Authentication

Secure your API requests with scoped API keys.

Bearer Token

All API requests must include your API key in the Authorization header using the Bearer scheme:

http

Authorization: Bearer dh_live_abc123def456...

Requests without a valid key receive a 401 Unauthorized response.

Key Format

DocuHub API keys follow a predictable format that makes them easy to identify in logs and secret scanners:

text

dh_live_<random>

Examples:
  dh_live_sk7Gx2mP9qRtW4nB8vJ6yZ
  dh_live_aB3cD5eF7gH9iJ1kL3mNpQ

The dh_live_ prefix indicates a production key. Keys are 32 characters long including the prefix.

Scopes

Each key is created with a scope that limits which endpoints it can access. Use the narrowest scope that satisfies your needs.

API key scopes and their allowed endpoints
Scope	Description	Allowed Endpoints
FULL	Unrestricted access to all API endpoints.	All
CONVERT_ONLY	Can only call conversion endpoints.	/v1/convert, /v1/jobs/*
PDF_ONLY	Can only call PDF operation endpoints.	/v1/pdf/, /v1/jobs/
READ_ONLY	Can only read job statuses and download files.	/v1/jobs/, /v1/files/

If a key attempts to access an endpoint outside its scope, the API returns a 403 insufficient_scope error.

IP Allowlist

For additional security, you can restrict each API key to a set of IP addresses or CIDR ranges. Requests from unlisted IPs receive a 403 ip_not_allowed error.

Configure allowed IPs when creating or editing a key in your Developer Settings. Supported formats:

text

Single IP:    203.0.113.42
CIDR range:   10.0.0.0/24
IPv6:         2001:db8::1

Key Rotation

We recommend rotating your keys periodically. DocuHub supports a seamless rotation workflow:

Create a new key with the same scope and IP allowlist.
Deploy the new key to your application.
Verify traffic is using the new key (check the key's "Last Used" timestamp).
Revoke the old key.

Both keys remain valid simultaneously, so there is zero downtime during the rotation window.

Security Best Practices

Never commit keys to source control

Add .env to your .gitignore. If a key is accidentally committed, revoke it immediately and create a new one.

Use environment variables

Store keys in environment variables or a secrets manager, never hard-code them.

javascript

# .env (never commit this file)
DOCUHUB_API_KEY=dh_live_sk7Gx2mP9qRtW4nB8vJ6

# In your code
const apiKey = process.env.DOCUHUB_API_KEY;

Rotate regularly

We recommend rotating keys every 90 days, and immediately after any team member with access leaves your organization.

Use the narrowest scope

If a service only converts files, use CONVERT_ONLYinstead of FULL. This limits the blast radius if a key is compromised.

Key Format

DocuHub API keys follow a predictable format that makes them easy to identify in logs and secret scanners:

text

dh_live_<random>

Examples:
  dh_live_sk7Gx2mP9qRtW4nB8vJ6yZ
  dh_live_aB3cD5eF7gH9iJ1kL3mNpQ

The dh_live_ prefix indicates a production key. Keys are 32 characters long including the prefix.

Scopes

Each key is created with a scope that limits which endpoints it can access. Use the narrowest scope that satisfies your needs.

API key scopes and their allowed endpoints
Scope	Description	Allowed Endpoints
FULL	Unrestricted access to all API endpoints.	All
CONVERT_ONLY	Can only call conversion endpoints.	/v1/convert, /v1/jobs/*
PDF_ONLY	Can only call PDF operation endpoints.	/v1/pdf/, /v1/jobs/
READ_ONLY	Can only read job statuses and download files.	/v1/jobs/, /v1/files/

If a key attempts to access an endpoint outside its scope, the API returns a 403 insufficient_scope error.

IP Allowlist

For additional security, you can restrict each API key to a set of IP addresses or CIDR ranges. Requests from unlisted IPs receive a 403 ip_not_allowed error.

Configure allowed IPs when creating or editing a key in your Developer Settings. Supported formats:

text

Single IP:    203.0.113.42
CIDR range:   10.0.0.0/24
IPv6:         2001:db8::1

Key Rotation

We recommend rotating your keys periodically. DocuHub supports a seamless rotation workflow:

Create a new key with the same scope and IP allowlist.

Deploy the new key to your application.

Verify traffic is using the new key (check the key's "Last Used" timestamp).

Revoke the old key.

Both keys remain valid simultaneously, so there is zero downtime during the rotation window.

Security Best Practices

Never commit keys to source control

Add .env to your .gitignore. If a key is accidentally committed, revoke it immediately and create a new one.

Use environment variables

Store keys in environment variables or a secrets manager, never hard-code them.

javascript

# .env (never commit this file)
DOCUHUB_API_KEY=dh_live_sk7Gx2mP9qRtW4nB8vJ6

# In your code
const apiKey = process.env.DOCUHUB_API_KEY;

Rotate regularly

We recommend rotating keys every 90 days, and immediately after any team member with access leaves your organization.

Use the narrowest scope

If a service only converts files, use CONVERT_ONLYinstead of FULL. This limits the blast radius if a key is compromised.