🔑 Create S3 Keys
S3 credentials (an access key + secret key pair) authenticate every request to the S3 API. You create them yourself using your existing Lighthouse API key — one call, no dashboard round-trip.
Your Lighthouse API key is a bearer token; S3 clients instead sign every request with a secret that never travels over the wire (AWS Signature V4). That's what makes presigned URLs and tamper-proof requests possible. Your API key stays server-side; the S3 keypair is what you put into aws configure, CI, and apps.
Create your keys
Send your Lighthouse API key as a Bearer token:
- curl
- Node.js
- Python
curl -X POST https://s3.lighthouse.storage/-/keys \
-H "Authorization: Bearer YOUR_LIGHTHOUSE_API_KEY"
const res = await fetch('https://s3.lighthouse.storage/-/keys', {
method: 'POST',
headers: { Authorization: `Bearer ${process.env.LIGHTHOUSE_API_KEY}` },
})
const keys = await res.json()
console.log(keys.accessKey, keys.secretKey) // store the secret NOW
import os, requests
res = requests.post(
"https://s3.lighthouse.storage/-/keys",
headers={"Authorization": f"Bearer {os.environ['LIGHTHOUSE_API_KEY']}"},
)
keys = res.json()
print(keys["accessKey"], keys["secretKey"]) # store the secret NOW
Response:
{
"accessKey": "LHAK7F3A9C21D48E55B0",
"secretKey": "3q9Zt...",
"region": "us-east-1",
"message": "save the secret key now — it cannot be shown again"
}
The secret key is returned only in this response and cannot be recovered afterwards — not by you, not by support. If it's lost, revoke and re-create.
Calling POST /-/keys again while you already have active keys is safe — it returns your existing access key with "existing": true (and no secret) instead of creating duplicates. One active keypair per Lighthouse account.
The endpoint rejects JWTs with a 400. Your token is stored as the upload key for your account, and JWTs expire — uploads would break later. Always use your permanent Lighthouse API key here.
Check your keys
curl https://s3.lighthouse.storage/-/keys \
-H "Authorization: Bearer YOUR_LIGHTHOUSE_API_KEY"
{"accessKey": "LHAK7F3A9C21D48E55B0", "created": "2026-07-13T17:34:27Z", "region": "us-east-1"}
Revoke your keys
curl -X DELETE https://s3.lighthouse.storage/-/keys \
-H "Authorization: Bearer YOUR_LIGHTHOUSE_API_KEY"
Revocation takes effect within about 30 seconds; all requests signed with the old keys (including presigned URLs) start failing with InvalidAccessKeyId. Your buckets and files are untouched.
To rotate keys: DELETE, then POST again for a fresh pair.
After a revoke + re-create, update the credentials everywhere they're configured (CI secrets, ~/.aws/credentials, app configs). Note that buckets created with the old keys remain owned by your account and accessible with the new pair only if issued for the same Lighthouse account.
Response codes
| Code | Meaning |
|---|---|
201 | Keys created — the only time you'll see the secret |
200 + "existing": true | You already have active keys |
400 | Token is a JWT — use your permanent API key |
401 | Lighthouse rejected the API key |
429 | Slow down — the endpoint is rate-limited |