Authentication
Create an API key and sign your requests.
Every call to https://api.pdf-forge.dev/v1/* is authenticated with an API
key sent as a Bearer token:
Authorization: Bearer pf_live_xxxxxxxxxxxxxxxxxxxxxxxxKey types
| Prefix | Type | Behaviour |
|---|---|---|
pf_live_ | Live key | Production. Rate-limited per plan, counts against your monthly quota. |
pf_test_ | Test key | Development. Exempt from per-minute rate limiting. |
The key is shown only once
The full key appears a single time, at creation. Only the prefix
(pf_live_a1b2c3d4...) is stored and displayed afterwards. Copy it into a
secret manager immediately.
Create a key
Create your first key from the dashboard (API keys). You can also manage keys by API once you have one:
curl -X POST https://api.pdf-forge.dev/v1/keys \
-H "Authorization: Bearer $PDFFORGE_API_KEY" \
-H "Content-Type: application/json" \
-d '{ "name": "CI pipeline", "isTest": false }'Returns 201 with id, key (full key — only time you see it), prefix,
name, isTest, rateLimit and createdAt.
curl https://api.pdf-forge.dev/v1/keys \
-H "Authorization: Bearer $PDFFORGE_API_KEY"Returns { "keys": [...] } — prefix, name, rate limit, lastUsedAt,
revokedAt, never the full key.
curl -X POST https://api.pdf-forge.dev/v1/keys/KEY_ID/rotate \
-H "Authorization: Bearer $PDFFORGE_API_KEY"Revokes the old key and returns a brand-new one (key field, shown once).
curl -X DELETE https://api.pdf-forge.dev/v1/keys/KEY_ID \
-H "Authorization: Bearer $PDFFORGE_API_KEY"The key stops working immediately.
The number of active keys is capped by your plan (1 on Free, up to 100 on Enterprise) — see Errors & limits.
Use the key
export PDFFORGE_API_KEY="pf_live_..."
curl -X POST https://api.pdf-forge.dev/v1/generate/html \
-H "Authorization: Bearer $PDFFORGE_API_KEY" \
-H "Content-Type: application/json" \
-d '{ "html": "<h1>Hello</h1>" }' \
--output hello.pdfimport { PDFForge } from "@pdfforge/core";
// Reads the key from an environment variable — never hardcode it.
const client = new PDFForge(process.env.PDFFORGE_API_KEY!);The SDK validates the prefix at construction: a key that does not start with
pf_live_ or pf_test_ throws immediately.
Authentication errors
All auth failures return 401 with a JSON body:
error | Cause |
|---|---|
unauthorized | Missing or malformed Authorization header. |
invalid_key_format | Token does not start with pf_live_ / pf_test_. |
invalid_key | Key not found or revoked. |
{
"error": "unauthorized",
"message": "Missing or invalid Authorization header",
"hint": "Use: Authorization: Bearer pf_live_xxxxx"
}Next steps
- Your first PDF — make your first request in five minutes.
- Errors & limits — quotas, rate limits and error codes.
- JavaScript SDK — the official client.