Private Apps in faynoSync — Keep Your Software Secure
When developing software, sometimes you need to keep things private. Whether it's internal tools, beta versions, or enterprise applications — not everything should be publicly accessible. That's why faynoSync comes with built-in support for private applications.
This post covers what private apps are, how to create one, how downloads are gated, and how private apps combine with team access control. Every flag and endpoint here is verified against the Create Application and private download docs.
What are Private Apps? 🤔
Private apps in faynoSync are applications that are stored in a separate, private S3 bucket. This gives you an extra layer of security and control over who can access your software.
Once an app is marked as private, it stays private forever — this is a one-way decision to ensure consistency and security.
How to Create a Private App? 🛠️
There are two ways to create a private app:
1. Using the Web Dashboard 🖥️
Simply check the "Private" option when creating your app through the dashboard interface. It's that simple!
2. Using the API 📡
When making a POST request to /app/create, include the private parameter. The endpoint uses multipart/form-data, so the JSON goes in a data form field:
curl --location 'http://localhost:9000/app/create' \
--header 'Authorization: Bearer <jwt_token>' \
--form 'data="{\"app\":\"appName\", \"private\": true}"'
{ "createAppResult.Created": "641459ffb8760d74164e7e3c" }
The private field sits alongside the other creation flags — description, a logo file, tuf, and cdn (the edge cache toggle). Only app is required.
Heads up: private is irreversible. Once it's true, the app cannot be made public later. Decide before you create, not after.
How Private Apps Work? 🔐
- Storage: Private apps are stored in a separate S3 bucket (defined by S3_BUCKET_NAME_PRIVATE in your environment)
- Access Control: You control who can download private apps through the ENABLE_PRIVATE_APP_DOWNLOADING setting:
  - If true: apps in the private bucket can be downloaded through the public API — the request redirects straight to the file
  - If false: download links require authentication, and the API returns a short-lived signed URL instead
Both settings live in your .env; see the Environment Variables Overview for the full storage configuration (the private bucket is configured per provider — MinIO, AWS, DigitalOcean Spaces, or GCS).
Downloading from a private bucket
Artifacts in the private bucket aren't served by a plain public URL. You fetch them through GET /download, passing the object key:
curl -X GET --location 'http://localhost:9000/download?key=secondapp%2Fstable%2Flinux%2Famd64%2Fsecondapp-0.0.1.deb'
The key is URL-encoded and follows the layout {app_name}/{channel}/{platform}/{arch}/{filename}. What comes back depends on ENABLE_PRIVATE_APP_DOWNLOADING:
- true — the request is redirected directly to the file.
- false — authentication is required, and the response is a JSON download_url: a signed URL with a limited lifetime (typically 15 minutes).
{
"download_url": "https://<bucket>.s3.amazonaws.com/secondapp/stable/linux/amd64/secondapp-0.0.1.deb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-Signature=..."
}
Short-lived signed URLs are the key property: even if a link leaks, it expires in minutes, so it can't be reshared as a permanent public download. Full contract in the download docs.
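The key layout and the expiry behaviour described above, as an added Python example (not faynoSync's own client code). It assumes an AWS-style SigV4 presigned URL, where the lifetime is X-Amz-Date plus X-Amz-Expires; the function names, the sample URL and its bucket, date and signature are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit

API_BASE = "http://localhost:9000"  # same local base URL as the curl examples


def build_download_url(app, channel, platform, arch, filename, base=API_BASE):
    """Build the GET /download URL for {app}/{channel}/{platform}/{arch}/{filename}."""
    parts = [app, channel, platform, arch, filename]
    for part in parts:
        # Reject segments that would change the five-part layout of the key.
        if not part or "/" in part or part in (".", ".."):
            raise ValueError(f"invalid key segment: {part!r}")
    key = "/".join(parts)
    # safe="" so "/" is sent as %2F, as in the curl example.
    return f"{base}/download?key={quote(key, safe='')}"


def signed_url_expiry(download_url):
    """Return the UTC expiry of a SigV4 presigned URL (X-Amz-Date + X-Amz-Expires)."""
    query = parse_qs(urlsplit(download_url).query)
    issued = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=timezone.utc)
    return issued + timedelta(seconds=int(query["X-Amz-Expires"][0]))


def is_usable(download_url, now, margin_seconds=30):
    """True if the link still has more than margin_seconds of lifetime left."""
    return signed_url_expiry(download_url) - now > timedelta(seconds=margin_seconds)


# Constructed sample response value; bucket name, date and signature are made up.
SAMPLE_SIGNED_URL = (
    "https://example-bucket.s3.amazonaws.com/secondapp/stable/linux/amd64/"
    "secondapp-0.0.1.deb?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Date=20240101T120000Z&X-Amz-Expires=900&X-Amz-Signature=constructed"
)

if __name__ == "__main__":
    print(build_download_url("secondapp", "stable", "linux", "amd64", "secondapp-0.0.1.deb"))
    print(signed_url_expiry(SAMPLE_SIGNED_URL).isoformat())
```

A client that checks is_usable before each fetch and requests a fresh download_url when it returns False never depends on a cached link outliving its signature.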
Security Features 🛡️
Think of private apps in faynoSync as your software's VIP section! Here's what makes them special:
- 🔒 Separate Storage: Your private apps live in their own secure S3 bucket, like having a private vault for your most valuable assets
- 🔐 One-Way Privacy: Once you mark an app as private, it stays private forever. This might sound strict, but it's actually a good thing — it ensures your security settings can't be accidentally changed
- 👥 Smart Access Control: You're in charge! You can decide whether your private apps need authentication to download, giving you perfect control over who gets access
- 🚫 Download Protection: Want to make sure only your team can download the app? Just set ENABLE_PRIVATE_APP_DOWNLOADING=false, and only authenticated requests will get a signed URL
Private apps and team access control
Privacy and team-based authorization stack cleanly. The private bucket decides where artifacts live and whether downloads need authentication; team permissions decide who on your team can manage and download them via the apps.download permission and their allowed apps. Use ENABLE_PRIVATE_APP_DOWNLOADING=false plus scoped team users when you need both restricted distribution and internal least-privilege access.
The same private bucket (S3_BUCKET_NAME_PRIVATE) is reused by report ingestion for storing debug blobs — sensitive payloads never touch the public/CDN bucket, and are only retrievable through the same short-lived presigned-URL mechanism.
Best Practices 💡
- Use private apps for:
  - Internal tools and utilities
  - Beta versions of your software
  - Enterprise-specific applications
  - Software requiring license validation
- Decide on private before creating the app — it can't be undone.
- Set ENABLE_PRIVATE_APP_DOWNLOADING=false when you need strict access control, and always send an auth token when fetching from /download in that mode.
- Treat signed URLs as ephemeral — generate them on demand rather than caching or sharing them; they expire by design.
Common questions
Can I make a private app public later? No. The private flag is irreversible by design. Create a new public app instead.
Why does /download return a URL instead of the file? You're running with ENABLE_PRIVATE_APP_DOWNLOADING=false, so the API requires authentication and hands back a short-lived signed URL instead of redirecting to the file — that's the strict mode.
Where do private artifacts actually live? In the bucket named by S3_BUCKET_NAME_PRIVATE, separate from your public artifact bucket, on whichever provider your STORAGE_DRIVER points to.
How to try faynoSync?
- Follow the Getting Started guide:
  👉 https://faynosync.com/docs/getting-started
- Create your app using the REST API or web dashboard:
  📦 API Docs: https://faynosync.com/docs/api
  🖥️ Dashboard UI: https://github.com/ku9nov/faynoSync-dashboard
- Upload at least two versions of your application.
- Check for updates with this simple request:
  📡 /info/latest
Related reading
- Team-Based Authorization in faynoSync — Manage Your Team Like a Pro
- Rollout Health Reports — Catch Failed Updates Before They Spread
- Scaling Update Checks with Edge + S3 Response Cache
- Create Application docs
If you find this project helpful, please consider subscribing, leaving a comment, giving it a star, or creating an issue or feature request on GitHub.
Your support keeps the project alive and growing 💚
