Bring Your Own Bucket
By default, your data lives in Mixedbread-managed object storage. Bring your own bucket (BYOB) lets enterprise customers use object storage they own and control as the backend instead.
With BYOB, your bucket holds all user content (documents, metadata) and derived artifacts (chunks, generated content, the search index). Mixedbread reads and writes it with ephemeral compute and retains nothing beyond memory: we keep only usage metering for billing.
BYOB is enabled per organization. Contact us and we'll turn it on for your account.
Supported providers
| Provider | Status | Authentication |
|---|---|---|
| AWS S3 | Available | IAM role (recommended) or access keys |
| Google Cloud Storage | Coming soon | N/A |
| Azure Blob Storage | Coming soon | N/A |
Other S3-compatible services can work via access keys and a custom endpoint, but aren't officially supported yet. Contact us if you need one, or a provider that isn't listed.
Authentication
For AWS S3, authenticate one of two ways:
- IAM role (recommended). Mixedbread assumes a cross-account role in your account via STS, scoped with a unique external ID. We do not store any long-lived secrets. Access can be granted or revoked entirely through the role's trust policy.
- Access keys. An access key ID and secret. Keys are encrypted at rest, never returned by the API, and can be rotated at any time. Use this for S3-compatible endpoints.
Encryption
Data is encrypted in transit and at rest. If your bucket uses SSE-KMS, provide the KMS key ARN and grant the role or identity Mixedbread uses kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey on that key. Mixedbread encrypts writes with your key, so you hold the encryption material and can revoke it at any time. Omit the key to use the bucket's default encryption.
The KMS key is fixed when you connect the bucket and can't be changed afterward, because objects stay encrypted under the key they were written with. To switch keys, recreate the connection.
Setup
1. Contact us to enable BYOB for your organization. We'll confirm once it's on.
2. Create a dedicated S3 bucket in us-east-1 (see performance). Optionally set a key prefix to namespace Mixedbread's objects, and configure SSE-KMS to use your own key.
3. Create an IAM role Mixedbread can assume with the external ID we provide, or create access keys. If the bucket uses SSE-KMS, grant the same identity access to your KMS key.
4. In the dashboard, add the bucket with its name, region, optional prefix, the role ARN or access keys, and the KMS key ARN if applicable.
Mixedbread validates the bucket before storing anything, checking reachability and running a write/delete probe, so a misconfigured or unreachable bucket is rejected immediately.
Once connected, new stores point to your bucket automatically.
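The role from the setup steps above, sketched as an added example (not Mixedbread's own code): it builds a trust policy gated on the external ID, a permissions policy scoped to one bucket and prefix, and a check that flags a trust policy missing the external ID condition. The account ID, external ID, bucket name, principal ARN form, and the S3 action list are assumptions; the three KMS actions are the ones named under Encryption.

```python
import json

# Placeholders (constructed): substitute the account ID and external ID Mixedbread provides.
MIXEDBREAD_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"

def trust_policy(account_id, external_id):
    """Only the given account may assume the role, and only when it presents the external ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},  # assumed principal form
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

def permissions_policy(bucket, prefix="", kms_key_arn=None):
    """Permissions limited to one bucket and optional key prefix (S3 action list is an assumption)."""
    statements = [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
    ]
    if prefix:  # keep listing inside the namespace prefix
        statements[1]["Condition"] = {"StringLike": {"s3:prefix": f"{prefix}*"}}
    if kms_key_arn:  # only needed when the bucket uses SSE-KMS
        statements.append({"Effect": "Allow", "Resource": kms_key_arn,
                           "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"]})
    return {"Version": "2012-10-17", "Statement": statements}

def trust_policy_findings(policy):
    """Flag Allow statements with a wildcard principal or without an sts:ExternalId condition."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal")
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings

if __name__ == "__main__":
    print(json.dumps(trust_policy(MIXEDBREAD_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(permissions_policy("example-byob-bucket", "mxbai/"), indent=2))
    print(trust_policy_findings(trust_policy(MIXEDBREAD_ACCOUNT_ID, EXTERNAL_ID)))
```

Running `trust_policy_findings` over the trust policy document of an existing role shows whether the external ID condition is in place before you enter the role ARN in the dashboard.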
Does BYOB affect performance?
No. Keep your bucket in us-east-1, colocated with Mixedbread's compute, and indexing and search perform the same as without BYOB. Buckets in other regions work but add cross-region latency and data-transfer cost.
What happens to my existing stores?
Connecting a bucket changes where new content lives; it does not move existing data.
- Stores created after setup persist all content in your bucket.
- Stores created before setup keep reading and writing from the Mixedbread-owned bucket; they are not migrated.
To move existing data into your bucket today, recreate those stores after connecting it. Automated migration of existing stores is coming soon.
What does it cost?
- Mixedbread charges for the compute cost of indexing and search.
- You pay your cloud provider directly for the bucket's storage, requests, data transfer, and any encryption services you use (such as KMS).
How do I revoke access?
You control access from your own cloud and can revoke it at any time. How quickly Mixedbread loses access depends on how you revoke it:
- Access keys. Once you deactivate or delete the key, Mixedbread loses access within a few minutes (AWS IAM is eventually consistent).
- IAM role. Once you remove the trust policy, Mixedbread can no longer obtain new credentials. Because it uses short-lived STS sessions, any session it already holds expires shortly after; to cut access immediately, use IAM's revoke active sessions.
After Mixedbread loses access, your stores and files are no longer reachable from our service. Content already loaded into the retrieval engine may stay in an ephemeral in-memory cache for a short period until it is evicted.