Operations
Files + photos with secure storage
Photos, PDFs, documents, receipts. Stored in S3, signed-URL access, scoped by visibility and role.
The problem
Photos live in camera rolls. Documents live in inboxes. Receipts live in trucks. None of it links back to the job.
How it works
- Step 01
Upload from anywhere
Mobile app, web, or API — bytes go straight to S3.
- Step 02
Scope the visibility
owner_only / organization_only / shared / client_visible.
- Step 03
Access via signed URL
Short-lived signed URLs gate every read.
What's included
S3-backed storage
Heavy bytes live in S3; Supabase stores metadata only.
Per-scope visibility
Four-level visibility taxonomy enforced before signing.
Universal attachment
Attach to clients, work items, surveys, reports, invoices, estimates, proposals, expenses, deliveries, vehicles, routes.
Upload validation
Server-side mime + size checks per category.
Signed URL access
Bucket is private; reads always go through a fresh signed URL.
Future provider support
Google Drive + Dropbox provider slots reserved.
Why teams choose this
- No raw bytes in the database — fast queries, predictable cost.
- Bucket stays private; sharing is intentional via signed URLs.
- One file table for every attachment in the org.
- Visibility controls catch over-sharing at the action layer.
What it looks like
Screenshot
File upload
Screenshot
Photo gallery
Screenshot
Visibility settings
Use cases
Before/after photos
Photos attach to a survey or report, surface on the proposal.
Receipts
Expense receipts upload from the mobile app and attach to the expense row.
Sign-off documents
Signed PDFs upload to a work item, visible to the client via the portal.
Works well with
Frequently asked
Where are my files stored?
In your S3 bucket. We never copy bytes to Supabase or our infrastructure.
Can I bring my own S3 bucket?
Yes — set AWS_S3_BUCKET and the corresponding credentials. We never read or write outside the configured bucket.
How does visibility work?
Four-level: owner_only, organization_only, shared, client_visible. Enforced at the database (RLS) and before signing every URL.
What file types are allowed?
Images (png, jpeg, webp, svg), documents (pdf, office, csv, txt, zip), videos (mp4, mov). Size caps per category.
Are uploads scanned for malware?
Not on the hot path. Scan integration ships with the Business tier.
How long do signed URLs last?
10 minutes by default. The UI re-requests every time so no URL gets cached past expiry.
Try Files + photos with secure storage
Free for small teams. Activate it on your account in one click.