How BYO-Cloud Delivery Works
Responses are encrypted end-to-end and stored in the consumer's own S3-compatible bucket. The consumer downloads and decrypts locally.
Why BYO-Cloud Delivery?
When API responses contain sensitive data — financial records, medical results, proprietary datasets — you don't want them sitting on someone else's infrastructure. Opsalis BYO-Cloud delivery stores encrypted responses directly in your own S3-compatible storage bucket. You choose the provider, you hold the keys, you control retention.
This is ideal for enterprises with strict data residency requirements, regulated industries that mandate data sovereignty, or any team that refuses to let API response data touch third-party servers. Supported providers include AWS S3, MinIO, Backblaze B2, Wasabi, DigitalOcean Spaces, Cloudflare R2, and 22+ more.
In the Opsalis test infrastructure, the owner node in New York (NYC) runs a MinIO instance. When a consumer in London makes an API call with cloud delivery enabled, the response is encrypted with AES-256-GCM and uploaded to the configured MinIO bucket. The consumer then downloads and decrypts it locally — the platform never sees the plaintext data.
Live Demo — S3 Bucket Delivery
Call API with Cloud Delivery
The response will show the encrypted object stored in MinIO, along with the decrypted data and latency metrics.
Code Samples
# Call API with S3 delivery via Opsalis proxy
$ curl -X POST https://opsalis.com/api/demo/api/bb-webhook-receiver \
    -H "Content-Type: application/json" \
    -H "X-Consumer-Key: demo-public-key-2026" \
    -d '{
      "action": "getStatus",
      "delivery": "s3",
      "bucket": "demo-responses"
    }'
# Response includes S3 object metadata
{
  "status": 200,
  "delivery": "s3",
  "bucket": "demo-responses",
  "objectKey": "resp_1711612800_abc123.enc",
  "encrypted": true,
  "cipher": "AES-256-GCM"
}
// JavaScript — fetch with S3 delivery
const response = await fetch('https://opsalis.com/api/demo/api/bb-webhook-receiver', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-Consumer-Key': 'demo-public-key-2026'
  },
  body: JSON.stringify({
    action: 'getStatus',
    delivery: 's3',
    bucket: 'demo-responses'
  })
});
const result = await response.json();
console.log('S3 Object Key:', result.objectKey);
console.log('Encrypted:', result.encrypted);
// Download and decrypt from your bucket
// const s3Object = await s3Client.getObject({ Bucket: 'demo-responses', Key: result.objectKey });
// const decrypted = decrypt(s3Object.Body, yourPrivateKey);
# Python — requests with S3 delivery
import requests
import boto3

response = requests.post(
    'https://opsalis.com/api/demo/api/bb-webhook-receiver',
    headers={
        'Content-Type': 'application/json',
        'X-Consumer-Key': 'demo-public-key-2026'
    },
    json={
        'action': 'getStatus',
        'delivery': 's3',
        'bucket': 'demo-responses'
    }
)
result = response.json()
print(f"S3 Object: {result['objectKey']}")
print(f"Cipher: {result['cipher']}")
# Download from your MinIO / S3 bucket
# s3 = boto3.client('s3', endpoint_url='https://minio.your-server.com')
# obj = s3.get_object(Bucket='demo-responses', Key=result['objectKey'])
Self-Host with Your Own S3 Storage
Pull the Opsalis Docker Container
The control center runs on your own hardware — a VPS, bare metal, or local machine.
$ docker pull opsalis/control-center:latest
$ docker run -d --name opsalis -p 3000:3000 opsalis/control-center:latest
Configure S3-Compatible Storage
Add your storage credentials in the control center. Any S3-compatible provider works: AWS, MinIO, Backblaze B2, Wasabi, Cloudflare R2, and more.
# In the Opsalis control center, navigate to:
#   Settings → Cloud Storage → Add Provider
#
# Required fields:
#   Endpoint:   https://minio.your-server.com
#   Access Key: your-access-key
#   Secret Key: your-secret-key
#   Bucket:     api-responses
#   Region:     us-east-1 (or your region)
Enable Cloud Delivery on Subscriptions
When subscribing to an API, select "Cloud Storage" as your delivery preference. Responses will be encrypted and uploaded to your bucket automatically.
# Via the subscription API (JSON body, so send a JSON Content-Type as in the demo call):
$ curl -X POST https://your-node:3000/subscribe \
    -H "Content-Type: application/json" \
    -d '{"apiId": "target-api", "delivery": "s3", "bucket": "api-responses"}'
Retrieve and Decrypt Responses
Download objects from your bucket and decrypt with your ECDH private key. The platform never sees the plaintext.
$ aws s3 cp s3://api-responses/resp_latest.enc ./response.enc
$ opsalis decrypt --key ~/.opsalis/private.pem --in response.enc --out response.json
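What the local decrypt step has to check, as an added example that is not Opsalis code: the consumer derives the AES-256-GCM key from its ECDH private key and rejects any object whose ciphertext or bucket key name was changed while at rest. The object layout, the P-256 curve, the HKDF-SHA256 derivation and the use of the object key as GCM associated data are assumptions, because this page does not document the .enc format; `sealResponse` is a hypothetical stand-in for the provider side so the block runs offline.

```javascript
// Added example, not Opsalis code. ASSUMED object layout (not documented on this page):
//   ephemeralPub(65) || nonce(12) || tag(16) || ciphertext, P-256 ECDH, HKDF-SHA256.
const crypto = require('crypto');
const CURVE = 'prime256v1', PUB_LEN = 65, NONCE_LEN = 12, TAG_LEN = 16;

// Derive the AES-256 key; salting with the ephemeral key ties it to this one object.
function deriveKey(shared, ephPub) {
  return Buffer.from(crypto.hkdfSync('sha256', shared, ephPub, 'byo-cloud-demo', 32));
}

// Provider side (hypothetical stand-in so the example runs offline).
function sealResponse(recipientPub, objectKey, plaintext) {
  const eph = crypto.createECDH(CURVE);
  const ephPub = eph.generateKeys();
  const key = deriveKey(eph.computeSecret(recipientPub), ephPub);
  const nonce = crypto.randomBytes(NONCE_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(objectKey)); // bind ciphertext to its bucket key name
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([ephPub, nonce, cipher.getAuthTag(), ct]);
}

// Consumer side: returns plaintext, throws if the object or its key name was altered.
function openResponse(recipientEcdh, objectKey, blob) {
  const hdr = PUB_LEN + NONCE_LEN + TAG_LEN;
  if (blob.length < hdr) throw new Error('object too short');
  const ephPub = blob.subarray(0, PUB_LEN);
  const nonce = blob.subarray(PUB_LEN, PUB_LEN + NONCE_LEN);
  const tag = blob.subarray(PUB_LEN + NONCE_LEN, hdr);
  const key = deriveKey(recipientEcdh.computeSecret(ephPub), ephPub);
  const d = crypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
  d.setAAD(Buffer.from(objectKey));
  d.setAuthTag(tag);
  return Buffer.concat([d.update(blob.subarray(hdr)), d.final()]); // final() throws on bad tag
}

// Fail closed: any parse, key-agreement or authentication error means "reject".
function isAccepted(ecdh, objectKey, blob) {
  try { openResponse(ecdh, objectKey, blob); return true; } catch { return false; }
}

// Constructed sample data, not real platform output.
const consumer = crypto.createECDH(CURVE);
const sample = sealResponse(consumer.generateKeys(), 'resp_demo.enc', Buffer.from('{"ok":true}'));
console.log(openResponse(consumer, 'resp_demo.enc', sample).toString());
const tampered = Buffer.from(sample); tampered[tampered.length - 1] ^= 1;
console.log('tampered accepted:', isAccepted(consumer, 'resp_demo.enc', tampered));
console.log('renamed accepted:', isAccepted(consumer, 'resp_other.enc', sample));
```

Treat a thrown error from the decrypt step as a signal to alert on, not to retry silently: it means the bucket returned bytes that the sender did not produce for that object key.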