Authentication
All API requests require a Bearer token in the Authorization header. Keys are scoped per organisation and can be revoked at any time.
API keys
Create and manage keys from Account → API Keys. Each key belongs to one organisation and inherits that org's plan limits.
Sending your key
Include the key in the Authorization header using the Bearer scheme on every request:
Never expose API keys client-side. Always call the PDFox API from your server. If a key is leaked, rotate it immediately from the dashboard.
Key prefixes
| Prefix | Environment | Notes |
|---|---|---|
sk_live_ | Production | Consumes credits. Use in production only. |
sk_test_ | Test | No credit deduction. Watermarked PDFs. |
Errors
| Status | Meaning |
|---|---|
401 | Missing or malformed Authorization header |
403 | Key is valid but has been revoked or lacks permission for this endpoint |
Session cookies (used by the dashboard) are never accepted by the external API. Only Bearer tokens work.
curl https://api.pdfox.com/v1/generate \ -H "Authorization: Bearer sk_live_••••••••••••••••"