diff --git a/cmd/verstak-server/server.go b/cmd/verstak-server/server.go
index c6f6665..6900e04 100644
--- a/cmd/verstak-server/server.go
+++ b/cmd/verstak-server/server.go
@@ -2,10 +2,12 @@ package main
 
 import (
 	"crypto/rand"
+	"crypto/sha256"
 	"database/sql"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -167,6 +169,12 @@ CREATE TABLE IF NOT EXISTS server_ops (
     created_at TEXT NOT NULL,
     pushed_at TEXT NOT NULL DEFAULT (datetime('now'))
 );
+
+CREATE TABLE IF NOT EXISTS server_blobs (
+    sha256 TEXT PRIMARY KEY,
+    size INTEGER NOT NULL,
+    created_at TEXT NOT NULL
+);
 `
 
 // ============================================================
@@ -364,7 +372,76 @@ func (s *Server) handleBlobs(w http.ResponseWriter, r *http.Request) {
 	if !s.requireAPIKey(w, r) {
 		return
 	}
-	jsonOK(w, map[string]string{"status": "ok", "message": "blob endpoint ready (not yet implemented)"})
+	switch r.Method {
+	case "POST":
+		// Upload: accept multipart file, store by SHA-256.
+		if err := r.ParseMultipartForm(200 << 20); err != nil {
+			jsonErr(w, 400, "multipart error: "+err.Error())
+			return
+		}
+		file, header, err := r.FormFile("file")
+		if err != nil {
+			jsonErr(w, 400, "file field required")
+			return
+		}
+		defer file.Close()
+
+		// Read content and compute SHA-256.
+		data, err := io.ReadAll(file)
+		if err != nil {
+			jsonErr(w, 500, "read error")
+			return
+		}
+		hash := sha256.Sum256(data)
+		shaHex := hex.EncodeToString(hash[:])
+
+		// Store at blobs/ab/cd/sha256.
+		blobDir := filepath.Join(s.blobsDir, shaHex[:2], shaHex[2:4])
+		if err := os.MkdirAll(blobDir, 0750); err != nil {
+			jsonErr(w, 500, "mkdir error")
+			return
+		}
+		blobPath := filepath.Join(blobDir, shaHex)
+		if err := os.WriteFile(blobPath, data, 0640); err != nil {
+			jsonErr(w, 500, "write error")
+			return
+		}
+		_ = header
+
+		// Record in blobs table.
+		now := time.Now().UTC().Format(time.RFC3339)
+		s.db.Exec("INSERT OR IGNORE INTO server_blobs (sha256, size, created_at) VALUES (?, ?, ?)",
+			shaHex, len(data), now)
+
+		jsonOK(w, map[string]interface{}{
+			"sha256": shaHex,
+			"size":   len(data),
+		})
+
+	case "GET":
+		// Download: GET /api/v1/blobs/{sha256}
+		shaHex := strings.TrimPrefix(r.URL.Path, "/api/v1/blobs/")
+		if len(shaHex) != 64 {
+			jsonErr(w, 400, "invalid SHA-256")
+			return
+		}
+		blobPath := filepath.Join(s.blobsDir, shaHex[:2], shaHex[2:4], shaHex)
+		if _, err := os.Stat(blobPath); os.IsNotExist(err) {
+			jsonErr(w, 404, "blob not found")
+			return
+		}
+		data, err := os.ReadFile(blobPath)
+		if err != nil {
+			jsonErr(w, 500, "read error")
+			return
+		}
+		w.Header().Set("Content-Type", "application/octet-stream")
+		w.Header().Set("Content-Disposition", "attachment; filename=\""+shaHex+"\"")
+		w.Write(data)
+
+	default:
+		jsonErr(w, 405, "method not allowed")
+	}
 }
 
 func (s *Server) handleAdminLogin(w http.ResponseWriter, r *http.Request) {