Authentication
Every request must include a bearer token with your API key.
Header
Authorization: Bearer sk_live_abc...
Key types
sk_live_* — hits production, counts against your real quota.
sk_test_* — sandboxed, unlimited. Used for CI and local dev.
Scopes
Create keys with least-privilege scopes for defence-in-depth.
pdf:read — extract-text, metadata GET, extract-pages
pdf:write — all mutation ops (merge, sign, watermark, ...)
keys:manage — create/revoke/rotate API keys
webhooks:* — manage webhook subscriptions
billing:read — read-only access to invoices + usage
Rotating keys
Rotation issues a new secret. The old one stays valid for 24 hours so you can roll your deployments.
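A pre-deployment check built from the rules above, added here as an example and not part of this API or its SDK: it rejects live keys in CI or dev, reports scopes a key holds beyond what the service's operations need, and computes when a rotated key's old secret expires. The function names, the environment labels, and the use of "metadata" as an operation identifier are assumptions of this sketch.

```python
from datetime import datetime, timedelta

# Scope -> operations, taken from the scope list on this page. Treating the
# operation names as identifiers ("metadata" for "metadata GET") is an assumption.
SCOPE_OPS = {
    "pdf:read": {"extract-text", "metadata", "extract-pages"},
    "pdf:write": {"merge", "sign", "watermark"},
}
ROTATION_GRACE = timedelta(hours=24)  # the old secret stays valid this long


def key_type(api_key: str) -> str:
    """Classify a key by its prefix; any other prefix is rejected."""
    if api_key.startswith("sk_live_"):
        return "live"
    if api_key.startswith("sk_test_"):
        return "test"
    raise ValueError("unrecognised key prefix")


def required_scopes(operations):
    """Smallest scope set that covers the operations a service performs."""
    needed = set()
    for op in operations:
        matches = [s for s, ops in SCOPE_OPS.items() if op in ops]
        if not matches:
            raise ValueError(f"no known scope covers {op!r}")
        needed.add(matches[0])
    return needed


def audit_key(api_key, granted_scopes, operations, environment):
    """Return a list of findings; an empty list means the key passes."""
    findings = []
    if environment in ("ci", "dev") and key_type(api_key) != "test":
        findings.append("live key used outside production")
    needed = required_scopes(operations)
    excess = set(granted_scopes) - needed
    missing = needed - set(granted_scopes)
    if excess:
        findings.append("excess scopes: " + ", ".join(sorted(excess)))
    if missing:
        findings.append("missing scopes: " + ", ".join(sorted(missing)))
    return findings


def old_key_deadline(rotated_at: datetime) -> datetime:
    """Moment the pre-rotation secret stops working; roll deployments before it."""
    return rotated_at + ROTATION_GRACE
```
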