BucketDock — your S3 browser, on your macOS desktop.
BucketDock is built for AWS S3, Cloudflare R2, Hetzner Object Storage, and other S3-compatible providers when you want a desktop UI instead of the CLI or a browser dashboard.

This is an unsigned developer-preview build. It is not signed with Apple Developer ID and is not notarized.
macOS may say: "the app is damaged or cannot be opened". To run it:
xattr -dr com.apple.quarantine /Applications/BucketDock.app
open /Applications/BucketDock.app
For screenshots and step-by-step first-launch help, see the download and install guide.
Current builds are ad-hoc signed but not Apple-notarized. macOS may block them after download. This is expected for early developer-preview builds.
Official signed and notarized builds are planned later.
Content-Type returned by the server (fetched via batched HEAD requests after the listing loads); it falls back to the default S3 type (application/octet-stream for files, — for folders) until the HEAD response arrivesimages/photo.jpg)— in the Size column of any folder rowAccessDenied, SignatureDoesNotMatch, InvalidAccessKeyId, NoSuchBucket, network failures)The following items are not implemented in the current codebase and should not be treated as shipped features:
Current object browser shortcuts:
Delete or Backspace with a selection: delete selected itemsEnter with one selected folder: open that folderCmd+A or Ctrl+A: select all visible itemsCmd+I or Ctrl+I: open info for one selected fileBucketDock uses a split desktop architecture:
Next.js frontend
-> Tauri command bridge
-> Rust backend
-> AWS SDK for S3 / R2 / Hetzner / compatible providers
The frontend never talks directly to S3.
All storage requests are executed by the Rust backend through Tauri commands. That keeps request signing logic and secrets out of the browser runtime.
Connection metadata is stored in:
~/Library/Application Support/BucketDock/connections.json
Stored there:
Secret access keys are stored separately in the macOS Keychain under the service name:
com.bucketdock.app
If a connection was created before native Keychain persistence was enabled, edit that connection, enter the Secret Access Key again, and save it once so the secret is written into the macOS Keychain.
Tauri setup instructions:
https://tauri.app/start/prerequisites/
pnpm install
pnpm tauri dev
This starts the Next.js frontend on port 1420 and launches the Tauri shell.
pnpm dev --port 1420
This is useful for UI work, but storage operations require the Tauri shell and Rust backend.
pnpm tauri build
The Next.js frontend is exported to out/, and Tauri bundles the macOS app from there.
Build artifacts are written under:
src-tauri/target/release/bundle/
cargo check --manifest-path src-tauri/Cargo.toml
The project ships two suites that both run in CI before any release build:
# Frontend unit tests (Vitest + jsdom): IPC bridge, app store, copy-to
# self-overwrite guard, MIME helper, secret-leak invariants.
pnpm test
# Backend unit tests (Rust): connection metadata round-trip, validation,
# bucket-filter parsing, S3 key percent-encoding, rename_prefix edges,
# keychain service / bundle account constants.
cargo test --manifest-path src-tauri/Cargo.toml
Typical AWS S3 setup:
Provider: AWS S3
Region: eu-central-1
Endpoint: leave empty
Buckets: leave empty to auto-list, or set one or more names
Use the account endpoint and keep the bucket name separate.
Standard R2 setup:
Provider: Cloudflare R2
Endpoint: https://<ACCOUNT_ID>.r2.cloudflarestorage.com
Region: auto
Buckets: your-bucket-name
If you have access to more than one bucket, the Buckets field can contain a comma-, space-, newline-, or semicolon-separated list.
Important rules:
autoBuckets fieldCorrect:
Endpoint: https://<ACCOUNT_ID>.r2.cloudflarestorage.com
Buckets: media-assets
Region: auto
Incorrect:
Endpoint: https://<ACCOUNT_ID>.r2.cloudflarestorage.com/media-assets
Buckets: media-assets
Region: auto
Example:
Provider: S3-Compatible
Endpoint: https://s3.example.com
Region: us-east-1
Buckets: my-bucket
Example:
Provider: Hetzner Object Storage
Endpoint: https://fsn1.your-objectstorage.com
Region: hidden in the form
Buckets: my-bucket
If opening a bucket fails with an error like:
Failed to list objects: S3 error: service error: unhandled error (SignatureDoesNotMatch)
check the following first:
auto.Buckets field.For bucket-scoped R2 credentials, BucketDock skips the account-wide ListBuckets call and uses the configured bucket names directly.
If typing the secret into the edit form makes Test pass, but testing the saved connection fails, the saved secret is missing. Open Edit Connection, enter the Secret Access Key again, and click Save so BucketDock can write it into the macOS Keychain.
BucketDock source code is licensed under the Apache License, Version 2.0.
See LICENSE for details.
The BucketDock name, logo, icon, domain, and official release assets are not licensed for use in a way that suggests endorsement by the official project.
$ claude mcp add bucketdock \
-- python -m otcore.mcp_server <graph>