Banks, payroll providers, and enterprise partners frequently mandate SFTP. Your platform, meanwhile, is a REST API. Rather than standing up an SSH server, writing an ingestion daemon, and securing both, FTPasHTTPS terminates the SFTP session and translates it directly into HTTP requests against your API — in both directions. This guide covers SSH key setup, the request your API receives, the download path, and inline transformations.
How SFTP-to-API works
FTPasHTTPS speaks SFTP (RFC-compliant SSH key auth) on the front and HTTP on the back. There is no disk in between — an upload is a stream, and a download is a stream.
- Register your partner's SSH public key against an SFTP user on your FTPasHTTPS server.
- The client connects and runs put (SFTP write). FTPasHTTPS opens an HTTPS POST to your REST endpoint.
- File bytes stream straight into the request body. Optional inline transforms (CSV→JSON, schema validation, PGP) run mid-stream.
- For downloads, the client runs get (SFTP read); FTPasHTTPS calls your API and streams the response bytes back over SFTP.
- Your API's HTTP status maps to the SFTP transfer result — 200 completes the transfer, 5xx aborts it so the client retries.
Config & example API request
Define an SFTP server with key-based auth and a REST target. Transformations are declared inline:
server.config

```yaml
# FTPasHTTPS — SFTP front, REST API back
protocol: SFTP            # SSH key auth (Professional+)
endpoint:
  url: https://api.example.com/v1/files
  method: POST
  headers:
    Authorization: Bearer ${API_TOKEN}
  sign_with: hmac-sha256
transform:
  - csv_to_json           # parse CSV body into JSON
  - validate_schema: orders.schema.json
users:
  - username: payroll-bank
    ssh_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...
```
When payroll-bank uploads payments.csv, FTPasHTTPS parses it, validates it against your schema, and POSTs JSON to your API:
```
Content-Type: application/json
Authorization: Bearer ${API_TOKEN}
X-FTPasHTTPS-Signature: sha256=4d7a3e9b6c0f...
X-FTPasHTTPS-Event: file.uploaded

{
  "event": "file.uploaded",
  "protocol": "SFTP",
  "user": "payroll-bank",
  "source_file": "payments.csv",
  "transformed": "csv_to_json",
  "records": [
    { "iban": "NL91ABNA0417164300", "amount": 1840.50, "ref": "INV-0091" },
    { "iban": "DE89370400440532013000", "amount": 920.00, "ref": "INV-0092" }
  ],
  "received_at": "2026-06-20T09:02:11Z"
}
```
Respond 200 OK to acknowledge. For a download, your API simply returns the file bytes for the requested path and FTPasHTTPS streams them back to the SFTP client.
FTPasHTTPS vs the DIY way
The usual build is a self-hosted SFTP server with a cron job polling its inbox and a script that calls your API. Compared side by side:
| | DIY: SFTP box + cron + script | FTPasHTTPS |
|---|---|---|
| API delivery | Script you write and maintain | Native — upload is an HTTP POST |
| Downloads from API | Pre-stage files on the SFTP box | RETR streams live from your API |
| Transforms | Extra script, extra deps | Inline CSV/JSON/XML, schema, PGP |
| SSH key management | Manage authorized_keys by hand | Keys managed per user in the dashboard |
| At-rest files | Inbox sits on disk | Streamed — nothing at rest |
| Retries & DLQ | Build it yourself | Backoff + dead-letter queue built in |
When to use SFTP-to-API
- A counterparty mandates SFTP with SSH keys, but your system is a REST API.
- You want files validated against a schema before they ever hit your API.
- You need bidirectional flow — partners both push to and pull from your API over SFTP.
- You want to delete the SSH server, cron job, and glue script you maintain today.
- You need CSV/JSON/XML conversion or PGP without bolting on another service.
Want the raw bytes delivered as a webhook rather than a structured API call? See the FTP to Webhook guide. Comparing managed options? Read the AWS Transfer Family alternative breakdown.
Security model and which plan you need
SFTP authentication uses SSH keys, which you register per user, so there are no shared passwords to leak. Outbound calls to your API are signed with HMAC-SHA256, letting you reject any request that did not originate from FTPasHTTPS. Because nothing is written to disk, there is no ingestion inbox to harden or sweep, and every transfer — success or failure — is recorded in a full audit log you can hand to a security reviewer.
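One way a receiving API could enforce the signature check described above. This is an added example, not FTPasHTTPS's own code: it assumes the X-FTPasHTTPS-Signature value is a hex HMAC-SHA256 over the raw request body keyed with a shared secret, and the function names, demo secret and 4xx status codes are hypothetical.

```python
import hashlib
import hmac
import json

# Assumptions (not stated on the page): the signature is a hex HMAC-SHA256 of
# the raw request body, keyed with a secret shared with FTPasHTTPS.
SIGNATURE_HEADER = "X-FTPasHTTPS-Signature"  # header name taken from the page
PREFIX = "sha256="


def sign(secret, body):
    """Build the header value the receiver expects (used here for the demo)."""
    return PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret, headers, body):
    """Return True only if the header carries a valid MAC over the raw body."""
    # HTTP header names are case-insensitive; normalise before lookup.
    value = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if not value or not value.startswith(PREFIX):
        return False  # missing header or unknown scheme: reject, never skip
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(sign(secret, body).encode(), value.strip().encode())


def handle_upload(secret, headers, body):
    """Verify first, parse second; status codes here are illustrative."""
    if not verify(secret, headers, body):
        return 401, "bad signature"
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "invalid JSON"
    if not isinstance(event, dict) or event.get("event") != "file.uploaded":
        return 400, "unexpected event"
    return 200, f"accepted {len(event.get('records', []))} records"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value, not a real key
    body = json.dumps({"event": "file.uploaded", "user": "payroll-bank",
                       "records": [{"iban": "NL91ABNA0417164300", "amount": 1840.50}]}).encode()
    good = {SIGNATURE_HEADER: sign(secret, body)}
    print(handle_upload(secret, good, body))                             # valid
    print(handle_upload(secret, good, body.replace(b"1840", b"9840")))   # tampered
    print(handle_upload(secret, {}, body))                               # unsigned
```

Verify against the exact bytes received, before any JSON parsing or re-serialisation, since a re-encoded body will not reproduce the same MAC.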
SFTP, custom domains, inline transformations, and schema validation begin on the Professional plan (€49/server/month: 10,000 transfers, 50GB, 25 users). If you also need PGP encryption, SSO/SAML, or a dedicated IP for an allow-listed partner, the Enterprise plan (€99) adds those with unlimited users. The Free and Starter tiers are FTP/FTPS only, so SFTP-to-API specifically starts at Professional — but you can still prototype the API contract on a lower tier using FTPS before your partner cuts over to SFTP.