Skip to main content
The key server can run on AWS Lambda behind API Gateway. Lambda scales to zero when idle and scales automatically under load — no containers to manage.

When to use Lambda

Quick start

Install the keys package:
Create your Lambda handler:
Deploy with SAM, CDK, or the Serverless Framework.

Full example with authentication

SAM template

Minimal template.yaml for API Gateway HTTP API + Lambda:
Never store MASTER_KEY or SALT as plaintext in your template. Use AWS Secrets Manager, Systems Manager Parameter Store, or Lambda encrypted environment variables.

Endpoints

The Lambda key server exposes:

Leases on Lambda

The in-memory LeaseStore does not work across Lambda invocations — each invocation may run in a different execution context. Use the Postgres lease store instead:
The Postgres connection pool persists across warm Lambda invocations, so connections are reused efficiently. You can also implement your own LeaseStore against any persistent backend — the interface is provider-agnostic.

Differences from Docker

Security

Do not enable API Gateway’s built-in CORS when using the Lambda adapter. The adapter handles CORS internally via corsOrigins. Enabling both causes duplicate or conflicting Access-Control-Allow-Origin headers.
  • Store key material in AWS Secrets Manager or Systems Manager Parameter Store — not as plaintext environment variables in your SAM/CDK template
  • Use Lambda resource policies or API Gateway authorizers for additional auth layers
  • Enable CloudWatch logging for key request auditing

Player configuration

The player connects to a Lambda key server the same way as Docker — just point to the API Gateway URL:

When to choose Docker instead

Use the Docker key server when:
  • You want the bundled presign endpoint without writing custom code
  • You want SQLite lease storage (no external database needed)
  • You’re already running containers and don’t need serverless scaling
  • You want to avoid Lambda cold starts