Valet Key
Valet Key issues a scoped, short-lived token so clients access a specific storage resource directly, offloading bulk transfer from app servers. It improves scalability with least-privilege access but requires careful scope and short expiry.
The Valet Key pattern gives a client a token that grants restricted, time-bound, direct access to a specific resource, typically in a storage service. The client then reads or writes the data directly, bypassing the application for the bulk transfer.
The problem is that routing large uploads and downloads through application servers wastes compute and bandwidth and limits scalability. At the same time, you cannot simply hand clients full storage credentials.
How It Works
When a client needs to transfer data, it asks the application, which authenticates and authorizes the request. The application then generates a narrowly scoped credential, such as an AWS S3 pre-signed URL or an Azure Storage shared access signature (SAS). The token is limited to one resource, specific operations (read or write), and a short expiry. The client uses it to access storage directly. After expiry or revocation, the token is useless.
This is like a valet key for a car: it lets the valet drive and park but not open the trunk or glovebox. The application never sees the bulk data and never exposes its master keys.
When to Use It
Use it for direct upload and download of large objects (media, backups, documents) where proxying through the app is wasteful. Use it when clients need temporary, least-privilege access to a single resource without long-lived credentials.
Avoid it when fine-grained server-side processing of every byte is required during transfer, or when the storage service cannot issue scoped tokens.
Trade-offs
Tokens, once issued, are valid until they expire and are hard to revoke individually for many backends, so keep expiry short. If the token leaks before expiry, an attacker can use it within its scope; tight scoping limits the blast radius. The application loses the ability to inspect or transform data in transit.
Misconfiguration (overly broad scope or long expiry) is a common security mistake and should be caught in review.
Related Patterns
It pairs with Claim Check, where the valet key grants access to the externally stored payload. Gatekeeper validates and brokers requests before keys are issued. Federated Identity establishes who the client is before authorization.
Example
A photo app lets users upload images directly to cloud storage. The browser requests an upload slot; the backend verifies the user's quota and returns an S3 pre-signed PUT URL scoped to one object key, allowing PUT only, valid for five minutes. The browser uploads the file straight to S3. The application servers never handle the image bytes, so a viral upload event scales on storage capacity rather than app-server bandwidth.