
Authentication

Pdflet supports two authentication methods: API Keys (recommended) and JWT Tokens.

API keys are the simplest way to authenticate. Include your key in the X-API-Key header:
curl https://api.pdflet.dev/api/v1/pdf/ \
  -H "X-API-Key: pk_live_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{"html": "<h1>Hello</h1>"}'

Creating API Keys

  1. Log in to your Pdflet Dashboard
  2. Navigate to API Keys
  3. Click Create API Key
  4. Enter a descriptive name (e.g., “Production Server”)
  5. Copy and securely store your key
API keys are shown only once. If you lose a key, revoke it and create a new one.

API Key Format

API keys follow this format:
  • Live keys: pk_live_ prefix (32 characters total)
  • Example: pk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Best Practices

  • Never hardcode API keys in your source code:
      import os
      api_key = os.environ.get('PDFLET_API_KEY')
  • Create different keys for development, staging, and production
  • Revoke and replace keys every 90 days for security
  • Create keys with only the permissions you need

JWT Authentication

For web applications where users interact directly, use JWT (JSON Web Token) authentication.

Obtaining Tokens

curl -X POST https://api.pdflet.dev/api/v1/auth/jwt/create/ \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com", "password": "your_password"}'
Response:
{
  "access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
  "refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
}

Using Access Tokens

Include the access token in the Authorization header:
curl https://api.pdflet.dev/api/v1/pdf/ \
  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..." \
  -H "Content-Type: application/json" \
  -d '{"html": "<h1>Hello</h1>"}'

Refreshing Tokens

Access tokens expire after 5 minutes. Use the refresh token to get a new access token:
curl -X POST https://api.pdflet.dev/api/v1/auth/jwt/refresh/ \
  -H "Content-Type: application/json" \
  -d '{"refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."}'

Token Lifetimes

| Token Type | Lifetime |
|---|---|
| Access Token | 5 minutes |
| Refresh Token | 1 day |
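
A client has to track both lifetimes: renew the access token before its 5 minutes run out, and send the user back to login once the 1-day refresh token is gone. The following is an added example, not Pdflet's own code; `TokenManager`, `ReauthRequired`, the 30-second `SKEW` margin, and the assumption that the refresh endpoint answers with `{"access": "..."}` are illustrative and not taken from the page.

```python
import json
import time
import urllib.request

BASE = "https://api.pdflet.dev/api/v1/auth/jwt"
ACCESS_TTL = 5 * 60          # access token lifetime stated above (seconds)
REFRESH_TTL = 24 * 60 * 60   # refresh token lifetime stated above (seconds)
SKEW = 30                    # assumed safety margin before expiry (seconds)


class ReauthRequired(Exception):
    """Refresh token is missing or expired; the user must log in again."""


def http_post(url, payload):
    """Default transport: POST JSON, return the decoded JSON body."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenManager:
    """Hypothetical helper that always hands out a non-expired access token."""

    def __init__(self, post=http_post, clock=time.monotonic):
        self._post, self._clock = post, clock
        self._access = self._refresh = None
        self._access_at = self._refresh_at = 0.0

    def login(self, email, password):
        # Credentials are sent once and never stored on the object.
        body = self._post(f"{BASE}/create/", {"email": email, "password": password})
        self._access, self._refresh = body["access"], body["refresh"]
        self._access_at = self._refresh_at = self._clock()

    def auth_header(self):
        now = self._clock()
        if self._refresh is None or now - self._refresh_at >= REFRESH_TTL - SKEW:
            self._access = self._refresh = None  # drop stale secrets from memory
            raise ReauthRequired("refresh token missing or expired")
        if now - self._access_at >= ACCESS_TTL - SKEW:
            # Assumption: the refresh endpoint returns {"access": "<new token>"}.
            body = self._post(f"{BASE}/refresh/", {"refresh": self._refresh})
            self._access, self._access_at = body["access"], now
        return {"Authorization": f"Bearer {self._access}"}
```

The `post` and `clock` parameters exist so the expiry logic can be exercised offline with a stub transport and a fake clock.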

Which Should I Use?

| Use Case | Recommended Method |
|---|---|
| Backend server-to-server | API Key |
| CLI tools or scripts | API Key |
| Web application (frontend) | JWT |
| Mobile application | JWT |
| Microservices | API Key |

API keys are simpler but cannot be revoked per-session. JWT tokens offer more granular control for user-facing applications.