"Serverless SFTP" sounds like a contradiction — SFTP is, after all, a stateful protocol over SSH. The trick is where the file goes. A traditional SFTP server is a long-lived box with a filesystem: you provision it, harden it, rotate its keys, watch its disk fill, and eventually answer a 3am page when it falls over. FTPasHTTPS keeps the SFTP front door but removes the box behind it. The connection is terminated for you, and the bytes are handed to your HTTPS endpoint as they arrive.
How a serverless SFTP endpoint works
- You create a server in the dashboard and pick a protocol — SFTP with SSH key auth, FTPS over TLS, or plain FTP for legacy clients.
- You add each partner as a user and paste their SSH public key. No shell accounts, no OS users.
- A partner connects and runs
STOR. FTPasHTTPS streams those bytes into an HTTPS POST to your configured endpoint. - Your endpoint replies.
200becomes226 Transfer completefor the client; a5xxbecomes451 Action aborted. - Webhooks are HMAC-SHA256 signed; failed deliveries retry with exponential backoff and land in a dead-letter queue. Everything is logged.
Add a user + receive the upload
Provisioning a partner is two pieces of config: the user with their key, and the endpoint that receives their files.
# Serverless SFTP server config { "protocol": "sftp", "host": "sftp.yourcompany.com", # custom domain (Professional+) "users": [ { "username": "acme-logistics", "auth": { "type": "ssh-key", "publicKey": "ssh-ed25519 AAAAC3Nz..." } } ], "endpoint": { "type": "webhook", "url": "https://api.yourcompany.com/ingest", "hmac": { "algorithm": "sha256", "secret": "${WEBHOOK_SECRET}" } } }
Your endpoint verifies the signature and reads the file from the request body — here in Node, but any HTTP framework works:
// POST /ingest — the SFTP upload arrives as the request body import { createHmac, timingSafeEqual } from "node:crypto"; export function ingest(req, res) { const sig = req.header("X-FTPasHTTPS-Signature"); const mac = createHmac("sha256", process.env.WEBHOOK_SECRET) .update(req.rawBody).digest("hex"); if (!timingSafeEqual(Buffer.from(sig), Buffer.from(mac))) { return res.status(401).end(); // -> client sees 451 } const name = req.header("X-FTPasHTTPS-Filename"); void process(name, req.rawBody); return res.status(200).end(); // -> client sees 226 }
Don't want to run an endpoint at all? Skip the webhook and set the target to S3, GCS, Azure Blob, or another SFTP server. The same serverless front door then drops files straight into storage with zero application code on your side.
Serverless endpoint vs. running your own SFTP box
| Concern | Self-hosted SFTP server | FTPasHTTPS serverless endpoint |
|---|---|---|
| OS & daemon patching | Yours, forever | Managed for you |
| Scaling for spikes | Resize the box, hope | Handled by the platform |
| Where files live | On a disk you secure | Streamed — never on disk |
| Partner onboarding | OS users, chroot, keys | Add a user + public key |
| Delivery to your app | Cron polls the directory | Direct HTTPS POST on upload |
| Failure handling | Custom scripts | Retries + dead-letter queue |
| Audit / compliance | Parse logs yourself | Built-in audit log |
| Custom domain & SSO | You wire it up | Custom domain, SSO/SAML on Enterprise |
When to use it (and the limits)
A serverless SFTP endpoint fits when partners mandate SFTP/FTPS but you have no appetite to own a file server: SaaS products onboarding enterprise customers, fintechs receiving bank files, retailers ingesting supplier feeds. Start on the Free tier (FTP, 100 transfers/month, no credit card) to prove the flow, move to Professional for SFTP, custom domain and transformations, and Enterprise for unlimited users, SSO/SAML and a dedicated IP.
The limits are worth stating plainly: this is an upload-driven model, so it shines for receiving files rather than serving a large browsable directory tree back to clients. SFTP requires the Professional plan or above. And sustained throughput is governed by your plan's monthly transfer and storage caps, so size the tier to your busiest partner.
Security and compliance posture
A serverless endpoint changes your security story in a meaningful way: the most common SFTP attack surface — a long-lived, internet-facing box with a writable filesystem and shell users — simply isn't there. There is no OS to harden, no chroot to get wrong, and no accumulating directory of sensitive files waiting to be exfiltrated, because uploads stream through rather than landing on disk. Authentication stays standard: SSH public keys for SFTP, TLS 1.2/1.3 for FTPS.
On the integrity side, every webhook delivery is HMAC-SHA256 signed so your endpoint can prove a payload came from FTPasHTTPS and was not tampered with in transit. Failed deliveries retry with exponential backoff and fall back to a dead-letter queue, and each transfer — success or failure — is recorded in an audit log. That log is what auditors and incident responders actually ask for: a per-file record of who connected, what they uploaded, and where it went. Enterprise adds SSO/SAML for your own team and a dedicated IP for partners that allowlist by address.
Frequently asked questions
Can I run SFTP without managing a server?
Yes. FTPasHTTPS gives you a hosted SFTP endpoint you never patch, scale or provision. Partners connect with standard clients and SSH key auth, and every upload streams to your HTTPS webhook or cloud storage instead of a disk you own.
What does serverless SFTP actually mean here?
There is no long-lived file server or storage volume in your infrastructure. FTPasHTTPS terminates the SFTP connection and streams uploaded bytes directly into an HTTPS POST to your endpoint. You manage an API handler, not an OS.
How do partners authenticate to a hosted SFTP endpoint?
SFTP uses SSH key authentication — you add each partner's public key to their user. FTPS uses TLS 1.2/1.3 client connections, and plain FTP is available on lower tiers for legacy systems.
Can I use my own domain for the SFTP endpoint?
Yes. Custom domains are available from the Professional plan, so partners connect to sftp.yourcompany.com. Enterprise adds a dedicated IP and SSO/SAML for your team.
Is a serverless SFTP endpoint reliable for production traffic?
Yes. Uploads map FTP transfer codes to HTTP responses, failed webhook deliveries retry with exponential backoff and fall back to a dead-letter queue, and every transfer is captured in an audit log.
Get a serverless SFTP endpoint
Create a server, add a partner's public key, point them at it. No daemon, no disk, no 3am page.
Start free — no credit card