Kraterion
Try Kraterion →

Storage

API keys

Kraterion uses two kinds of credentials. Picking the right one depends on which surface you're calling.

Two credential types

S3 keys are AWS-style access key / secret pairs used to sign requests to the storage API. Bearer tokens are kr_live_… / kr_test_… strings used for the REST control API, agent chat, and MCP. They are not interchangeable.

S3 keys

An S3 key is an access key id starting with AKIA (20 characters) plus a 40-character secret. You use it to sign requests to s3.kraterion.com with SigV4, exactly like an AWS key. See the S3 API.

Bearer tokens

A bearer token goes in an Authorization: Bearer … header. Use it for control-plane endpoints (buckets, knowledge, agents), the agent chat API, and MCP. The kr_live_ and kr_test_ prefixes tell you which network the token is bound to.

Generating

Create either type from the dashboard, or over the API. The secret (or token) is returned once at creation time and never again — store it somewhere safe.

curl -X POST https://api.kraterion.com/v1/projects/<project_id>/api-keys \
  -H "Authorization: Bearer kr_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "name": "uploader" }'
# → { "api_key": { "access_key_id": "AKIA..." }, "secret": "..." }

Revoking

Revoke any key with POST /v1/api-keys/:id/revoke. A revoked key stops working immediately for new requests.

Which key goes where

  • S3 API (s3.kraterion.com) → S3 key, SigV4.
  • REST, agent chat (api.kraterion.com) → bearer token.
  • MCP (mcp.kraterion.com) → bearer token (or OAuth). S3 keys do not work on MCP.