Several storage backends are supported and they are configurable per user, so you can serve a local directory for a user and an S3 bucket (or part of it) for another one.
SFTPGo also supports virtual folders, a virtual folder can use any of the supported storage backends. So you can have, for example, an S3 user that exposes a GCS bucket (or part of it) on a specified path and an encrypted local filesystem on another one.
Virtual folders can be private or shared among multiple users, for shared virtual folders you can define different quota limits for each user.
description:'If you have 2FA configured, for the HTTP protocol, for the user attempting to log in you need to set the authentication code using this header parameter'
description:'Returns the recovery codes for the logged in admin. Recovery codes can be used if the admin loses access to their second factor auth device. Recovery codes are returned unencrypted'
operationId:get_admin_recovery_codes
responses:
'200':
description:successful operation
content:
application/json:
schema:
type:array
items:
$ref:'#/components/schemas/RecoveryCode'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
post:
security:
- BearerAuth:[]
tags:
- admins
summary:Generate recovery codes
description:'Generates new recovery codes for the logged in admin. Generating new recovery codes you automatically invalidate old ones'
operationId:generate_admin_recovery_codes
responses:
'200':
description:successful operation
content:
application/json:
schema:
type:array
items:
type:string
'400':
$ref:'#/components/responses/BadRequest'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/admin/totp/configs:
get:
security:
- BearerAuth:[]
tags:
- admins
summary:Get available TOTP configuration
description:Returns the available TOTP configurations for the logged in admin
operationId:get_admin_totp_configs
responses:
'200':
description:successful operation
content:
application/json:
schema:
type:array
items:
$ref:'#/components/schemas/TOTPConfig'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/admin/totp/generate:
post:
security:
- BearerAuth:[]
tags:
- admins
summary:Generate a new TOTP secret
description:'Generates a new TOTP secret, including the QR code as png, using the specified configuration for the logged in admin'
operationId:generate_admin_totp_secret
requestBody:
required:true
content:
application/json:
schema:
type:object
properties:
config_name:
type:string
description:'name of the configuration to use to generate the secret'
responses:
'200':
description:successful operation
content:
application/json:
schema:
type:object
properties:
config_name:
type:string
issuer:
type:string
secret:
type:string
qr_code:
type:string
format:byte
description:'QR code png encoded as BASE64'
'400':
$ref:'#/components/responses/BadRequest'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/admin/totp/validate:
post:
security:
- BearerAuth:[]
tags:
- admins
summary:Validate a one time authentication code
description:'Checks if the given authentication code can be validated using the specified secret and config name'
operationId:validate_admin_totp_secret
requestBody:
required:true
content:
application/json:
schema:
type:object
properties:
config_name:
type:string
description:'name of the configuration to use to validate the passcode'
passcode:
type:string
description:'passcode to validate'
secret:
type:string
description:'secret to use to validate the passcode'
responses:
'200':
description:successful operation
content:
application/json:
schema:
$ref:'#/components/schemas/ApiResponse'
example:
message:Passcode successfully validated
'400':
$ref:'#/components/responses/BadRequest'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/admin/totp/save:
post:
security:
- BearerAuth:[]
tags:
- admins
summary:Save a TOTP config
description:'Saves the specified TOTP config for the logged in admin'
description:Starts a new quota scan for the given user. A quota scan updates the number of files and their total size for the specified user and the virtual folders, if any, included in his quota
operationId:start_user_quota_scan
responses:
'202':
description:successful operation
content:
application/json:
schema:
$ref:'#/components/schemas/ApiResponse'
example:
message:Scan started
'400':
$ref:'#/components/responses/BadRequest'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'404':
$ref:'#/components/responses/NotFound'
'409':
$ref:'#/components/responses/Conflict'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/quotas/users/{username}/usage:
parameters:
- name:username
in:path
description:the username
required:true
schema:
type:string
- in:query
name:mode
required:false
description:the update mode specifies if the given quota usage values should be added or replace the current ones
schema:
type:string
enum:
- add
- reset
description:|
Update type:
*`add` - add the specified quota limits to the current used ones
*`reset` - reset the values to the specified ones. This is the default
example:reset
put:
tags:
- quota
summary:Update quota usage limits
description:Sets the current used quota limits for the given user
operationId:user_quota_update_usage
parameters:
- in:query
name:mode
required:false
description:the update mode specifies if the given quota usage values should be added or replace the current ones
schema:
type:string
enum:
- add
- reset
description:|
Update type:
*`add` - add the specified quota limits to the current used ones
*`reset` - reset the values to the specified ones. This is the default
example:reset
requestBody:
required:true
description:'If used_quota_size and used_quota_files are missing they will default to 0, this means that if mode is "add" the current value, for the missing field, will remain unchanged, if mode is "reset" the missing field is set to 0'
content:
application/json:
schema:
$ref:'#/components/schemas/QuotaUsage'
responses:
'200':
description:successful operation
content:
application/json:
schema:
$ref:'#/components/schemas/ApiResponse'
example:
message:Quota updated
'400':
$ref:'#/components/responses/BadRequest'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'404':
$ref:'#/components/responses/NotFound'
'409':
$ref:'#/components/responses/Conflict'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/quotas/folders/scans:
get:
tags:
- quota
summary:Get active folder quota scans
description:Returns the active folder quota scans
operationId:get_folders_quota_scans
responses:
'200':
description:successful operation
content:
application/json:
schema:
type:array
items:
$ref:'#/components/schemas/FolderQuotaScan'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/quotas/folders/{name}/scan:
parameters:
- name:name
in:path
description:folder name
required:true
schema:
type:string
post:
tags:
- quota
summary:Start a folder quota scan
description:Starts a new quota scan for the given folder. A quota scan update the number of files and their total size for the specified folder
operationId:start_folder_quota_scan
responses:
'202':
description:successful operation
content:
application/json:
schema:
$ref:'#/components/schemas/ApiResponse'
example:
message:Scan started
'400':
$ref:'#/components/responses/BadRequest'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'404':
$ref:'#/components/responses/NotFound'
'409':
$ref:'#/components/responses/Conflict'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/quotas/folders/{name}/usage:
parameters:
- name:name
in:path
description:folder name
required:true
schema:
type:string
- in:query
name:mode
required:false
description:the update mode specifies if the given quota usage values should be added or replace the current ones
schema:
type:string
enum:
- add
- reset
description:|
Update type:
*`add` - add the specified quota limits to the current used ones
*`reset` - reset the values to the specified ones. This is the default
example:reset
put:
tags:
- quota
summary:Update folder quota usage limits
description:Sets the current used quota limits for the given folder
operationId:folder_quota_update_usage
parameters:
- in:query
name:mode
required:false
description:the update mode specifies if the given quota usage values should be added or replace the current ones
schema:
type:string
enum:
- add
- reset
description:|
Update type:
*`add` - add the specified quota limits to the current used ones
*`reset` - reset the values to the specified ones. This is the default
example:reset
requestBody:
required:true
description:'If used_quota_size and used_quota_files are missing they will default to 0, this means that if mode is "add" the current value, for the missing field, will remain unchanged, if mode is "reset" the missing field is set to 0'
description:'The only user mandatory fields are username, used_quota_size and used_quota_files. Please note that if the quota fields are missing they will default to 0, this means that if mode is "add" the current value will remain unchanged, if mode is "reset" the missing field is set to 0'
description:'The only folder mandatory fields are mapped_path,used_quota_size and used_quota_files. Please note that if the used quota fields are missing they will default to 0, this means that if mode is "add" the current value will remain unchanged, if mode is "reset" the missing field is set to 0'
description:'Returns an array with one or more filesystem events applying the specified filters. This API is only available if you configure an "eventsearcher" plugin'
operationId:get_fs_events
parameters:
- in:query
name:start_timestamp
schema:
type:integer
format:int64
minimum:0
default:0
required:false
description:'the event timestamp, unix timestamp in nanoseconds, must be greater than or equal to the specified one. 0 or missing means omit this filter'
- in:query
name:end_timestamp
schema:
type:integer
format:int64
minimum:0
default:0
required:false
description:'the event timestamp, unix timestamp in nanoseconds, must be less than or equal to the specified one. 0 or missing means omit this filter'
- in:query
name:actions
schema:
type:array
items:
$ref:'#/components/schemas/FsEventAction'
description:'the event action must be included among those specified. Empty or missing means omit this filter. Actions must be specified comma separated'
explode:false
required:false
- in:query
name:username
schema:
type:string
description:'the event username must be the same as the one specified. Empty or missing means omit this filter'
required:false
- in:query
name:ip
schema:
type:string
description:'the event IP must be the same as the one specified. Empty or missing means omit this filter'
required:false
- in:query
name:ssh_cmd
schema:
type:string
description:'the event SSH command must be the same as the one specified. Empty or missing means omit this filter'
required:false
- in:query
name:protocols
schema:
type:array
items:
$ref:'#/components/schemas/EventProtocols'
description:'the event protocol must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'
explode:false
required:false
- in:query
name:statuses
schema:
type:array
items:
$ref:'#/components/schemas/FsEventStatus'
description:'the event status must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'
explode:false
required:false
- in:query
name:instance_ids
schema:
type:array
items:
type:string
description:'the event instance id must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'
explode:false
required:false
- in:query
name:exclude_ids
schema:
type:array
items:
type:string
description:'the event id must not be included among those specified. This is useful for cursor based pagination. Empty or missing means omit this filter. Values must be specified comma separated'
explode:false
required:false
- in:query
name:limit
schema:
type:integer
minimum:1
maximum:1000
default:100
required:false
description:'The maximum number of items to return. Max value is 500, default is 100'
- in:query
name:order
required:false
description:Ordering events by timestamp. Default DESC
schema:
type:string
enum:
- ASC
- DESC
example:DESC
responses:
'200':
description:successful operation
content:
application/json:
schema:
type:array
items:
$ref:'#/components/schemas/FsEvent'
'400':
$ref:'#/components/responses/BadRequest'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/events/provider:
get:
tags:
- events
summary:Get provider events
description:'Returns an array with one or more provider events applying the specified filters. This API is only available if you configure an "eventsearcher" plugin'
operationId:get_provider_events
parameters:
- in:query
name:start_timestamp
schema:
type:integer
format:int64
minimum:0
default:0
required:false
description:'the event timestamp, unix timestamp in nanoseconds, must be greater than or equal to the specified one. 0 or missing means omit this filter'
- in:query
name:end_timestamp
schema:
type:integer
format:int64
minimum:0
default:0
required:false
description:'the event timestamp, unix timestamp in nanoseconds, must be less than or equal to the specified one. 0 or missing means omit this filter'
- in:query
name:actions
schema:
type:array
items:
$ref:'#/components/schemas/ProviderEventAction'
description:'the event action must be included among those specified. Empty or missing means omit this filter. Actions must be specified comma separated'
explode:false
required:false
- in:query
name:username
schema:
type:string
description:'the event username must be the same as the one specified. Empty or missing means omit this filter'
required:false
- in:query
name:ip
schema:
type:string
description:'the event IP must be the same as the one specified. Empty or missing means omit this filter'
required:false
- in:query
name:object_name
schema:
type:string
description:'the event object name must be the same as the one specified. Empty or missing means omit this filter'
description:'the event object type must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'
explode:false
required:false
- in:query
name:instance_ids
schema:
type:array
items:
type:string
description:'the event instance id must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'
explode:false
required:false
- in:query
name:exclude_ids
schema:
type:array
items:
type:string
description:'the event id must not be included among those specified. This is useful for cursor based pagination. Empty or missing means omit this filter. Values must be specified comma separated'
explode:false
required:false
- in:query
name:limit
schema:
type:integer
minimum:1
maximum:1000
default:100
required:false
description:'The maximum number of items to return. Max value is 500, default is 100'
- in:query
name:order
required:false
description:Ordering events by timestamp. Default DESC
description: 'Updates an existing admin. Recovery codes and TOTP configuration cannot be set/updated using this API:each admin must use the specific APIs. You are not allowed to update the admin impersonated using an API key'
description:'Disables second factor authentication for the given admin. This API must be used if the admin loses access to their second factor auth device and has no recovery codes'
description: 'Updates an existing user and optionally disconnects it, if connected, to apply the new settings. Recovery codes and TOTP configuration cannot be set/updated using this API:each user must use the specific APIs'
description:'Disables second factor authentication for the given user. This API must be used if the user loses access to their second factor auth device and has no recovery codes'
description:'Backups data as data provider independent JSON. The backup can be saved in a local file on the server, to avoid exposing sensitive data over the network, or returned as response body. The output of dumpdata can be used as input for loaddata'
description:Path for the file to write the JSON serialized data to. This path is relative to the configured "backups_path". If this file already exists it will be overwritten. To return the backup as response body set `output_data` to true instead.
*`0` no quota scan is done, the imported users/folders will have used_quota_size and used_quota_files = 0 or the existing values if they already exists. This is the default
*`1` scan quota
*`2` scan quota if the user has quota restrictions
description:'Restores SFTPGo data from a JSON backup file on the server. Users, folders and admins will be restored one by one and the restore is stopped if a user/folder/admin cannot be added or updated, so it could happen a partial restore'
description:Path for the file to read the JSON serialized data from. This can be an absolute path or a path relative to the configured "backups_path". The max allowed file size is 10MB
description:'Restores SFTPGo data from a JSON backup. Users, folders and admins will be restored one by one and the restore is stopped if a user/folder/admin cannot be added or updated, so it could happen a partial restore'
description:'Returns the recovery codes for the logged in user. Recovery codes can be used if the user loses access to their second factor auth device. Recovery codes are returned unencrypted'
operationId:get_user_recovery_codes
responses:
'200':
description:successful operation
content:
application/json:
schema:
type:array
items:
$ref:'#/components/schemas/RecoveryCode'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
post:
security:
- BearerAuth:[]
tags:
- users API
summary:Generate recovery codes
description:'Generates new recovery codes for the logged in user. Generating new recovery codes you automatically invalidate old ones'
operationId:generate_user_recovery_codes
responses:
'200':
description:successful operation
content:
application/json:
schema:
type:array
items:
type:string
'400':
$ref:'#/components/responses/BadRequest'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/user/totp/configs:
get:
security:
- BearerAuth:[]
tags:
- users API
summary:Get available TOTP configuration
description:Returns the available TOTP configurations for the logged in user
operationId:get_user_totp_configs
responses:
'200':
description:successful operation
content:
application/json:
schema:
type:array
items:
$ref:'#/components/schemas/TOTPConfig'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/user/totp/generate:
post:
security:
- BearerAuth:[]
tags:
- users API
summary:Generate a new TOTP secret
description:'Generates a new TOTP secret, including the QR code as png, using the specified configuration for the logged in user'
operationId:generate_user_totp_secret
requestBody:
required:true
content:
application/json:
schema:
type:object
properties:
config_name:
type:string
description:'name of the configuration to use to generate the secret'
responses:
'200':
description:successful operation
content:
application/json:
schema:
type:object
properties:
config_name:
type:string
issuer:
type:string
secret:
type:string
qr_code:
type:string
format:byte
description:'QR code png encoded as BASE64'
'400':
$ref:'#/components/responses/BadRequest'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/user/totp/validate:
post:
security:
- BearerAuth:[]
tags:
- users API
summary:Validate a one time authentication code
description:'Checks if the given authentication code can be validated using the specified secret and config name'
operationId:validate_user_totp_secret
requestBody:
required:true
content:
application/json:
schema:
type:object
properties:
config_name:
type:string
description:'name of the configuration to use to validate the passcode'
passcode:
type:string
description:'passcode to validate'
secret:
type:string
description:'secret to use to validate the passcode'
responses:
'200':
description:successful operation
content:
application/json:
schema:
$ref:'#/components/schemas/ApiResponse'
example:
message:Passcode successfully validated
'400':
$ref:'#/components/responses/BadRequest'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/user/totp/save:
post:
security:
- BearerAuth:[]
tags:
- users API
summary:Save a TOTP config
description:'Saves the specified TOTP config for the logged in user'
description:Path to the folder to read. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir". If empty or missing the root folder is assumed
schema:
type:string
responses:
'200':
description:successful operation
content:
application/json:
schema:
type:array
items:
$ref:'#/components/schemas/DirEntry'
'400':
$ref:'#/components/responses/BadRequest'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/user/dirs:
get:
tags:
- users API
summary:Read directory contents
description:Returns the contents of the specified directory for the logged in user
description:Path to the folder to read. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir". If empty or missing the root folder is assumed
description:Path to the folder to create. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir"
schema:
type:string
required:true
responses:
'201':
description:successful operation
content:
application/json:
schema:
type:array
items:
$ref:'#/components/schemas/ApiResponse'
'400':
$ref:'#/components/responses/BadRequest'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
patch:
tags:
- users API
summary:Rename a directory
description:Rename a directory for the logged in user. The rename is allowed for empty directory or for non empty, local directories, with no virtual folders inside
description:Path to the file to download. It must be URL encoded, for example the path "my dir/àdir/file.txt" must be sent as "my%20dir%2F%C3%A0dir%2Ffile.txt"
schema:
type:string
responses:
'200':
description:successful operation
content:
'*/*':
schema:
type:string
format:binary
'206':
description:successful operation
content:
'*/*':
schema:
type:string
format:binary
'400':
$ref:'#/components/responses/BadRequest'
'401':
$ref:'#/components/responses/Unauthorized'
'403':
$ref:'#/components/responses/Forbidden'
'500':
$ref:'#/components/responses/InternalServerError'
default:
$ref:'#/components/responses/DefaultResponse'
/user/files:
get:
tags:
- users API
summary:Download a single file
description:Returns the file contents as response body
description:Path to the file to download. It must be URL encoded, for example the path "my dir/àdir/file.txt" must be sent as "my%20dir%2F%C3%A0dir%2Ffile.txt"
description:Upload one or more files for the logged in user
operationId:create_user_files
parameters:
- in:query
name:path
description:Parent directory for the uploaded files. It must be URL encoded, for example the path "my dir/àdir" must be sent as "my%20dir%2F%C3%A0dir". If empty or missing the root path is assumed. If a file with the same name already exists, it will be overwritten
summary:Download multiple files and folders as a single zip file
description:A zip file, containing the specified files and folders, will be generated on the fly and returned as response body. Only folders and regular files will be included in the zip
description:'hash map with directory as key and an array of permissions as value. Directories must be absolute paths, permissions for root directory ("/") are required'
*`Email` - notify results by email. The admin starting the retention check must have an associated email address and the SMTP server must be configured for this to work
description:'Recovery codes to use if the user loses access to their second factor auth device. Each code can only be used once, you should use these codes to login and disable or reset 2FA for your account'
BaseTOTPConfig:
type:object
properties:
enabled:
type:boolean
config_name:
type:string
description:'This name must be defined within the "totp" section of the SFTPGo configuration file. You will be unable to save a user/admin referencing a missing config_name'
secret:
$ref:'#/components/schemas/Secret'
AdminTOTPConfig:
allOf:
- $ref:'#/components/schemas/BaseTOTPConfig'
UserTOTPConfig:
allOf:
- $ref:'#/components/schemas/BaseTOTPConfig'
- type:object
properties:
protocols:
type:array
items:
$ref:'#/components/schemas/MFAProtocols'
description:'TOTP will be required for the specified protocols. SSH protocol (SFTP/SCP/SSH commands) will ask for the TOTP passcode if the client uses keyboard interactive authentication. FTP has no standard way to support two factor authentication, if you enable the FTP support, you have to add the TOTP passcode after the password. For example if your password is "password" and your one time passcode is "123456" you have to use "password123456" as password. WebDAV is not supported since each single request must be authenticated and a passcode cannot be reused.'
description:'exposed virtual path, if no other specific filter is defined, the filter applies for sub directories too. For example if filters are defined for the paths "/" and "/sub" then the filters for "/" are applied for any file outside the "/sub" directory'
description:'only clients connecting from these IP/Mask are allowed. IP/Mask must be in CIDR notation as defined in RFC 4632 and RFC 4291, for example "192.0.2.0/24" or "2001:db8::/32"'
description:'filters based on shell like file patterns. These restrictions do not apply to files listing for performance reasons, so a denied file cannot be downloaded/overwritten/renamed but it will still be in the list of files. Please note that these restrictions can be easily bypassed'
description:'maximum allowed size, as bytes, for a single file upload. The upload will be aborted if/when the size of the file being sent exceeds this limit. 0 means unlimited. This restriction does not apply for SSH system commands such as `git` and `rsync`'
description:'defines the TLS certificate field to use as username. For FTP clients it must match the name provided using the "USER" command. For WebDAV, if no username is provided, the CN will be used as username. For WebDAV clients it must match the implicit or provided username. Ignored if mutual TLS is disabled'
description:Disable checks for existence and automatic creation of home directory and virtual folders. SFTPGo requires that the user's home directory, virtual folder root, and intermediate paths to virtual folders exist to work properly. If you already know that the required directories exist, disabling these checks will speed up login. You could, for example, disable these checks after the first login
description:The secret is encrypted before saving, so to set a new secret you must provide a payload and set the status to "Plain". The encryption key and additional data will be generated automatically. If you set the status to "Redacted" the existig secret will be preserved
description:'the buffer size (in MB) to use for multipart uploads. The minimum allowed part size is 5MB, and if this value is set to zero, the default value (5MB) for the AWS SDK will be used. The minimum allowed value is 5.'
description:'the number of parts to upload in parallel. If this value is set to zero, the default value (5) will be used'
download_part_size:
type:integer
description:'the buffer size (in MB) to use for multipart downloads. The minimum allowed part size is 5MB, and if this value is set to zero, the default value (5MB) for the AWS SDK will be used. The minimum allowed value is 5. Ignored for partial downloads'
download_concurrency:
type:integer
description:'the number of parts to download in parallel. If this value is set to zero, the default value (5) will be used. Ignored for partial downloads'
description:'the maximum time allowed, in seconds, to download a single chunk (the chunk is defined via "download_part_size"). 0 means no timeout. Ignored for partial downloads.'
force_path_style:
type:boolean
description:'Set this to "true" to force the request to use path-style addressing, i.e., "http://s3.amazonaws.com/BUCKET/KEY". By default, the S3 client will use virtual hosted bucket addressing when possible ("http://BUCKET.s3.amazonaws.com/KEY")'
description:'key_prefix is similar to a chroot directory for a local filesystem. If specified the user will only see contents that starts with this prefix and so you can restrict access to a specific virtual folder. The prefix, if not empty, must not start with "/" and must end with "/". If empty the whole bucket contents will be available'
description:'key_prefix is similar to a chroot directory for a local filesystem. If specified the user will only see contents that starts with this prefix and so you can restrict access to a specific virtual folder. The prefix, if not empty, must not start with "/" and must end with "/". If empty the whole bucket contents will be available'
description:'Google Cloud Storage configuration details. The "credentials" field must be populated only when adding/updating a user. It will be always omitted, since there are sensitive data, when you search/get users'
description:'optional endpoint. Default is "blob.core.windows.net". If you use the emulator the endpoint must include the protocol, for example "http://127.0.0.1:10000"'
description:'key_prefix is similar to a chroot directory for a local filesystem. If specified the user will only see contents that starts with this prefix and so you can restrict access to a specific virtual folder. The prefix, if not empty, must not start with "/" and must end with "/". If empty the whole container contents will be available'
description:'SHA256 fingerprints to use for host key verification. If you don''t provide any fingerprint the remote host key will not be verified, this is a security risk'
description:Concurrent reads are safe to use and disabling them will degrade performance. Some servers automatically delete files once they are downloaded. Using concurrent reads is problematic with such servers.
description:The size of the buffer (in MB) to use for transfers. By enabling buffering, the reads and writes, from/to the remote SFTP server, are split in multiple concurrent requests and this allows data to be transferred at a faster rate, over high latency networks, by overlapping round-trip times. With buffering enabled, resuming uploads is not supported and a file cannot be opened for both reading and writing at the same time. 0 means disabled.
description:'Defines the filesystem for the virtual folder and the used quota limits. The same folder can be shared among multiple users and each user can have different quota limits or a different virtual path.'
description:'Quota as size in bytes. 0 menas unlimited, -1 means included in user quota. Please note that quota is updated if files are added/removed via SFTPGo otherwise a quota scan or a manual quota update is needed'
description:'Quota as number of files. 0 menas unlimited, , -1 means included in user quota. Please note that quota is updated if files are added/removed via SFTPGo otherwise a quota scan or a manual quota update is needed'
description:'A virtual folder is a mapping between a SFTPGo virtual path and a filesystem path outside the user home directory. The specified paths must be absolute and the virtual path cannot be "/", it must be a sub directory. The parent directory for the specified virtual path must exist. SFTPGo will try to automatically create any missing parent directory for the configured virtual folders at user login.'
description:password or public key/SSH user certificate are mandatory. If the password has no known hashing algo prefix it will be stored, by default, using bcrypt, argon2id is supported too. You can send a password hashed as bcrypt ($2a$ prefix), argon2id, pbkdf2 or unix crypt and it will be stored as is. For security reasons this field is omitted when you search/get users
description:path to the user home directory. The user cannot upload or download files outside this directory. SFTPGo tries to automatically create this folder if missing. Must be an absolute path
description:mapping between virtual SFTPGo paths and filesystem paths outside the user home directory. Supported for local filesystem only. If one or more of the specified folders are not inside the dataprovider they will be automatically created. You have to create the folder on the filesystem yourself
description:'if you run SFTPGo as root user, the created files and directories will be assigned to this uid. 0 means no change, the owner will be the user that runs SFTPGo. Ignored on windows'
description:'if you run SFTPGo as root user, the created files and directories will be assigned to this gid. 0 means no change, the group will be the one of the user that runs SFTPGo. Ignored on windows'
description:Quota as size in bytes. 0 menas unlimited. Please note that quota is updated if files are added/removed via SFTPGo otherwise a quota scan or a manual quota update is needed
description:Quota as number of files. 0 menas unlimited. Please note that quota is updated if files are added/removed via SFTPGo otherwise a quota scan or a manual quota update is needed
description:'only clients connecting from these IP/Mask are allowed. IP/Mask must be in CIDR notation as defined in RFC 4632 and RFC 4291, for example "192.0.2.0/24" or "2001:db8::/32"'
description:'exposed virtual directory path, if no other specific retention is defined, the retention applies for sub directories too. For example if retention is defined for the paths "/" and "/sub" then the retention for "/" is applied for any file outside the "/sub" directory'
example:'/'
retention:
type:integer
description:retention time in hours. All the files with a modification time older than the defined value will be deleted. 0 means exclude this path
example:24
delete_empty_dirs:
type:boolean
description:if enabled, empty directories will be deleted
ignore_user_permissions:
type:boolean
description:'if enabled, files will be deleted even if the user does not have the delete permission. The default is "false" which means that files will be skipped if the user does not have permission to delete them. File patterns filters will always be silently ignored'
RetentionCheck:
type:object
properties:
username:
type:string
description:username to which the retention check refers
folders:
type:array
items:
$ref:'#/components/schemas/FolderRetention'
start_time:
type:integer
format:int64
description:check start time as unix timestamp in milliseconds
description:'if the notification method is set to "Email", this is the e-mail address that receives the retention check report. This field is automatically set to the email address associated with the administrator starting the check'
description:the score increases whenever a violation is detected, such as an attempt to log in using an incorrect password or invalid username. If the score exceeds the configured threshold, the IP is banned. Omitted for banned IPs
ban_time:
type:string
format:date-time
description:date time until the IP is banned. For already banned hosts, the ban time is increased each time a new violation is detected. Omitted if the IP is not banned
description:'Features for the current build. Available features are "portable", "bolt", "mysql", "sqlite", "pgsql", "s3", "gcs", "metrics". If a feature is available it has a "+" prefix, otherwise a "-" prefix'
description:'API key to use for authentication. API key authentication is intrinsically less secure than using a short lived JWT token. You should prefer API key authentication only for machine-to-machine communications in trusted environments. If no admin/user is associated to the provided key you need to add ".username" at the end of the key. For example if your API key is "6ajKLwswLccVBGpZGv596G.ySAXc8vtp9hMiwAuaLtzof" and you want to impersonate the admin with username "myadmin" you have to use "6ajKLwswLccVBGpZGv596G.ySAXc8vtp9hMiwAuaLtzof.myadmin" as API key. When using API key authentication you cannot manage API keys, update the impersonated admin, change password or public keys for the impersonated user.'