Authentication
All requests to the DocDigitizer API require authentication. This guide explains how to authenticate your requests and manage your API credentials securely.
Overview
DocDigitizer uses API key authentication to secure access to the document extraction API. Every request must include a valid API key in the request headers.
Authentication Flow
- Obtain your API key from DocDigitizer (provided during account setup)
- Include the API key in the
x-api-keyheader of every request - The API validates your key and processes the request
- If authentication fails, an error response is returned
Required Credentials
| Credential | Header/Parameter | Required | Description |
|---|---|---|---|
| API Key | x-api-key (header) |
Yes | Your unique API key for authentication |
| Context ID | contextId (body) |
Yes | UUID identifying your processing configuration |
API Key Authentication
Your API key is a unique identifier that authenticates your application with the DocDigitizer API. It must be included in every request.
API Key Format
API keys are alphanumeric strings. Example format:
dd_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Key Types
| Key Type | Prefix | Usage |
|---|---|---|
| Production | dd_live_ |
Use in production environments. Full API access. |
| Test | dd_test_ |
Use in development/testing. May have usage limits. |
Note: Contact your account manager to request separate keys for different environments.
Request Headers
Include the following header in all API requests:
| Header | Value | Required |
|---|---|---|
x-api-key |
Your API key | Yes |
Content-Type |
multipart/form-data |
Yes (for file uploads) |
Header Format
x-api-key: dd_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Authentication Examples
cURL
curl -X POST https://apix.docdigitizer.com/sync \
-H "x-api-key: dd_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6" \
-F "files=@document.pdf" \
-F "id=550e8400-e29b-41d4-a716-446655440000" \
-F "contextId=your-context-id"
PowerShell
$headers = @{
"x-api-key" = "dd_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"
}
$form = @{
files = Get-Item -Path "document.pdf"
id = [guid]::NewGuid().ToString()
contextId = "your-context-id"
}
$response = Invoke-RestMethod -Uri "https://apix.docdigitizer.com/sync" `
-Method Post `
-Headers $headers `
-Form $form
Python
import requests
import uuid
url = "https://apix.docdigitizer.com/sync"
headers = {
"x-api-key": "dd_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"
}
files = {
"files": open("document.pdf", "rb")
}
data = {
"id": str(uuid.uuid4()),
"contextId": "your-context-id"
}
response = requests.post(url, headers=headers, files=files, data=data)
JavaScript (Node.js)
const FormData = require('form-data');
const fs = require('fs');
const fetch = require('node-fetch');
const { v4: uuidv4 } = require('uuid');
const form = new FormData();
form.append('files', fs.createReadStream('document.pdf'));
form.append('id', uuidv4());
form.append('contextId', 'your-context-id');
const response = await fetch('https://apix.docdigitizer.com/sync', {
method: 'POST',
headers: {
'x-api-key': 'dd_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6'
},
body: form
});
C# (.NET)
using var client = new HttpClient();
using var form = new MultipartFormDataContent();
// Set API key header
client.DefaultRequestHeaders.Add("x-api-key", "dd_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6");
// Add file
var fileContent = new ByteArrayContent(File.ReadAllBytes("document.pdf"));
fileContent.Headers.ContentType = new MediaTypeHeaderValue("application/pdf");
form.Add(fileContent, "files", "document.pdf");
// Add parameters
form.Add(new StringContent(Guid.NewGuid().ToString()), "id");
form.Add(new StringContent("your-context-id"), "contextId");
var response = await client.PostAsync("https://apix.docdigitizer.com/sync", form);
Java
HttpClient client = HttpClient.newHttpClient();
String boundary = UUID.randomUUID().toString();
String body = buildMultipartBody(boundary, file, documentId, contextId);
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://apix.docdigitizer.com/sync"))
.header("x-api-key", "dd_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6")
.header("Content-Type", "multipart/form-data; boundary=" + boundary)
.POST(HttpRequest.BodyPublishers.ofString(body))
.build();
HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
API Key Management
Obtaining Your API Key
API keys are provided during the account onboarding process. To request an API key:
- Contact the DocDigitizer sales team at docdigitizer.com/contact
- Complete the account setup process
- Your API key will be provided securely by your account manager
Requesting Additional Keys
You may need multiple API keys for:
- Separate development and production environments
- Different applications or services
- Team members with different access levels
Contact support@docdigitizer.com to request additional keys.
Rotating API Keys
If you need to rotate your API key (recommended periodically or if compromised):
- Contact support to request a new API key
- Update your applications with the new key
- Test the new key in a non-production environment
- Deploy the change to production
- Request deactivation of the old key
Revoking API Keys
If your API key is compromised or no longer needed:
- Contact support@docdigitizer.com immediately
- Request immediate revocation of the compromised key
- Request a new key if needed
Security Best Practices
Do’s
- Store keys securely – Use environment variables, secrets managers, or encrypted configuration
- Use HTTPS only – All API calls are over HTTPS; never use HTTP
- Limit key exposure – Only share keys with team members who need them
- Monitor usage – Regularly review API usage for unexpected patterns
- Rotate keys periodically – Change your API keys on a regular schedule
- Use separate keys – Use different keys for development, staging, and production
Don’ts
- Don’t commit keys to version control – Never include API keys in Git repositories
- Don’t embed keys in client-side code – Never expose keys in JavaScript, mobile apps, or browser code
- Don’t share keys via insecure channels – Avoid email, chat, or other unencrypted methods
- Don’t log API keys – Ensure your logging doesn’t capture sensitive headers
- Don’t hardcode keys – Always use configuration or environment variables
Secure Storage Options
| Platform | Recommended Storage |
|---|---|
| Local Development | Environment variables, .env files (gitignored) |
| AWS | AWS Secrets Manager, Parameter Store |
| Azure | Azure Key Vault |
| Google Cloud | Secret Manager |
| Kubernetes | Kubernetes Secrets |
| Docker | Docker Secrets, environment variables |
Authentication Errors
When authentication fails, the API returns an error response. Below are common authentication errors and how to resolve them.
Error Responses
| HTTP Status | Error | Cause | Solution |
|---|---|---|---|
401 |
Unauthorized | Missing or invalid API key | Verify the x-api-key header is present and contains a valid key |
401 |
API Key Expired | The API key has been revoked or expired | Contact support to obtain a new API key |
403 |
Forbidden | Valid key but insufficient permissions | Verify your Context ID and account permissions |
403 |
Invalid Context | The Context ID doesn’t match the API key | Use the Context ID associated with your API key |
429 |
Rate Limited | Too many requests in a short period | Implement backoff and retry logic; contact support for higher limits |
Error Response Format
{
"StateText": "ERROR",
"TraceId": "XYZ9876",
"Messages": [
"Authentication failed: Invalid API key"
]
}
Troubleshooting Steps
- Verify the header name – Ensure you’re using
x-api-key(lowercase) - Check for typos – Copy the API key directly from your secure storage
- Verify no extra whitespace – Ensure no leading/trailing spaces in the key
- Check environment variables – Ensure the variable is set in the current shell/process
- Test with cURL – Use a simple cURL command to isolate the issue
- Contact support – If issues persist, contact support with your TraceId
Testing Authentication
Test if your API key is valid with a minimal request:
curl -I -X POST https://apix.docdigitizer.com/sync \
-H "x-api-key: YOUR_API_KEY"
A valid key returns headers (even if the request body is incomplete). An invalid key returns 401 Unauthorized.