The key server can run on AWS Lambda behind API Gateway. Lambda scales to zero when idle and scales automatically under load — no containers to manage.
When to use Lambda
Quick start
Install the keys package:
Create your Lambda handler:
Deploy with SAM, CDK, or the Serverless Framework.
Full example with authentication
SAM template
Minimal template.yaml for API Gateway HTTP API + Lambda:
Never store MASTER_KEY or SALT as plaintext in your template. Use AWS Secrets Manager, Systems Manager Parameter Store, or Lambda encrypted environment variables.
Endpoints
The Lambda key server exposes:
Leases on Lambda
The in-memory LeaseStore does not work across Lambda invocations — each invocation may run in a different execution context. Use the Postgres lease store instead:
The Postgres connection pool persists across warm Lambda invocations, so connections are reused efficiently.
You can also implement your own LeaseStore against any persistent backend — the interface is provider-agnostic.
Differences from Docker
Security
Do not enable API Gateway’s built-in CORS when using the Lambda adapter. The adapter handles CORS internally via corsOrigins. Enabling both causes duplicate or conflicting Access-Control-Allow-Origin headers.
- Store key material in AWS Secrets Manager or Systems Manager Parameter Store — not as plaintext environment variables in your SAM/CDK template
- Use Lambda resource policies or API Gateway authorizers for additional auth layers
- Enable CloudWatch logging for key request auditing
Player configuration
The player connects to a Lambda key server the same way as Docker — just point to the API Gateway URL:
When to choose Docker instead
Use the Docker key server when:
- You want the bundled presign endpoint without writing custom code
- You want SQLite lease storage (no external database needed)
- You’re already running containers and don’t need serverless scaling
- You want to avoid Lambda cold starts