Destination type

AWS S3 Destination

Use AWS S3 destinations to archive routed events as objects in a client-provided S3 bucket for audit trails, recovery, lake ingestion, or downstream batch workflows.

AWS_S3Client AWS S3 bucketPOSTStorage
All destination typesDestinations docs
AWS S3 destination delivery flowFastHook routes accepted events through a connection to a AWS S3 destination and stores delivery attempt evidence.AcceptedRequestsource verifiedConnectionRoute branchfilters and transformsretry policyAWS_S3AWS S3Client AWS S3 bucketPOSTAttemptEvidencestatus + bodyDestination config owns target, auth, method, rate limit, disabled state, and delivery attempt evidence.
For HTTP destinations, FastHook sends the configured method to the receiver URL and stores response status, body, latency, and retry evidence.

When to use this destination type

Choose AWS_S3 when the receiver target is Client AWS S3 bucket. Destinations are outbound delivery targets: they do not decide whether a source request should be accepted, and they do not own connection filters or transformations. They own where the final delivery goes and how FastHook should authenticate, pace, disable, and inspect that delivery.

A destination can be reused by multiple connections when several source branches should feed the same receiver. Reuse keeps receiver capacity, credentials, and attempt evidence attached to one destination id.

FastHook dashboard fields

In the dashboard, create a destination, set Destination Type to AWS_S3, then fill the fields below.

AWS region

Region for the target S3 bucket and request signing.

Bucket

Client S3 bucket to write objects into.

S3 endpoint

Optional custom S3 endpoint. Leave blank for the AWS regional endpoint.

Force path-style URL

Use endpoint/bucket/key addressing for buckets or compatible endpoints that require it.

Access Key ID

AWS access key ID with write access to the bucket.

Secret Access Key

AWS secret access key for signing PutObject requests.

Session token

Optional token for temporary STS credentials.

Object key template

S3 object key template using FastHook tokens such as {{team_id}}, {{source_id}}, {{event_id}}, and payload paths.

Content type

Stored object media type, usually application/json or text/plain.

Body template

Optional custom stored body. Leave empty to store the standard metadata and payload JSON envelope.

Include metadata

Controls standard envelope metadata when body template is empty.

Max delivery rate

Optional pacing for archive writes.

API config fields

The REST API stores destination-specific behavior under config. Use PATCH for focused edits and PUT only when your request contains the full config you want to keep.

config.region

Required AWS region used for Signature Version 4 signing, such as eu-central-1.

config.endpoint

Optional S3 endpoint. Defaults to https://s3.<region>.amazonaws.com.

config.bucket

Required client S3 bucket name.

config.force_path_style

Optional boolean for path-style S3 URLs instead of virtual-hosted bucket URLs.

config.key_template

Required S3 object key template. Defaults to archives/{{team_id}}/{{source_id}}/{{event_id}}.json.

config.content_type

Object content type. Defaults to application/json.

config.body_template

Optional archive body template. When omitted, FastHook stores a JSON envelope with metadata and payload.

config.include_metadata

Optional boolean. When body_template is empty, controls whether metadata is included with the stored payload.

config.auth_type

Use AWS_ACCESS_KEY.

config.auth.access_key_id

Required AWS Access Key ID.

config.auth.secret_access_key

Required AWS Secret Access Key.

config.auth.session_token

Optional session token for temporary AWS credentials.

config.rate_limit

Optional delivery pacing for archive writes.

config.rate_limit_period

Rate-limit period: second, minute, or hour.

AWS S3 destination config
{
  "name": "event-s3-archive",
  "type": "AWS_S3",
  "config": {
    "region": "eu-central-1",
    "endpoint": "https://s3.eu-central-1.amazonaws.com",
    "bucket": "client-bucket",
    "force_path_style": false,
    "key_template": "archives/{{team_id}}/{{source_id}}/{{event_id}}.json",
    "content_type": "application/json",
    "body_template": null,
    "include_metadata": true,
    "auth_type": "AWS_ACCESS_KEY",
    "auth": {
      "access_key_id": "your-aws-access-key-id",
      "secret_access_key": "your-aws-secret-access-key"
    },
    "rate_limit": null,
    "rate_limit_period": "second"
  }
}
Create AWS S3 destination with cURL
curl -X POST "https://api.fasthook.io/v1/destinations" \
  -H "Authorization: Bearer $FASTHOOK_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
  "name": "event-s3-archive",
  "type": "AWS_S3",
  "config": {
    "region": "eu-central-1",
    "endpoint": "https://s3.eu-central-1.amazonaws.com",
    "bucket": "client-bucket",
    "force_path_style": false,
    "key_template": "archives/{{team_id}}/{{source_id}}/{{event_id}}.json",
    "content_type": "application/json",
    "body_template": null,
    "include_metadata": true,
    "auth_type": "AWS_ACCESS_KEY",
    "auth": {
      "access_key_id": "your-aws-access-key-id",
      "secret_access_key": "your-aws-secret-access-key"
    },
    "rate_limit": null,
    "rate_limit_period": "second"
  }
}'

Authentication

Destination authentication is outbound. It helps the receiver trust or accept FastHook delivery, and it is separate from source authentication that verifies the original webhook producer.

  • AWS access key with s3:PutObject permission
  • Optional temporary session token

HTTP methods and rate limit

This destination type uses the methods below for delivery attempts. Rate limits apply at the destination boundary, so every connection that targets the same destination shares that capacity.

POST

Rate limit: Optional. Configure a max archive write rate per second, minute, or hour.

Delivery behavior

  • FastHook signs a PutObject request with AWS Signature Version 4 and writes the routed payload to the configured client S3 bucket.
  • Without a body_template, the stored object is a JSON envelope with delivery metadata and the parsed payload when possible.
  • With a body_template, FastHook renders the template and stores the rendered body using the configured content type.
  • If a connection has no transformation, the archive stores the original routed payload. If a transformation runs first, the archive stores the transformed payload.
  • Successful attempts store a requested URL like s3://bucket/archives/... so the object key is visible in delivery evidence.

Setup checklist

  1. Create or choose a client S3 bucket and an IAM access key with s3:PutObject permission for that bucket.
  2. Create a FastHook destination and choose AWS_S3 as the destination type.
  3. Set AWS region, bucket, access key ID, and secret access key.
  4. Leave endpoint blank for AWS S3, or set a custom HTTPS S3-compatible endpoint when required.
  5. Set an object key template such as archives/{{team_id}}/{{source_id}}/{{event_id}}.json.
  6. Keep content type as application/json unless body_template produces another format.
  7. Connect one or more sources to the S3 destination, adding transformations only when you want to archive transformed payloads.

Troubleshooting

Attempts fail with 403 or SignatureDoesNotMatch.

Check region, endpoint, bucket, access key ID, secret access key, session token, and IAM permissions for s3:PutObject.

Attempts fail because the object key is invalid.

Check config.key_template. It must render to a relative S3 object key, cannot be empty, and cannot contain .. path segments.

Archived body is not the original inbound request.

Check the connection rules. A transformation before the destination changes the payload that S3 stores.

Endpoint or bucket addressing fails.

Use force_path_style for endpoints or bucket names that cannot be addressed as bucket.endpoint.

Related docs