API Keys

Create and manage API keys for your projects

API keys authenticate your requests to the DoCreate API. Each key is scoped to a specific project, ensuring isolated and secure access.

Creating an API Key

  1. Navigate to your project in the dashboard.
  2. Go to the API Keys section.
  3. Click Create API Key.
  4. Enter a name for the key (e.g., "Production Server", "CI/CD Pipeline", "Development").
  5. Click Create.

Your new API key will be displayed once. Copy it immediately and store it in a secure location, such as your application's environment variables or a secrets manager. You will not be able to see the full key again after leaving the page.

Using an API Key

Include your API key in every request to the DoCreate API using the Authorization header with the Bearer scheme:

Authorization: Bearer YOUR_API_KEY

Example request:

curl -X POST https://api.docreate.io/api/pdf/external \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"html": "<h1>Test</h1>"}'

Key Rotation

Regularly rotating your API keys reduces the risk of compromised credentials. To rotate a key:

  1. Create a new API key in the same project.
  2. Update your application to use the new key.
  3. Verify that your application works correctly with the new key.
  4. Delete the old key from the dashboard.

This approach ensures zero downtime during the rotation process. Your application continues to work with the old key until you have confirmed the new key is functioning correctly.
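
Step 3 of the rotation can be scripted. The following is an added example, not DoCreate's own tooling: it sends the example request from this page with the new key and maps the response to the 401 and 403 causes listed under Troubleshooting. The variable name DOCREATE_API_KEY_NEW and both function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: rotation step 3 as a scripted check.
# Assumption: the new key is supplied in DOCREATE_API_KEY_NEW (a name chosen
# for this example, not one defined by DoCreate).

# Map an HTTP status code to the causes this page lists for it.
explain_status() {
  case "$1" in
    2??) echo "new key accepted; safe to delete the old key" ;;
    401) echo "401: check the Bearer header format, whether the key was deleted or revoked, and the project" ;;
    403) echo "403: account or project suspended, or plan usage limit reached" ;;
    000) echo "no HTTP response: key not tested, keep the old key" ;;
    *)   echo "unexpected status $1: keep the old key" ;;
  esac
}

# Send the page's example request with the new key.
# Returns 0 on 2xx, 1 on any other status, 2 if no key is set.
verify_key() {
  vk_key="${DOCREATE_API_KEY_NEW:-}"
  if [ -z "$vk_key" ]; then
    echo "DOCREATE_API_KEY_NEW is not set" >&2
    return 2
  fi
  # The header reaches curl on stdin (--config -), so the key never shows up
  # in the process list; printf is a builtin in common shells, so no argv there.
  vk_status=$(printf 'header = "Authorization: Bearer %s"\n' "$vk_key" |
    curl --silent --output /dev/null --write-out '%{http_code}' \
      --max-time 30 --config - \
      -X POST https://api.docreate.io/api/pdf/external \
      -H "Content-Type: application/json" \
      -d '{"html": "<h1>Test</h1>"}') || vk_status="${vk_status:-000}"
  unset vk_key
  explain_status "$vk_status"
  case "$vk_status" in
    2??) return 0 ;;
    *)   return 1 ;;
  esac
}
```

Source the file, set DOCREATE_API_KEY_NEW from your secrets manager, and delete the old key in the dashboard only after verify_key returns 0.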

When to Rotate Keys

Consider rotating your API keys in the following situations:

  • A team member who had access to the key leaves the organization.
  • You suspect a key may have been exposed (e.g., committed to a public repository).
  • As part of a regular security review (e.g., quarterly rotation).
  • After a security incident.

Revoking an API Key

If you need to immediately disable an API key:

  1. Navigate to the project's API Keys section.
  2. Find the key you want to revoke.
  3. Click Delete.
  4. Confirm the deletion.

The key will stop working immediately. Any application using the revoked key will receive a 401 Unauthorized response.

Security Best Practices

Store Keys Securely

  • Use environment variables to store API keys in your application. Never hard-code them in source files.
  • Use a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault, or your hosting platform's built-in secrets) for production deployments.
  • Never commit API keys to version control. Add your .env files to .gitignore.

Limit Exposure

  • Server-side only. Never include API keys in client-side code, browser JavaScript, or mobile applications. Always make DoCreate API calls from your server.
  • Separate keys per environment. Use different API keys for development, staging, and production.
  • Separate keys per service. If multiple services within your infrastructure use DoCreate, give each service its own key. This makes it easy to revoke access for a single service without affecting others.

Monitor Usage

  • Review your project's usage dashboard regularly to detect unusual activity.
  • If you notice unexpected spikes in usage, check whether any keys have been compromised and rotate them immediately.

Troubleshooting

401 Unauthorized

If you receive a 401 Unauthorized response:

  • Verify that the Authorization header is formatted correctly: Bearer YOUR_API_KEY (note the space after "Bearer").
  • Confirm that the API key has not been deleted or revoked.
  • Check that you are using a key from the correct project.

403 Forbidden

If you receive a 403 Forbidden response:

  • Your account or project may have been suspended. Check the dashboard for notifications.
  • Your plan may have reached its usage limit. Visit the Usage & Billing page to check your current usage.