Storage & Media
Files and media are stored in Supabase Storage buckets — public media for the website/CMS, plus buckets backing client files, expense receipts, and ticket attachments.
#Purpose
Explain where binary assets live and how they are accessed.
#Architecture
Supabase Storage provides object buckets. Public website/CMS media lives in a public-media bucket (public URLs), while client files, expense receipts, and ticket attachments have their own buckets with access controlled by the application.
Uploads and URL generation go through server-side helpers; access to non-public buckets is mediated by the app and organization scoping.
#How it works
1. Upload: A server-side helper uploads to the appropriate bucket.
2. Reference: Public media exposes a public URL; other buckets are accessed via the app.
3. Scope: Access to non-public files is mediated by organization and role.
4. Serve: The UI renders media and links to files as permitted.
#Reference
#Storage buckets
| Bucket | Used for |
|---|---|
| public-media | Website/CMS images and assets (public URLs) |
| client-files | Files shared in the client portal |
| expense-receipts | Receipts attached to expenses |
| ticket-attachments | Attachments on support tickets |
#Implementation notes
- Public media uses public URLs; other buckets are not public.
- Some client-file upload flows are still expanding on the product side.
- Bucket names are fixed in the storage helper.
#Limitations
- Non-public buckets rely on the app to mediate access.
- Direct end-user upload flows vary by area and are still expanding in places.
#Security considerations
- Do not place sensitive files in the public-media bucket.
- Mediate access to private buckets by organization and role.
- Validate file type and size on upload.
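
One way to apply the checks listed above on the server before any call to Supabase Storage, as an added example that is not the project's storage helper. The size limits, allowed types, role names and the `<orgId>/<objectId>.<ext>` key layout are assumptions; only the bucket names come from this page.

```javascript
// Added example. Limits, allowed types, roles and the "<orgId>/<objectId>.<ext>"
// key layout are assumptions; only the bucket names come from the page.
const POLICY = {
  "public-media":       { maxBytes: 5 << 20,  types: ["png", "jpg"],        roles: ["admin"] },
  "client-files":       { maxBytes: 25 << 20, types: ["pdf", "png", "jpg"], roles: ["admin", "member", "client"] },
  "expense-receipts":   { maxBytes: 10 << 20, types: ["pdf", "png", "jpg"], roles: ["admin", "member"] },
  "ticket-attachments": { maxBytes: 10 << 20, types: ["pdf", "png", "jpg"], roles: ["admin", "member", "client"] },
};
// File signatures (magic bytes): the type is decided from the content, not
// from the client-supplied filename or Content-Type header.
const MAGIC = {
  png: { mime: "image/png",       sig: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  jpg: { mime: "image/jpeg",      sig: [0xff, 0xd8, 0xff] },
  pdf: { mime: "application/pdf", sig: [0x25, 0x50, 0x44, 0x46, 0x2d] },
};
const ID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/; // UUID-shaped ids only
// Constructed sample ids for trying the functions out.
const ORG_A = "11111111-1111-4111-8111-111111111111", ORG_B = "22222222-2222-4222-8222-222222222222";
const OBJ = "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa";

function sniff(bytes) {
  for (const [ext, { sig }] of Object.entries(MAGIC))
    if (bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b)) return ext;
  return null;
}

// Decide whether an upload is acceptable and, if so, which object key it gets.
function planUpload(bucket, session, objectId, bytes) {
  const policy = Object.hasOwn(POLICY, bucket) ? POLICY[bucket] : null;
  if (!policy) return { ok: false, reason: "unknown-bucket" };
  if (!ID.test(session.orgId) || !ID.test(objectId)) return { ok: false, reason: "bad-id" };
  if (!policy.roles.includes(session.role)) return { ok: false, reason: "role" };
  if (bytes.length === 0 || bytes.length > policy.maxBytes) return { ok: false, reason: "size" };
  const ext = sniff(bytes);
  if (!ext || !policy.types.includes(ext)) return { ok: false, reason: "type" };
  // The key is built only from server-side values; no client filename reaches it.
  return { ok: true, key: `${session.orgId}/${objectId}.${ext}`, contentType: MAGIC[ext].mime };
}

// Gate for reading an existing object: the key's first segment must be the
// caller's own organization and the role must be allowed on that bucket.
function canRead(bucket, key, session) {
  const policy = Object.hasOwn(POLICY, bucket) ? POLICY[bucket] : null;
  if (!policy) return false;
  if (bucket === "public-media") return true; // served via public URLs by design
  const parts = key.split("/");
  return parts.length === 2 && ID.test(parts[0]) && parts[0] === session.orgId &&
    /^[0-9a-f-]{36}\.(png|jpg|pdf)$/.test(parts[1]) && policy.roles.includes(session.role);
}
```

The `key` and `contentType` returned by `planUpload` are what a server-side helper would hand to the storage upload call, and `canRead` runs before the app links to or serves a non-public object.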
#Best practices
- Keep public and private assets in their intended buckets.
- Optimize images before upload.
- Scope every file operation to the organization.