Amazon S3 server-side encryption

Amazon Web Services provides a server-side encryption feature you can use when uploading OpenTok archives to an S3 target.

This uses Amazon S3-managed encryption keys for encryption. For more information, see this Amazon Web Services documentation. (OpenTok supports using only Amazon S3-managed encryption keys and not KMS or customer-provided keys.)

To use this feature, set the sse property to "s3" when you call the OpenTok REST API to set the OpenTok archive upload target.

Submit an HTTP PUT request to the following URL:<apiKey>/archive/storage

Replace <apiKey> with your OpenTok API key.

Authenticate the REST API request using a custom HTTP header: X-OPENTOK-AUTH. Set this to a JSON Web Token (see the OpenTok REST API documentation):

X-OPENTOK-AUTH: <JSON_web_token>

Include a JSON object as the request body:

{
  "type": "s3",
  "config": {
    "bucket": "",
    "endpoint": "",
    "secretKey": "BvKwyshsmEATx5mngeloHwgKrYMbP+",
    "accessKey": "AWFS7BAO536E6MXA",
    "sse": "s3"
  },
  "fallback": "none"
}

Set bucket to the name of the Amazon S3 bucket you want to use for archive upload. Set the secretKey and accessKey properties to the Amazon S3 secret key and access key for that bucket.

Set the endpoint property if you want to use an S3-compliant storage provider other than Amazon. This is optional. Set this to the endpoint base URL, including the protocol (http or https), such as "". The default endpoint is "" (the Amazon S3 endpoint URL).

Set the sse property to "s3" to use Amazon S3 server-side encryption. Set the sse property to "none" to upload archives to a non-encrypted S3 bucket.

Set the fallback property to "none" to prevent archive files from being stored in the OpenTok cloud if the upload fails. Set the property to "opentok" to have the archive available at the OpenTok dashboard if upload fails.

REST API responses

A response with status code 200 indicates success.

A response with a 400 status code indicates that you have included invalid JSON data or that you did not specify the upload target.

A response with a 403 status code indicates you passed in an invalid OpenTok API key or API secret.


The following command line example securely sets the server-side encryption flag for TokBox to use when archives are uploaded to an Amazon S3 bucket:

data='{"type":"s3","config":{"bucket": "your-s3-bucket","secretKey": "your-s3-secret-key","accessKey": "your-s3-access-key","sse" : "s3"}, "fallback" : "none"}'
curl \
     -i \
     -H "Content-Type: application/json" \
     -X PUT \
     -H "X-OPENTOK-AUTH:$json_web_token" \
     -d "$data" \$api_key/archive/storage

Set the value for api_key to your OpenTok API key. Set the value for json_web_token to a JSON Web Token. Set the values for your-s3-bucket and your-s3-access-key to credentials that have appropriate access to your Amazon S3 account.
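A pre-flight check for the request body described above, written as an added example (not OpenTok or Vonage code). It audits the body against the property values documented on this page, taking sse "s3" and fallback "none" as the baseline, and builds the PUT request without sending it. The function names, the sample bodies, and the url argument are assumptions; pass the storage URL given in the OpenTok REST API documentation.

```python
import json
import urllib.request

ALLOWED_SSE = {"s3", "none"}            # values documented on this page
ALLOWED_FALLBACK = {"none", "opentok"}  # values documented on this page


def audit_upload_target(body):
    """Return a list of findings for an upload-target body; empty means clean."""
    findings = []
    config = body.get("config") or {}
    if body.get("type") != "s3":
        findings.append('type must be "s3"')
    for key in ("bucket", "accessKey", "secretKey"):
        if not config.get(key):
            findings.append(f"config.{key} is missing or empty")
    sse = config.get("sse")
    if sse is not None and sse not in ALLOWED_SSE:
        findings.append(f"config.sse {sse!r} is not a documented value")
    elif sse != "s3":
        findings.append("config.sse is not s3: server-side encryption not requested")
    endpoint = config.get("endpoint")  # optional, for S3-compliant providers
    if endpoint is not None and not endpoint.startswith(("http://", "https://")):
        findings.append("config.endpoint must include the protocol")
    elif endpoint is not None and endpoint.startswith("http://"):
        findings.append("config.endpoint uses http: upload traffic is unencrypted")
    fallback = body.get("fallback")
    if fallback not in ALLOWED_FALLBACK:
        findings.append(f"fallback {fallback!r} is not a documented value")
    elif fallback == "opentok":
        findings.append("fallback is opentok: failed uploads stay in the OpenTok cloud")
    return findings


def build_request(url, jwt, body):
    """Build, but do not send, the PUT request; reject a body with findings."""
    findings = audit_upload_target(body)
    if findings:
        raise ValueError("; ".join(findings))
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json", "X-OPENTOK-AUTH": jwt})


# Constructed sample bodies (placeholder bucket and credentials, not real values).
WEAK = {"type": "s3", "config": {"bucket": "example-bucket", "accessKey": "AK_PLACEHOLDER",
        "secretKey": "SK_PLACEHOLDER", "endpoint": "http://storage.example.invalid",
        "sse": "none"}, "fallback": "opentok"}
HARDENED = {"type": "s3", "config": {"bucket": "example-bucket", "accessKey": "AK_PLACEHOLDER",
            "secretKey": "SK_PLACEHOLDER", "sse": "s3"}, "fallback": "none"}
```

In real use, load accessKey and secretKey from a secrets store or the environment rather than a literal in the script, and send the returned request with urllib.request.urlopen.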

For more information, see Using an Amazon S3 bucket with OpenTok archiving.