Authentication
PDF4.dev supports two authentication methods depending on the context.
API key authentication
For external API calls (from your backend, scripts, CI/CD), use a Bearer token in the Authorization header:
Authorization: Bearer p4_live_xxx...
Creating an API key
- Go to Settings
- Click Create API key
- Copy the full token immediately (it's only shown once)
Keys always start with the p4_live_ prefix.
Permission scopes
| Scope | Access |
|---|---|
| full_access | All endpoints: render, templates CRUD, logs, stats |
| render_only | Only POST /api/v1/render |
Use render_only keys in environments where you only need to generate PDFs, like a backend service. Use full_access for admin scripts that also manage templates.
Security
- API keys are hashed with SHA-256 before storage. We never store the plain token.
- Deleting a key immediately revokes it. Any requests using that key will fail.
- Rotate keys regularly and never commit them to version control.
Session authentication
The dashboard uses cookie-based sessions managed by better-auth. Session auth is used for:
- All dashboard pages
- POST /api/v1/render/preview (live preview in the editor)
- API key management endpoints
- Account deletion
Session auth is not available for external API calls. Use API keys instead.
Error responses
Invalid or missing authentication returns a 401 with a structured error:
{
  "error": {
    "type": "authentication_error",
    "code": "unauthorized",
    "message": "Unauthorized"
  }
}
Using a render_only key on a full_access endpoint returns:
{
  "error": {
    "type": "authentication_error",
    "code": "insufficient_permissions",
    "message": "This API key does not have permission to access this resource"
  }
}
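The following added example, which is not PDF4.dev's own code, shows one way a server can implement the behaviour this page describes: keeping only the SHA-256 hash of each key, enforcing the two scopes, revoking on delete, and returning the error bodies shown above. The in-memory `keyStore`, the function names, the token length and encoding, and the `GET /api/v1/templates` route used to exercise it are assumptions.

```javascript
const { createHash, randomBytes } = require('node:crypto');

const PREFIX = 'p4_live_';             // key prefix stated on the page
const RENDER = 'POST /api/v1/render';  // the only route a render_only key may call
const sha256Hex = (s) => createHash('sha256').update(s).digest('hex');

// Hypothetical in-memory store: SHA-256(token) -> { scope }. No plain token is kept.
// A fast unsalted hash is acceptable here only because tokens are long and random,
// unlike user-chosen passwords.
const keyStore = new Map();

function createKey(scope) {
  if (scope !== 'full_access' && scope !== 'render_only') throw new Error('unknown scope');
  // Assumption: 32 random bytes, hex-encoded; the page does not specify the token body.
  const token = PREFIX + randomBytes(32).toString('hex');
  keyStore.set(sha256Hex(token), { scope });
  return token; // returned once to the caller, never retrievable afterwards
}

// Deleting the hash is the revocation: the next lookup for that token misses.
function revokeKey(token) {
  return keyStore.delete(sha256Hex(token));
}

const deny = (code, message) =>
  ({ ok: false, body: { error: { type: 'authentication_error', code, message } } });

function authorize(authorizationHeader, route) {
  const m = /^Bearer (\S+)$/.exec(authorizationHeader || '');
  const record = m && m[1].startsWith(PREFIX) ? keyStore.get(sha256Hex(m[1])) : undefined;
  // Missing, malformed, unknown and revoked keys all get the same answer (HTTP 401 per the page).
  if (!record) return deny('unauthorized', 'Unauthorized');
  if (record.scope === 'render_only' && route !== RENDER) {
    return deny('insufficient_permissions',
      'This API key does not have permission to access this resource');
  }
  return { ok: true, scope: record.scope };
}
```

Because the store holds only digests, a leaked copy of it does not yield usable tokens, and there is no way to show a key again after creation, which is why the token must be copied when it is first displayed.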