diff --git a/src/api/k2v/api_server.rs b/src/api/k2v/api_server.rs
index 0efa5d8e..39b6f267 100644
--- a/src/api/k2v/api_server.rs
+++ b/src/api/k2v/api_server.rs
@@ -81,7 +81,7 @@ impl ApiHandler for K2VApiServer {
 			return handle_options_s3api(garage, &req, Some(bucket_name)).await;
 		}
 
-		let (api_key, mut content_sha256) = check_payload_signature(&garage, &req).await?;
+		let (api_key, mut content_sha256) = check_payload_signature(&garage, "k2v", &req).await?;
 		let api_key = api_key.ok_or_else(|| {
 			Error::Forbidden("Garage does not support anonymous access yet".to_string())
 		})?;
diff --git a/src/api/s3/api_server.rs b/src/api/s3/api_server.rs
index 04e3727f..d908f84a 100644
--- a/src/api/s3/api_server.rs
+++ b/src/api/s3/api_server.rs
@@ -121,7 +121,7 @@ impl ApiHandler for S3ApiServer {
 			return handle_options_s3api(garage, &req, bucket_name).await;
 		}
 
-		let (api_key, mut content_sha256) = check_payload_signature(&garage, &req).await?;
+		let (api_key, mut content_sha256) = check_payload_signature(&garage, "s3", &req).await?;
 		let api_key = api_key.ok_or_else(|| {
 			Error::Forbidden("Garage does not support anonymous access yet".to_string())
 		})?;
diff --git a/src/api/s3/post_object.rs b/src/api/s3/post_object.rs
index a060c8fb..86fa7880 100644
--- a/src/api/s3/post_object.rs
+++ b/src/api/s3/post_object.rs
@@ -119,7 +119,15 @@ pub async fn handle_post_object(
 	};
 
 	let date = parse_date(date)?;
-	let api_key = verify_v4(&garage, credential, &date, signature, policy.as_bytes()).await?;
+	let api_key = verify_v4(
+		&garage,
+		"s3",
+		credential,
+		&date,
+		signature,
+		policy.as_bytes(),
+	)
+	.await?;
 
 	let bucket_id = resolve_bucket(&garage, &bucket, &api_key).await?;
 
diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs
index 2a41b307..59d7ff6a 100644
--- a/src/api/signature/payload.rs
+++ b/src/api/signature/payload.rs
@@ -19,6 +19,7 @@ use crate::error::*;
 
 pub async fn check_payload_signature(
 	garage: &Garage,
+	service: &str,
 	request: &Request<Body>,
 ) -> Result<(Option<Key>, Option<Hash>), Error> {
 	let mut headers = HashMap::new();
@@ -64,6 +65,7 @@ pub async fn check_payload_signature(
 
 	let key = verify_v4(
 		garage,
+		service,
 		&authorization.credential,
 		&authorization.date,
 		&authorization.signature,
@@ -281,6 +283,7 @@ pub fn parse_date(date: &str) -> Result<DateTime<Utc>, Error> {
 
 pub async fn verify_v4(
 	garage: &Garage,
+	service: &str,
 	credential: &str,
 	date: &DateTime<Utc>,
 	signature: &str,
@@ -289,9 +292,10 @@ pub async fn verify_v4(
 	let (key_id, scope) = parse_credential(credential)?;
 
 	let scope_expected = format!(
-		"{}/{}/s3/aws4_request",
+		"{}/{}/{}/aws4_request",
 		date.format(SHORT_DATE),
-		garage.config.s3_api.s3_region
+		garage.config.s3_api.s3_region,
+		service
 	);
 	if scope != scope_expected {
 		return Err(Error::AuthorizationHeaderMalformed(scope.to_string()));