Master keys stay in your browser. The server holds scoped, revocable grants — never a key — and files are end-to-end encrypted, so storage only ever sees ciphertext. crypto self-test…
Admin: use your COORDINATOR_ADMIN_TOKEN. Delegate: use the token you were given.
Your key is used here only to mint two revocable stored-access-policy grants (write + read) and is never sent to the server.
One-time per storage account: allow this app's origin in its CORS so the browser can talk to Azure directly —
az storage cors add --services b --methods GET PUT OPTIONS HEAD POST --origins this origin --allowed-headers '*' --exposed-headers '*' --max-age 3600 --account-name <account> --account-key <key>
Make a shareable encrypted portal on one of your own connections — no delegate needed. The link appears in the recipient box below.
You never see a key — only the scoped grant the admin issued. Files are encrypted in your browser before upload.
Uses only the read-grant and content-key from the link #fragment. No login, no key.