How to Build Private Storage Into Any App: Inside DMAIL’s Integration with Storacha.
This guest post comes from Dhruv Varshney (Devrel @Storacha).
This guest post comes from Dhruv Varshney (Devrel @Storacha).
What if “add private storage” was just an iframe?
DMAIL wanted private, wallet-native storage without trashing UX, so Storacha shipped an iframe pattern that drops military-grade encrypted storage into any SSO in ~30 minutes. DMAIL’s the first case study; any app can copy-paste it.
Encryption Without the Headache
DMAIL’s users are already comfortable with decentralized systems, but that doesn’t mean they want to manage cryptographic keys. The challenge was building enterprise-grade encryption that felt as simple as dragging a file into a folder.
Here’s what Storacha built:
- Files encrypted before leaving the user’s device
- Zero-knowledge architecture (even Storacha can’t see their data)
- Seamless integration with their existing workspace
- Enterprise compliance without enterprise complexity
- The ability to share and revoke access instantly
The solution involved three key pieces: UCANs for authorization, client-side encryption for security, and an iframe integration that makes it feel native to their app.
How It Actually Works
In DMAIL’s workspace, users see various widgets for different services — crypto analytics, portfolio tracking, data platforms. When they click on the Storacha widget, the Storacha console opens as an embedded iframe. But the magic happens in the authentication handshake.
Instead of creating another login, Storacha built an SSO bridge. DMAIL sends the user’s credentials via postMessage, and Storacha grants access only if the credentials are valid and authorized by the DMAIL/provider auth service. The whole process takes about 3 seconds.
// DMAIL sends auth data to embedded Storacha console
parent.postMessage({
type: 'AUTH_DATA',
provider: 'dmail',
email: user.email,
userId: user.id,
sessionToken: user.token
}, '<https://console.storacha.network>')// Storacha validates SSO token and creates UCAN delegation
const userDID = await validateSSOToken(ssoData)
const delegation = await createSpaceDelegation({
issuer: serviceDID,
audience: userDID,
capabilities: ['space/*']
})Once authenticated, users can create “Private Spaces”- essentially encrypted folders where each space gets its own RSA key pair.
The Privacy and Encryption Architecture
The interesting part happens when someone uploads a file. Everything is private and encrypted on the client side using symmetric keys, but managing those keys securely required some creativity.
Here’s the flow:
Upload:
- User drags a file into their private space
- Browser generates a random 256-bit AES key
- File gets encrypted using AES-256-CTR as it’s read, allowing massive files to be processed without loading entirely into memory using streaming encryption
- The symmetric key gets sent to Storacha’s UCAN-KMS server
- UCAN-KMS validates the user’s permissions and encrypts the symmetric key
- Encrypted file + encrypted key metadata gets stored on IPFS
Download:
- User (or someone they’ve shared space with) requests the file
- Storacha validates their UCAN delegation to ensure they have access
- UCAN-KMS decrypts the symmetric key
- Browser receives the symmetric key and decrypts the file locally
The result is military-grade encryption that feels like using Dropbox, but with mathematical guarantees that only users can access the plaintext data.
UCANs: The Secret Sauce
The authorization system is built on User-Controlled Authorization Networks (UCANs) — think of them as decentralized permission slips that don’t require a centralized server to validate.
When Alice wants to share a file with Bob, she creates a UCAN that says “Bob can decrypt files in Alice’s Legal Documents space for the next 30 days.” Bob can use this UCAN to prove his access rights without Alice needing to be online or manage a sharing server.
The powerful part is granular permissions. Alice can give Bob access to decrypt files but not upload new ones. Or access to one space but not another. And she can revoke access instantly by marking the UCAN as revoked in the system.
She can also create delegation chains — Bob could re-delegate limited access to Carol, creating an auditable chain of permissions.
// Alice creates delegation for Bob
const delegation = await createDelegation({
issuer: alice.did,
audience: bob.did,
capabilities: ['space/content/decrypt'],
with: 'did:key:alice-legal-docs-space',
expiration: Math.floor(Date.now() / 1000) + (30 * 24 * 60 * 60) // 30 days
})// Bob uses delegation to access files
const file = await decryptFile(cid, {
delegation,
proofs: [delegation]
})The Architecture That Made It Possible
DMAIL’s integration revealed something important about building developer-friendly infrastructure. The key was making encryption invisible to the end user while keeping it auditable for developers.
The UCAN-KMS server acts as a bridge between UCAN delegations and enterprise Key Management Services. It validates UCAN tokens and performs cryptographic operations based on the proven capabilities, without ever seeing the plaintext data.
This means:
- Only users can see their files
- KMS never sees the UCAN tokens or user data
- Each space gets its own RSA key pair, cryptographically isolated from others
- All cryptographic operations are logged for audit compliance.
- Every operation requires valid UCAN proofs.
The modular design means DMAIL could swap between different KMS providers or even Lit Protocol without changing their client code. The CryptoAdapter interface makes it provider-agnostic.
Integration Patterns for Any Provider
The iframe integration pattern built for DMAIL works for any SSO provider. Whether you’re building a productivity app, a messaging platform, or a collaboration tool, you can embed private storage in about an hour.
Storacha provides a test environment at console.storacha.network/test-iframe where you can see exactly how it works. The integration requires:
- Embed Storacha console as an iframe
const iframe = document.createElement('iframe')
iframe.src = '<https://console.storacha.network/iframe?sso=your-provider>'
iframe.style.width = '400px'
iframe.style.height = '600px'
iframe.title = 'Storacha Console'
iframe.referrerPolicy = 'origin'
iframe.sandbox = 'allow-scripts allow-same-origin allow-forms allow-popups allow-top-navigation-by-user-activation allow-downloads'
iframe.allow = 'payment'
document.body.appendChild(iframe)2. Send user auth data via postMessage
let communicationPort = nullwindow.addEventListener('message', (event) => {
if (event.origin !== '<https://console.storacha.network>') return
if (event.data.type === 'CONSOLE_READY') {
if (event.ports && event.ports.length > 0) {
communicationPort = event.ports[0]
communicationPort.onmessage = handlePortMessage
}
}
})function handlePortMessage(event) {
const { data } = event
switch (data.type) {
case 'LOGIN_REQUEST':
const authData = {
type: 'AUTH_DATA',
authProvider: 'your-provider',
email: 'user@example.com',
externalUserId: 'user123',
externalSessionToken: 'session-jwt-token'
}
communicationPort.postMessage(authData)
break
}
}3. Handle the auth response and file operation callbacks.
function handlePortMessage(event) {
const { data } = event
switch (data.type) {
case 'LOGIN_REQUEST':
// Send auth data
break
case 'LOGIN_STATUS':
console.log('Auth status:', data.status)
break
case 'LOGIN_COMPLETED':
if (data.status === 'success') {
handleAuthSuccess(data)
} else {
handleAuthError(data.error)
}
break
}
}That’s it. Your users get client-side encrypted private storage without you having to build a cryptography team.
Storacha handles everything — key management, encryption, UCAN delegations, file sharing, access revocation. The iframe is just the entry point for apps to start using encrypted and private decentralized data storage. Applications just need to pass user credentials and listen for authentication callbacks.
The Bigger Picture
What started as DMAIL needing secure file storage turned into a pattern for embedding private storage in any application. The combination of UCANs for authorization and client-side encryption for privacy creates something interesting: truly user-owned data that applications can’t access without explicit permission.
DMAIL’s users now have private storage that feels native to their workspace. But more importantly, they have granular control over who can access what, with the ability to revoke permissions instantly. All without managing a single cryptographic key.
The technical implementation is more sophisticated than what most companies would build in-house (streaming encryption, key management, delegation chains, audit logging), but the integration is simple enough that it will take just an hour to integrate into applications.
The iframe pattern means any SSO provider can offer their users encrypted private storage without hiring cryptographers, managing key infrastructure, or worrying about compliance audits. What would typically require months of cryptography work becomes an afternoon of iframe integration.
Want to see how this works in practice? Try out the Storacha in Dmail at https://mail.dmail.ai/workspace or test the iframe integration at console.storacha.network/test-iframe. If you build something with these patterns, the community would love to hear about it in our discord. Want to go further inside the Storacha ecosystem? Check out the curated list: awesome-storacha
Happy building!
About Storacha
Storacha is building the foundation for a decentralized internet based on verifiable, self-sovereign data. Backed by a $6.5M Seed round led by Protocol Labs Venture Studio, Storacha enables portable, programmable private data at scale through DIDs and UCANs — a breakthrough in decentralized access control. Its infrastructure powers entirely new possibilities: from AI agents securely sharing data, to games and dApps exchanging off-chain assets without relying on servers or middlemen. Storacha’s vision is simple: your house, your key.
