I am only just starting out with Uppy, so please excuse me if this is already documented or should be obvious.

First, let's briefly describe my requirements, I would assume those are pretty common:

1. There is a web application with different users that can authenticate.
2. These users shall be able to upload large files from their computer or from remote URLs to a user-specific tree in an S3 bucket.
3. The users must not be able to upload to a tree that belongs to another user.
4. Unauthenticated third parties must not be able to upload anything.

It seems to me as if a standard deployment of the Companion with S3 credentials will allow anybody with access to the companion to perform arbitrary uploads to the S3 buckets without any authentication.

That doesn't seem like a good idea, but looking through the Companion documentation, I could not find much information how I can configure any form of access control.

Could you provide some pointers how companion can be deployed more securely, for example by requiring client requests to be signed with a secret that is only known to the trusted web application, or any other method?