
Key Management

Access keys are managed through the key management API. These endpoints require session authentication — you must be logged in to app.lightpane.cloud or pass a valid session token.

UI alternative

You can also manage keys in the LightPane application at Access Keys (app.lightpane.cloud/keys). The UI calls these same endpoints.

List keys

List all access keys owned by the authenticated user.

GET /keys

Response

{
    "grants": [
        {
            "grant_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
            "grant_type": "embed",
            "label": "Production status page",
            "token_prefix": "csl_em_...9hI",
            "cloud_bindings": [
                { "provider": "aws", "account_id": "079910999060", "region": "eu-west-2" }
            ],
            "allowed_services": ["ec2", "s3", "lambda_functions"],
            "constraints": {
                "allowed_origins": ["https://status.acmecorp.com"],
                "rate_limit_rpm": 30
            },
            "created_at": "2026-03-15T10:00:00Z",
            "expires_at": "2027-03-15T10:00:00Z",
            "last_used_at": "2026-03-28T09:15:00Z",
            "revoked": false
        }
    ]
}

The raw token is never returned. Only the prefix and last 4 characters are shown (token_prefix).
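A periodic review of the List keys response can be scripted. The following is an added example, not LightPane's own code: it reads a response in the shape shown above and flags non-revoked keys that are broader or older than they need to be. The sample grants, the finding names, the 90-day staleness threshold, and the treatment of a missing allowed_services as "all" are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the GET /keys response (no real keys).
SAMPLE = json.loads("""{"grants": [
 {"grant_id": "00000000-0000-0000-0000-000000000001", "grant_type": "embed",
  "allowed_services": ["ec2", "s3"], "revoked": false,
  "constraints": {"allowed_origins": ["https://status.example.com"]},
  "expires_at": "2027-03-15T10:00:00Z", "last_used_at": "2026-03-28T09:15:00Z"},
 {"grant_id": "00000000-0000-0000-0000-000000000002", "grant_type": "embed",
  "allowed_services": ["*"], "revoked": false, "constraints": {},
  "expires_at": "2027-01-10T10:00:00Z", "last_used_at": "2025-11-01T08:00:00Z"},
 {"grant_id": "00000000-0000-0000-0000-000000000003", "grant_type": "api_key",
  "allowed_services": ["s3"], "revoked": false, "constraints": {},
  "expires_at": "2026-03-01T00:00:00Z", "last_used_at": null},
 {"grant_id": "00000000-0000-0000-0000-000000000004", "grant_type": "embed",
  "allowed_services": ["*"], "revoked": true, "constraints": {},
  "expires_at": "2027-01-10T10:00:00Z", "last_used_at": null}]}""")
NOW = datetime(2026, 3, 28, 15, 0, tzinfo=timezone.utc)  # fixed clock for the sample

def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the response; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def audit_grants(listing, now, stale_after_days=90):
    """Return {grant_id: [findings]} for non-revoked keys that deserve review."""
    report = {}
    for grant in listing.get("grants", []):
        if grant.get("revoked"):
            continue  # already revoked, nothing left to tighten
        findings = []
        services = grant.get("allowed_services")
        if not services or "*" in services:  # assumption: omitted means all, as on create
            findings.append("all-services")
        origins = (grant.get("constraints") or {}).get("allowed_origins")
        if grant.get("grant_type") == "embed" and not origins:
            findings.append("embed-without-allowed-origins")
        expires = parse_ts(grant.get("expires_at"))
        if expires and expires <= now:
            findings.append("expired-not-revoked")
        last_used = parse_ts(grant.get("last_used_at"))
        if last_used and now - last_used > timedelta(days=stale_after_days):
            findings.append("stale")
        if findings:
            report[grant["grant_id"]] = findings
    return report

if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE, NOW), indent=2))
```

Keys flagged here are candidates for replacement with a narrower key, followed by revocation of the old one.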

Create a key

Create a new access key.

POST /keys
Content-Type: application/json

Request body

{
    "grant_type": "embed",
    "label": "Compliance dashboard",
    "cloud_accounts": [
        {
            "provider": "aws",
            "account_id": "079910999060"
        }
    ],
    "allowed_services": ["s3", "kms_keys", "cloudtrail_trails"],
    "constraints": {
        "allowed_origins": ["https://compliance.acmecorp.com"],
        "rate_limit_rpm": 30,
        "require_referer": true
    },
    "expires_in_days": 365
}

| Field | Type | Required | Description |
|---|---|---|---|
| grant_type | string | Yes | embed, api_key, or demo |
| label | string | Yes | Human-readable name for the key |
| cloud_accounts | array | Yes | Cloud accounts to bind. Must be accounts in your profile. |
| allowed_services | array | No | Service IDs this key can access. Omit or ["*"] for all. |
| constraints | object | No | Constraints to apply. See Authentication. |
| expires_in_days | number | No | Days until expiry. Default: 30 for API keys, 365 for embed keys. |
| group_id | string | No | Account group ID. If set, cloud_accounts is ignored — the key inherits the group's accounts. |

Response

{
    "grant_id": "b2c3d4e5-f6a7-8901-bcde-f23456789012",
    "token": "csl_em_8Gk4lM0nO3qR5sT7uV9wX1yZ2aB4cD6eF8gH0iJ",
    "grant_type": "embed",
    "label": "Compliance dashboard",
    "expires_at": "2027-03-28T14:30:00Z"
}

Save the token immediately

The token field is returned once only. It cannot be retrieved again. If you lose it, revoke the key and create a new one.

Revoke a key

Revoke an access key immediately. Any page or script using this key will stop working.

DELETE /keys/{grant_id}

Response

{
    "grant_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "revoked": true,
    "revoked_at": "2026-03-28T14:35:00Z"
}

Revocation is immediate and irreversible

Revoking a key immediately breaks any page or script using it. There is no undo. Create a replacement key before revoking the old one if you need uninterrupted service.