Security Token Service (STS)

The MinIO Security Token Service (STS) APIs allow applications to generate temporary credentials for accessing the MinIO deployment.

The STS API is required for MinIO deployments configured to use external identity managers, as the API allows conversion of the external IDP credentials into AWS Signature v4-compatible credentials.

STS API Endpoints

MinIO supports the following STS API endpoints:


Supported IDP



OpenID Connect

Generates an access key and secret key using the JWT token returned by the OIDC provider


Active Directory / LDAP

Generates an access key and secret key using the AD/LDAP credentials specified to the API endpoint.


MinIO Identity Plugin

Generates a token for use with an external identity provider and the MinIO Identity Plugin.