Skip to main content

🔑 Create S3 Keys

S3 credentials (an access key + secret key pair) authenticate every request to the S3 API. You create them yourself using your existing Lighthouse API key — one call, no dashboard round-trip.

Why a separate keypair?

Your Lighthouse API key is a bearer token; S3 clients instead sign every request with a secret that never travels over the wire (AWS Signature V4). That's what makes presigned URLs and tamper-proof requests possible. Your API key stays server-side; the S3 keypair is what you put into aws configure, CI, and apps.


Create your keys

Send your Lighthouse API key as a Bearer token:

curl -X POST https://s3.lighthouse.storage/-/keys \
-H "Authorization: Bearer YOUR_LIGHTHOUSE_API_KEY"

Response:

{
"accessKey": "LHAK7F3A9C21D48E55B0",
"secretKey": "3q9Zt...",
"region": "us-east-1",
"message": "save the secret key now — it cannot be shown again"
}
Secret shown once

The secret key is returned only in this response and cannot be recovered afterwards — not by you, not by support. If it's lost, revoke and re-create.

Calling POST /-/keys again while you already have active keys is safe — it returns your existing access key with "existing": true (and no secret) instead of creating duplicates. One active keypair per Lighthouse account.

Use your API key, not a JWT

The endpoint rejects JWTs with a 400. Your token is stored as the upload key for your account, and JWTs expire — uploads would break later. Always use your permanent Lighthouse API key here.


Check your keys

curl https://s3.lighthouse.storage/-/keys \
-H "Authorization: Bearer YOUR_LIGHTHOUSE_API_KEY"
{"accessKey": "LHAK7F3A9C21D48E55B0", "created": "2026-07-13T17:34:27Z", "region": "us-east-1"}

Revoke your keys

curl -X DELETE https://s3.lighthouse.storage/-/keys \
-H "Authorization: Bearer YOUR_LIGHTHOUSE_API_KEY"

Revocation takes effect within about 30 seconds; all requests signed with the old keys (including presigned URLs) start failing with InvalidAccessKeyId. Your buckets and files are untouched.

To rotate keys: DELETE, then POST again for a fresh pair.

caution

After a revoke + re-create, update the credentials everywhere they're configured (CI secrets, ~/.aws/credentials, app configs). Note that buckets created with the old keys remain owned by your account and accessible with the new pair only if issued for the same Lighthouse account.


Response codes

CodeMeaning
201Keys created — the only time you'll see the secret
200 + "existing": trueYou already have active keys
400Token is a JWT — use your permanent API key
401Lighthouse rejected the API key
429Slow down — the endpoint is rate-limited