Access Keys
Access Key ID and Secret Access Key for NFYio S3 API. Create via Console and API. Use with AWS SDK. Scopes: read, write, delete, admin. Security best practices.
NFYio uses Access Key ID and Secret Access Key for S3 API authentication — the same credential model as AWS. Use these keys with the AWS CLI, AWS SDKs, or any S3-compatible client.
Credential Format
- Access Key ID — Public identifier (e.g., AKIAIOSFODNN7EXAMPLE)
- Secret Access Key — Private secret; shown only at creation time
Never commit secrets to version control. Store them in environment variables or a secrets manager.
Creating Access Keys
Web Console
- Log in to the NFYio dashboard
- Go to Settings → Access Keys (or Storage → Access Keys)
- Click Create Access Key
- Enter a name (e.g., production-cli)
- Select scopes (permissions)
- Click Create
- Copy the Secret Access Key immediately — it will not be shown again
API
curl -X POST "https://api.yourdomain.com/v1/access-keys" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ci-cd-pipeline",
    "scopes": ["read:objects", "write:objects"]
  }'
The response includes access_key_id and secret_access_key. The secret is returned only in this create response.
Scopes
Control what the key can do:
| Scope | Description |
|---|---|
| read:objects | GetObject, ListObjects, HeadObject |
| write:objects | PutObject, CopyObject, multipart upload |
| delete:objects | DeleteObject, DeleteObjects |
| admin | Create/delete buckets, manage lifecycle, CORS, policies |
Create keys with minimal required scopes. For example, a read-only reporting key:
{ "scopes": ["read:objects"] }
Using with AWS SDK (JavaScript)
import { S3Client, ListBucketsCommand } from '@aws-sdk/client-s3';

const client = new S3Client({
  endpoint: process.env.NFYIO_STORAGE_ENDPOINT, // https://storage.yourdomain.com
  region: 'us-east-1',
  credentials: {
    accessKeyId: process.env.AWS_ACCESS_KEY_ID,
    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
  },
  forcePathStyle: true, // Required for non-AWS endpoints
});

const { Buckets } = await client.send(new ListBucketsCommand({}));
console.log(Buckets);
Environment Variables
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_ENDPOINT_URL=https://storage.yourdomain.com
Then in code:
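import { S3Client } from '@aws-sdk/client-s3';

// Endpoint and credentials come from the environment variables exported above
const client = new S3Client({
  endpoint: process.env.AWS_ENDPOINT_URL,
  region: 'us-east-1',
  credentials: {
    accessKeyId: process.env.AWS_ACCESS_KEY_ID,
    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
  },
  forcePathStyle: true,
});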
Using with AWS CLI
# Configure profile
aws configure --profile nfyio
# AWS Access Key ID: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key: wJalrXUtn...
# Default region: us-east-1
# Use with endpoint
aws s3 ls --profile nfyio --endpoint-url https://storage.yourdomain.com
Or via environment:
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_ENDPOINT_URL=https://storage.yourdomain.com
aws s3 ls --endpoint-url "$AWS_ENDPOINT_URL"
Security Best Practices
1. Rotate Keys Every 90 Days
Create a new key, update your applications, then revoke the old key. Never reuse revoked keys.
2. Use Environment Variables
# .env (never commit)
AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
Load in your app:
require('dotenv').config();
// process.env.AWS_ACCESS_KEY_ID, process.env.AWS_SECRET_ACCESS_KEY
3. Never Commit Secrets
Add to .gitignore:
.env
.env.local
*.pem
Use pre-commit hooks or secret scanning to catch accidental commits.
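One way to implement such a pre-commit check, as an added example rather than NFYio code: it scans only the added lines of a staged diff and reports redacted matches with file and line. It assumes NFYio keys follow the AWS-style shapes shown on this page; the file name scan-keys.js and the --stdin flag are hypothetical.

```javascript
// Added example, not NFYio code. Assumes AWS-style key shapes as shown on this
// page: a 20-char ID starting with "AKIA" and a 40-char base64-like secret.
const KEY_ID = /\bAKIA[A-Z0-9]{16}\b/g;
const SECRET = /secret_?access_?key["']?\s*[:=]\s*["']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])/gi;
// Keep only the first 4 characters so the report never repeats a full key.
const redact = (s) => s.slice(0, 4) + '*'.repeat(s.length - 4);

// Walk a unified diff and return findings for added ("+") lines only.
function scanDiff(diffText) {
  const findings = [];
  let file = null, lineNo = 0;
  for (const line of diffText.split('\n')) {
    let m;
    if ((m = /^\+\+\+ (?:b\/)?(.+)$/.exec(line))) { file = m[1]; continue; }
    if ((m = /^@@ -\d+(?:,\d+)? \+(\d+)/.exec(line))) { lineNo = Number(m[1]); continue; }
    if (line.startsWith('-')) continue; // removed lines do not exist in the new file
    if (line.startsWith('+')) {
      for (const hit of line.matchAll(KEY_ID))
        findings.push({ file, line: lineNo, kind: 'access-key-id', match: redact(hit[0]) });
      for (const hit of line.matchAll(SECRET))
        findings.push({ file, line: lineNo, kind: 'secret-access-key', match: redact(hit[1]) });
    }
    lineNo++; // added and context lines both advance the new-file line number
  }
  return findings;
}

// Constructed sample diff; the key values are the documentation examples from this page.
const SAMPLE_DIFF = [
  '--- a/deploy.sh',
  '+++ b/deploy.sh',
  '@@ -3,3 +3,5 @@',
  ' set -e',
  '-export AWS_ACCESS_KEY_ID=...',
  '+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
  '+export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
  ' aws s3 ls',
].join('\n');

// Hook mode: git diff --cached | node scan-keys.js --stdin  (exit code 1 on a hit)
if (process.argv.includes('--stdin')) {
  let input = '';
  process.stdin.setEncoding('utf8').on('data', (c) => { input += c; }).on('end', () => {
    const found = scanDiff(input);
    for (const f of found) console.error(`${f.file}:${f.line} ${f.kind} ${f.match}`);
    process.exitCode = found.length ? 1 : 0;
  });
} else {
  console.log(scanDiff(SAMPLE_DIFF)); // demo run on the constructed sample
}
```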
4. Least Privilege
Grant only the scopes needed. A backup script needs read:objects; a web upload form needs write:objects (and possibly read:objects for presigned URL generation).
5. Separate Keys per Environment
Use different keys for development, staging, and production. If a development key is compromised, you can revoke it without affecting production.
6. Monitor Usage
Check audit logs for unusual access patterns. Revoke keys that are no longer in use.
Revoking Keys
Revoke a key immediately if it may be compromised:
- Web Console — Access Keys → select key → Revoke
- API — DELETE /v1/access-keys/:id
After revocation, requests with that key return 403 Forbidden.
Next Steps
- Working with Objects — Upload and download with your keys
- Presigned URLs — Temporary URLs without exposing keys
- CORS Configuration — Enable browser-based uploads