Authentication

How to authenticate with the DoCreate API

Every request to the DoCreate API must be authenticated using an API key. This page explains how to create, use, and manage your API keys.

Creating API Keys

  1. Sign in to your DoCreate dashboard.
  2. Navigate to the project you want to generate PDFs for.
  3. Open the API Keys section in the project settings.
  4. Click Create API Key.
  5. Give the key a descriptive label (e.g., "Production Server" or "Staging Environment").
  6. Copy the key immediately. For security reasons, the full key is only displayed once at creation time.

You can create multiple API keys per project. This is useful for separating access across environments or revoking a single key without affecting others.

Using Your API Key

Include your API key in the Authorization header of every request as a Bearer token:

curl -X POST https://api.docreate.io/api/pdf/external \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "html": "<h1>Hello</h1>" }'

In application code, the pattern is the same. Here is an example using JavaScript:

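// Server-side only: the key is read from an environment variable.
const response = await fetch("https://api.docreate.io/api/pdf/external", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${process.env.DOCREATE_API_KEY}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    html: "<h1>Hello from my app</h1>",
  }),
});

// A 401 or 403 body is an error response, not a PDF, so check the status first.
if (!response.ok) {
  throw new Error(`DoCreate request failed with status ${response.status}`);
}

const pdfBuffer = await response.arrayBuffer();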

Revoking API Keys

If a key is compromised or no longer needed, you can revoke it from the dashboard:

  1. Go to the API Keys section in your project settings.
  2. Find the key you want to revoke.
  3. Click Revoke.

The key is deactivated immediately. Any requests using the revoked key will return a 401 Unauthorized response.

Security Best Practices

Never expose your API key in client-side code. API keys should only be used in server-side environments (backend servers, serverless functions, etc.). If your key is included in frontend JavaScript, anyone can extract it from the browser.

Use environment variables. Store your API key in an environment variable rather than hardcoding it in your source code:

# .env file (never commit this to version control)
DOCREATE_API_KEY=your-api-key-here

Use separate keys for each environment. Create distinct API keys for development, staging, and production. This way, you can revoke a compromised key without disrupting other environments.

Rotate keys periodically. As a general security practice, consider rotating your API keys on a regular schedule. Create a new key, update your application, and then revoke the old key.

Restrict access. Only share API keys with team members and systems that genuinely need them. Use your project's team management features to control who can view and create keys.

Error Responses

If authentication fails, the API returns one of the following responses:

Status Code       Meaning
401 Unauthorized  The API key is missing, invalid, or has been revoked.
403 Forbidden     The API key is valid but does not have permission for the requested resource.

Check that your Authorization header is formatted correctly as Bearer <key> and that the key belongs to an active project.
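
A server-side wrapper that applies the practices above and handles the two documented authentication statuses, as an added example (not DoCreate's own code). The helper names buildAuthHeaders, redactHeaders, explainAuthFailure and renderPdf are hypothetical; the endpoint and the DOCREATE_API_KEY variable come from this page.

```javascript
// Added example: names below are hypothetical, not part of DoCreate's SDK.
const ENDPOINT = "https://api.docreate.io/api/pdf/external"; // from this page

// Build request headers from an env-like object, failing closed on a bad key.
function buildAuthHeaders(env) {
  const key = env.DOCREATE_API_KEY;
  if (typeof key !== "string" || key.length === 0) {
    throw new Error("DOCREATE_API_KEY is not set");
  }
  // A stray newline or space from copy-paste or a .env file malforms the header.
  if (/[\s\x00-\x1f\x7f]/.test(key)) {
    throw new Error("DOCREATE_API_KEY contains whitespace or control characters");
  }
  return { Authorization: `Bearer ${key}`, "Content-Type": "application/json" };
}

// Copy of the headers that is safe to write to logs or attach to errors.
function redactHeaders(headers) {
  return { ...headers, Authorization: "Bearer [REDACTED]" };
}

// Map the two documented authentication statuses to what the operator should check.
function explainAuthFailure(status) {
  if (status === 401) return "key is missing, invalid, or revoked";
  if (status === 403) return "key is valid but lacks permission for this resource";
  return null;
}

// fetchImpl is injectable so the function can be exercised without network access.
async function renderPdf(html, env = process.env, fetchImpl = fetch) {
  const headers = buildAuthHeaders(env);
  const res = await fetchImpl(ENDPOINT, {
    method: "POST",
    headers,
    body: JSON.stringify({ html }),
  });
  const reason = explainAuthFailure(res.status);
  if (reason) {
    const err = new Error(`DoCreate auth failed (${res.status}): ${reason}`);
    err.status = res.status;
    err.request = redactHeaders(headers); // never the raw key
    throw err;
  }
  if (!res.ok) throw new Error(`DoCreate request failed with status ${res.status}`);
  return res.arrayBuffer();
}
```

Logging err.request instead of the original headers keeps the key out of log files and error trackers, which would otherwise become a second place the key has to be protected.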