Create an Access Key

Access keys control what cloud data can be accessed, from where, and by whom. You need one to embed panes or call the API.

Key types

| Type | Prefix | Use case |
|---|---|---|
| Embed | csl_em_ | Web pages that display panes. Viewers do not need a LightPane account. |
| API key | csl_ak_ | Scripts, CI/CD pipelines, Excel/Power Query, automation. |
| Demo | csl_dm_ | Public demo pages with restricted access. |

The prefix has no security function. It helps you identify the key type at a glance and enables secret scanning tools (GitHub, GitGuardian) to detect leaked tokens.

Create a key

  1. Log in to app.lightpane.cloud
  2. Go to Access Keys
  3. Click Create New Key
  4. Fill in the form:

     | Field | Description |
     |---|---|
     | Label | A name you will recognise, e.g. "Production status page" or "Nightly inventory script" |
     | Type | embed, api_key, or demo |
     | Cloud account | Select one or more linked cloud accounts this key can access |
     | Services | All services, or a specific set (e.g. only EC2 and S3) |
     | Expiry | Choose a duration: 30 days, 90 days, 1 year, or custom |

  5. Optionally, add constraints
  6. Click Create

Copy the token immediately

The token is displayed once. It cannot be retrieved again. LightPane stores only a SHA-256 hash of the token — the raw value is not kept.

csl_em_8Gk4lM0nO3qR5sT7uV9wX1yZ2aB4cD6eF8gH0iJ

If you lose the token, revoke the key and create a new one.

Constraints

Constraints restrict how and where a key can be used. They are optional but recommended for embed and demo keys.

| Constraint | What it does | Example |
|---|---|---|
| allowed_origins | Restricts requests to specific domains. Checked against the Origin header, which browsers set automatically and cannot be spoofed from JavaScript. | https://status.example.com |
| allowed_ips | Restricts requests to specific IP addresses or CIDR ranges. | 203.0.113.0/24 |
| rate_limit_rpm | Maximum requests per minute. Prevents abuse and cost amplification. | 30 |
| require_referer | Requires a Referer header. Blocks direct API calls from tools like curl. Useful for embed keys. | true |
| max_batch_size | Maximum number of services in a single batch request. | 5 |

Choosing constraints for your use case

For an embed key, set allowed_origins to the domains where the pane will be displayed. Enable require_referer for an additional layer of protection. Set a rate_limit_rpm to prevent abuse.

{
    "allowed_origins": ["https://status.example.com"],
    "require_referer": true,
    "rate_limit_rpm": 30
}

For an API key, set allowed_ips to the IP range of your CI runners or office network. Set a rate_limit_rpm appropriate for your use case.

{
    "allowed_ips": ["203.0.113.0/24"],
    "rate_limit_rpm": 60
}

For a demo key, set allowed_origins to your marketing domain. Set a low rate_limit_rpm and max_batch_size to control costs.

{
    "allowed_origins": ["https://lightpane.cloud"],
    "rate_limit_rpm": 10,
    "max_batch_size": 5
}
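
To make the effect of these constraints concrete, the following added sketch (not LightPane's code) evaluates one request against a constraints object like the ones above. The function names, the header dictionary, the exact-origin comparison and the 60-second sliding window are assumptions; the constraint names and sample values come from this page.

```python
import ipaddress
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

_hits = defaultdict(deque)  # key id -> timestamps of accepted requests (assumed store)


def _origin(value):
    """Normalise an Origin value to (scheme, host, port); None if malformed."""
    try:
        u = urlsplit(value or "")
        port = u.port or {"https": 443, "http": 80}.get(u.scheme)
    except ValueError:
        return None
    if not u.hostname or port is None or u.path or u.query:
        return None
    return (u.scheme, u.hostname, port)


def check_request(key_id, constraints, headers, client_ip, now=None):
    """Assumed semantics: return (allowed, reason) for one request."""
    now = time.monotonic() if now is None else now
    if (origins := constraints.get("allowed_origins")) is not None:
        # Exact match on the parsed origin: a prefix or substring test would
        # also accept a lookalike such as https://status.example.com.evil.test
        origin = _origin(headers.get("Origin"))
        if origin is None or origin not in {_origin(o) for o in origins}:
            return False, "origin"
    if constraints.get("require_referer") and not headers.get("Referer"):
        return False, "referer"
    if (networks := constraints.get("allowed_ips")) is not None:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(n, strict=False) for n in networks):
            return False, "ip"
    if (limit := constraints.get("rate_limit_rpm")) is not None:
        window = _hits[key_id]
        while window and now - window[0] >= 60:
            window.popleft()  # drop hits older than the one-minute window
        if len(window) >= limit:
            return False, "rate_limit"
        window.append(now)
    return True, "ok"


if __name__ == "__main__":
    embed = {"allowed_origins": ["https://status.example.com"], "require_referer": True, "rate_limit_rpm": 30}
    hdrs = {"Origin": "https://status.example.com", "Referer": "https://status.example.com/"}  # constructed request
    print(check_request("demo-key", embed, hdrs, "198.51.100.7"))
```

Origin and Referer checks bind browsers only, since a non-browser client chooses its own header values; the IP, rate and scoping limits are what still apply in that case.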

Security model

The token is visible in page source for embed and demo keys. This is the same model used by Google Maps API keys and Stripe publishable keys. Security comes from server-side constraints, not token secrecy.

| Layer | What it prevents |
|---|---|
| Origin/Referer check | Requests from unauthorised domains |
| Rate limiting | Bulk data extraction, cost amplification |
| Service scoping | Limits discovery to specific services even if the token leaks |
| Cloud account scoping | Token can only access the accounts it was created for |
| Revocation | One-click revoke from the Access Keys page |

Manage existing keys

Go to Access Keys in your LightPane account to see all keys you have created. Each key shows its label, type, cloud account, creation date, expiry, and the token prefix with the last 4 characters (e.g. csl_em_...0iJ).

You can revoke a key at any time. Revoking a key immediately stops all requests using that token. This cannot be undone — create a new key if needed.

What next