Skip to content

Access Keys & Constraints

Access keys authenticate requests to the LightPane API. Each key is an access grant that specifies which cloud accounts and services the holder can discover, with optional constraints that restrict how and from where the key can be used.

Key types

Type Prefix Use case Typical lifetime
Embed csl_em_ Web pages where viewers are not logged into LightPane 1 year
API key csl_ak_ Scripts, CI/CD, Excel, automation 30 days
Demo csl_dm_ Public demo pages Indefinite

Token format

Keys are 32-byte cryptographically random values, base64url-encoded, with a type prefix:

csl_em_8Gk4lM0nO3qR5sT7uV9wX1yZ2aB4cD6eF8gH0iJ

The prefix helps identify key type at a glance and enables secret scanning tools (GitHub, GitGuardian) to detect leaked tokens.

Token storage

Raw tokens are never stored by LightPane. Only the SHA-256 hash is saved. When you create a key, the raw token is shown once and cannot be retrieved again.

Token in page source is acceptable

For embed keys, the token is visible in the HTML source. This is the same model used by:

  • Google Maps API keys — visible in page source, restricted by HTTP referrer
  • Stripe publishable keys — visible in client code, scoped to read-only operations
  • Analytics tracking IDs — completely public, restricted by domain

Security comes from server-side constraints, not token secrecy.

Constraints

Each key can have server-side constraints that are validated on every request:

Origin restriction

Restrict the key to specific domains. The API checks the Origin and Referer headers:

{
    "allowed_origins": [
        "https://status.acmecorp.com",
        "https://dashboard.acmecorp.com"
    ]
}

The Origin header is set by browsers and cannot be spoofed from JavaScript (it is a forbidden header in the Fetch specification).

IP restriction

Restrict the key to specific IP addresses or CIDR ranges:

{
    "allowed_ips": ["203.0.113.0/24", "198.51.100.42"]
}

Useful for CI/CD runners and automation scripts running from known infrastructure.

Rate limiting

Limit requests per minute:

{
    "rate_limit_rpm": 30
}

Batch size limit

Limit the number of services per request:

{
    "max_batch_size": 5
}

Require Referer

Block requests that do not include a Referer header:

{
    "require_referer": true
}

This prevents casual use of an embed key with curl or Postman while allowing normal browser requests.

Defence in depth

Multiple layers protect against misuse, even if a token is exposed:

Layer What it prevents
Origin/Referer check Use from unauthorised domains
Rate limiting Bulk data extraction, cost amplification
Service scoping Discovery of services the key should not access
Cloud binding scoping Access to cloud accounts the key is not bound to
Monitoring and revocation Alert on unusual patterns, one-click revoke
Token rotation Create a new key and revoke the old one at any time

Scope

Each key has two scope dimensions:

Cloud bindings — which cloud accounts (AWS accounts, GCP projects, Azure subscriptions) the key can access. A key can only access accounts selected at creation time, which must be a subset of the creator's linked accounts.

Service scope — which services the key can discover. ["*"] for all services, or a specific list:

{
    "allowed_services": ["ec2", "s3", "lambda_functions"]
}

Key lifecycle

  • Create: In the LightPane app or via the Key Management API
  • Use: Include in Authorization: Bearer header or SDK accessKey config
  • Monitor: Check last_used_at in the key list
  • Revoke: Immediate — stops all requests using this key
  • Rotate: Create a new key, update your page/script, revoke the old key