API Overview¶

The LightPane REST API provides programmatic access to cloud infrastructure discovery. Use it from scripts, CI/CD pipelines, Excel/Power Query, or any HTTP client.

Base URL¶

https://api.lightpane.cloud

For dedicated deployments (Business tier and above), your base URL is:

https://{your-slug}.api.lightpane.cloud

Authentication¶

Every request must include a bearer token in the Authorization header:

Authorization: Bearer csl_ak_YOUR_KEY_HERE

Three authentication methods are supported, in order of precedence:

Bearer token — access key in the Authorization header (API keys, embed keys)
Session cookie — set by the LightPane web application after login
Anonymous — falls back to the demo account (public demos only)

See Authentication for the full token resolution flow.

Request format¶

All requests use POST with a JSON body. Set the Content-Type header:

Content-Type: application/json

Response format¶

All responses are JSON. A successful discovery response looks like this:

{
    "results": [
        {
            "metadata": {
                "service": "ec2",
                "service_label": "EC2 Instances",
                "provider": "aws",
                "region": "eu-west-2",
                "count": 3,
                "timestamp": "2026-03-28T14:30:00Z"
            },
            "columns": [
                { "key": "name", "label": "Name" },
                { "key": "instance_id", "label": "Instance ID" },
                { "key": "state", "label": "State" }
            ],
            "rows": [
                { "name": "web-1", "instance_id": "i-0abc123def", "state": "running" },
                { "name": "web-2", "instance_id": "i-0def456abc", "state": "running" },
                { "name": "worker-1", "instance_id": "i-0ghi789jkl", "state": "stopped" }
            ]
        }
    ]
}

Endpoints¶

Method	Path	Description
`POST`	`/discovery`	Discover cloud resources. Accepts a batch of service requests.
`GET`	`/keys`	List your access keys. Requires session auth.
`POST`	`/keys`	Create a new access key. Requires session auth.
`DELETE`	`/keys/{grant_id}`	Revoke an access key. Requires session auth.

Rate limits¶

Access keys may have per-key rate limits (requests per minute). If you exceed the limit, the API returns 429 Too Many Requests. Default limits depend on your plan tier.

CORS¶

The API supports CORS for browser-based requests. Embed keys with allowed_origins constraints return the matching origin in the Access-Control-Allow-Origin header.

Quick example¶

curlPythonJavaScript

curl -X POST https://api.lightpane.cloud/discovery \
  -H "Authorization: Bearer csl_ak_YOUR_KEY_HERE" \
  -H "Content-Type: application/json" \
  -d '{
    "services": [{
      "service": "s3",
      "provider": "aws",
      "region": "eu-west-2",
      "attributes": ["bucket_name", "creation_date", "region"]
    }]
  }'

import requests

response = requests.post(
    "https://api.lightpane.cloud/discovery",
    headers={
        "Authorization": "Bearer csl_ak_YOUR_KEY_HERE",
        "Content-Type": "application/json"
    },
    json={
        "services": [{
            "service": "s3",
            "provider": "aws",
            "region": "eu-west-2",
            "attributes": ["bucket_name", "creation_date", "region"]
        }]
    }
)

data = response.json()
for result in data["results"]:
    print(result["metadata"]["service_label"])
    for row in result["rows"]:
        print(row)

const response = await fetch('https://api.lightpane.cloud/discovery', {
    method: 'POST',
    headers: {
        'Authorization': 'Bearer csl_ak_YOUR_KEY_HERE',
        'Content-Type': 'application/json'
    },
    body: JSON.stringify({
        services: [{
            service: 's3',
            provider: 'aws',
            region: 'eu-west-2',
            attributes: ['bucket_name', 'creation_date', 'region']
        }]
    })
});

const data = await response.json();
console.log(data.results);