Bucket policies
Each bucket has a read_policy, a write_policy and an optional path_prefix_template. Together they decide what SDK callers can do — your console (the owner) is never affected.
public
Anyone — even without signing in — can perform this action.
Use it for: Marketing assets, public profile pictures, downloadable PDFs.

authenticated
Any signed-in end-user of this project can perform this action.
Use it for: Shared documents inside a workspace, comment attachments.

owner_only
Blocks the SDK entirely. Only this console can read or write.
Use it for: Internal backups, admin uploads, anything users should never touch.

path_prefix_template
A template like {user_id}/ scopes the bucket so each user can only see and write inside their own folder. Combined with authenticated read + write, this gives you row-level isolation with zero policy SQL.
```javascript
// User Alice (id "a1b2…") uploads here:
await zmesh.storage.from("docs").upload("a1b2.../resume.pdf", file);

// User Bob trying to read Alice's file gets 403:
await zmesh.storage.from("docs").createSignedUrl("a1b2.../resume.pdf");
// → ZMeshError: Object name must start with 'b9c0.../'

// Bob's list() auto-scopes to his own folder:
await zmesh.storage.from("docs").list();
// → only Bob's objects
```

| Caller | public | authenticated | owner_only |
|---|---|---|---|
| Anonymous (no token) | read ok | 401 | 403 |
| Signed-in end-user | read + write | read + write* | 403 |
| Console (owner) | full | full | full |
* Scoped to path_prefix_template if set. Writes outside the user's prefix get 403.
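The matrix above and the path_prefix_template rule, as an added reference evaluator (example code, not ZMesh's own implementation): status codes and the prefix error text come from this page; the function names, the caller shape and the sample user ids are constructed.

```javascript
// Added example, not ZMesh code. Evaluates one SDK request against a bucket's
// read_policy / write_policy / path_prefix_template and returns the outcome.
// caller: {kind:"anonymous"} | {kind:"user", userId} | {kind:"owner"}
// action: "read" | "write" | "list"
function expandPrefix(template, caller) {
  // The page defines only the {user_id} placeholder.
  return template.replace("{user_id}", caller.userId);
}

function evaluate(bucket, caller, action, objectName = "") {
  // The console (owner) bypasses bucket policies entirely.
  if (caller.kind === "owner") return { allowed: true, status: 200 };
  const policy = action === "write" ? bucket.write_policy : bucket.read_policy;
  // owner_only blocks the SDK for every caller, signed in or not.
  if (policy === "owner_only") return { allowed: false, status: 403 };
  // authenticated requires a token; a missing token is 401, not 403.
  if (policy === "authenticated" && caller.kind === "anonymous") {
    return { allowed: false, status: 401 };
  }
  // Prefix scoping needs a user_id, so it only applies to signed-in users
  // (assumption: anonymous callers on a public bucket are not scoped).
  if (bucket.path_prefix_template && caller.kind === "user") {
    const prefix = expandPrefix(bucket.path_prefix_template, caller);
    if (action === "list") return { allowed: true, status: 200, scope: prefix };
    if (!objectName.startsWith(prefix)) {
      return { allowed: false, status: 403,
               error: `Object name must start with '${prefix}'` };
    }
    return { allowed: true, status: 200, scope: prefix };
  }
  return { allowed: true, status: 200, scope: "" };
}

// Constructed sample: the "docs" bucket from the page with made-up user ids.
const docs = { read_policy: "authenticated", write_policy: "authenticated",
               path_prefix_template: "{user_id}/" };
const alice = { kind: "user", userId: "u_alice" };
const bob = { kind: "user", userId: "u_bob" };
const anon = { kind: "anonymous" };

console.log(evaluate(docs, alice, "write", "u_alice/resume.pdf")); // allowed, scope u_alice/
console.log(evaluate(docs, bob, "read", "u_alice/resume.pdf"));    // 403, prefix error
console.log(evaluate(docs, bob, "list"));                           // allowed, scope u_bob/
console.log(evaluate(docs, anon, "read", "u_alice/resume.pdf"));   // 401
```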
Policies are edited per bucket in Storage → Bucket settings (gear icon).