Guides
  1. documentation

Authentication

MamuteCloud uses two authentication models. The management REST API accepts Bearer JWT or API Key. The S3 data plane uses Access Key plus Secret Access Key pairs through any standard AWS S3 SDK.

MamuteCloud exposes two authentication models. Choose the right one for the operation you are performing.

1. Management API

Use the management API for everything that is not raw object I/O: CDN distributions, DNS zones and records, SSL certificates, organization and user settings, IAM and API keys, billing and analytics, and the storage admin endpoints (creating buckets, generating S3 credentials, listing files metadata).

Pick one of two credentials:

  • Bearer JWT — issued by the dashboard for an authenticated user session. Send it as:

    Authorization: Bearer <jwt>

  • Project API Key — long-lived programmatic credential generated via POST /security/apikey. Send it as:

    X-API-Key: <api-key>

Example: list DNS zones with an API key.

curl https://api.mamutecloud.com/dns/zones \
  -H "X-API-Key: $MAMUTECLOUD_API_KEY"

The management API base URL is https://api.mamutecloud.com.

2. S3 Data Plane

Use the S3 data plane for object operations on a bucket — uploading, downloading, listing, deleting, multipart uploads, and similar s3:* actions. These operations do not use the project API key or the Bearer JWT. They use an AWS-style access_key_id + secret_access_key pair scoped to a single bucket.

Step 1 — Create the bucket via the management API

curl -X POST https://api.mamutecloud.com/storage/object-storage/buckets \
  -H "X-API-Key: $MAMUTECLOUD_API_KEY" \
  -H "content-type: application/json" \
  -d '{"name": "my-app-uploads", "storage_class": "Standard"}'

Step 2 — Generate S3 credentials for that bucket

curl -X POST "https://api.mamutecloud.com/storage/object-storage/buckets/${BUCKET_ID}/credentials" \
  -H "X-API-Key: $MAMUTECLOUD_API_KEY" \
  -H "content-type: application/json"

The response includes the access_key_id and secret_access_key. Store both securely — the secret is only returned once.

Step 3 — Use any AWS S3 SDK against the MamuteCloud proxy endpoint

Point the SDK's endpoint parameter at the MamuteCloud S3-compatible URL and pass the credentials from step 2.

Node.js (@aws-sdk/client-s3)

import { S3Client, PutObjectCommand } from "@aws-sdk/client-s3";

const s3 = new S3Client({
  endpoint: "https://s3-us-east-1.mamutecloud.com",
  region: "us-east-1",
  credentials: {
    accessKeyId: process.env.MAMUTECLOUD_S3_ACCESS_KEY,
    secretAccessKey: process.env.MAMUTECLOUD_S3_SECRET_KEY,
  },
  forcePathStyle: true,
});

await s3.send(new PutObjectCommand({
  Bucket: "my-app-uploads",
  Key: "hello.txt",
  Body: "Hello MamuteCloud",
}));

Python (boto3)

import boto3

s3 = boto3.client(
    "s3",
    endpoint_url="https://s3-us-east-1.mamutecloud.com",
    aws_access_key_id=os.environ["MAMUTECLOUD_S3_ACCESS_KEY"],
    aws_secret_access_key=os.environ["MAMUTECLOUD_S3_SECRET_KEY"],
    region_name="us-east-1",
)

s3.put_object(Bucket="my-app-uploads", Key="hello.txt", Body=b"Hello MamuteCloud")

Go (aws-sdk-go-v2)

cfg, _ := config.LoadDefaultConfig(ctx,
    config.WithRegion("us-east-1"),
    config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(
        os.Getenv("MAMUTECLOUD_S3_ACCESS_KEY"),
        os.Getenv("MAMUTECLOUD_S3_SECRET_KEY"),
        "",
    )),
)
client := s3.NewFromConfig(cfg, func(o *s3.Options) {
    o.BaseEndpoint = aws.String("https://s3-us-east-1.mamutecloud.com")
    o.UsePathStyle = true
})

Credential lifecycle

The same management API exposes lifecycle operations for S3 credentials:

  • GET /storage/object-storage/buckets/{bucketId}/credentials — list credentials for a bucket.
  • POST /storage/object-storage/buckets/{bucketId}/credentials/{accessKeyId}/deactivate — temporarily disable a credential without losing it.
  • POST /storage/object-storage/buckets/{bucketId}/credentials/{accessKeyId}/activate — re-enable a previously deactivated credential.
  • POST /storage/object-storage/buckets/{bucketId}/credentials/{accessKeyId}/regenerate — rotate the secret (returns a new secret, invalidates the previous one).
  • DELETE /storage/object-storage/buckets/{bucketId}/credentials/{accessKeyId} — permanently delete the credential.

Which credential should I use?

  • Are you calling https://api.mamutecloud.com/...? → Bearer JWT or X-API-Key.
  • Are you uploading or downloading objects (or using an AWS S3 SDK)? → Access Key + Secret, scoped per bucket.
  • Are you using the dashboard? → It already uses a Bearer JWT under the hood.

Security notes

  • The project API key has full management privileges. Treat it like a password and rotate via POST /security/apikey if leaked.
  • S3 credentials are bucket-scoped — leaking one credential exposes only its bucket. Prefer creating a dedicated credential per environment or workload.
  • Use deactivate for temporary suspension and regenerate to rotate without redeploying calling code (only the secret changes, the access key ID remains stable).
  • Never embed secrets in client-side code or public repositories.

Updated 1 day ago