Hosts
| Environment | Host |
|---|---|
| Pre-production | https://storage-authorization.acc.cleverbase.com |
| Production | https://storage-authorization.cleverbase.com |
OpenAPI / Swagger
An interactive Swagger UI is available at /swagger-ui/index.html on each host:
- Pre-production: https://storage-authorization.acc.cleverbase.com/swagger-ui/index.html
- Production: https://storage-authorization.cleverbase.com/swagger-ui/index.html
Credentials
POST /v1/credentials
Description
Provisions an S3 bucket for the authenticated client–user pair (if it does not yet exist) and returns temporary S3-compatible credentials scoped exclusively to that bucket. Subsequent calls return fresh credentials for the same bucket.
Input headers
| Header | Presence | Value | Description |
|---|---|---|---|
| Authorization | REQUIRED | String | Must be of type Bearer. The access token must have been issued with scope com.cleverbase.storage. |
Response — 200 OK
Credentials issued successfully.
| Field | Type | Description |
|---|---|---|
bucket | String | Name of the S3 bucket assigned to this client–user pair. |
endpoint | String | Base URL of the S3-compatible storage server. Use this as the endpoint URL in your S3 client. |
credentials.accessKeyId | String | Temporary AWS-style access key ID. |
credentials.secretAccessKey | String | Temporary secret access key. |
credentials.sessionToken | String | Session token required alongside the access key. Pass this as AWS_SESSION_TOKEN in your S3 SDK or CLI. |
credentials.expiration | String | ISO 8601 timestamp indicating when the credentials expire. Default lifetime is 1 hour. |
Permitted S3 operations
The credentials are restricted via an inline session policy to the following operations on the assigned bucket only:
s3:GetObjects3:PutObjects3:DeleteObjects3:ListBucket
Error responses
All error responses use the RFC 9457 Problem Details format.
| Field | Type | Description |
|---|---|---|
type | URI | URI identifying the problem type. |
title | String | Short, human-readable summary. |
status | Integer | HTTP status code. |
detail | String | Human-readable explanation of this occurrence. |
instance | URI | URI identifying this specific occurrence. |
| Status | Cause |
|---|---|
400 | Bearer token is missing required claims (sub or client_id). |
401 | The Authorization header is absent or the token is invalid / inactive. |
500 | Unexpected internal error. |
502 | The identification or storage service is unavailable. |
Examples
-
Sample request
POST /v1/credentials HTTP/1.1 Host: storage-authorization.cleverbase.com Authorization: Bearer <access_token> -
Sample response
HTTP/1.1 200 OK Content-Type: application/json { "bucket": "97f836e151c8ef6bf8bed303d6dd0bc7e54e131dc608bc24e460faf07bcf123", "endpoint": "https://storage.cleverbase.com", "credentials": { "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "sessionToken": "FwoGZXIvY...", "expiration": "2026-03-15T14:00:00Z" } } -
Using the credentials (AWS CLI)
export AWS_ACCESS_KEY_ID=<accessKeyId> export AWS_SECRET_ACCESS_KEY=<secretAccessKey> export AWS_SESSION_TOKEN=<sessionToken> # Upload a file aws s3 cp file.txt s3://<bucket>/file.txt --endpoint-url <endpoint> # List bucket contents aws s3 ls s3://<bucket> --endpoint-url <endpoint>