
Authentication

doczap uses API keys to authenticate requests. You can manage your API keys in the Dashboard.

API Key Format

All API keys follow this format:

sk_live_{prefix}_{random}
  • sk_live_ - Required prefix for all production keys
  • {prefix} - Organization identifier
  • {random} - Random string for uniqueness

Example: sk_live_abc123_xyz789def456

Using Your API Key

Include your API key in the Authorization header using Bearer authentication:

Authorization: Bearer sk_live_your_api_key_here
⚠️ Never expose your API key in client-side code or public repositories.

Example Request

curl -X POST https://api.doczap.app/api/v1/your-org/templates/invoice/documents \
  -H "Authorization: Bearer sk_live_abc123_xyz789def456" \
  -H "Content-Type: application/json" \
  -d '{"customer": "Acme Corp"}'

Test Mode

You can test the API without consuming your monthly quota by adding "isTest": true to your request:

{
  "customer": "Test Customer",
  "isTest": true
}

Test mode limitations:

  • 10 requests per day (all plans)
  • PDFs include a “TEST” watermark
  • Requests don’t count toward monthly usage
  • Resets daily at 00:00 UTC

Security Best Practices

  1. Environment Variables - Store API keys in environment variables

    const apiKey = process.env.DOCZAP_API_KEY;
  2. Server-Side Only - Never use API keys in client-side code

    // ❌ Bad - Exposed in browser
    fetch(url, {
      headers: { 'Authorization': 'Bearer sk_live_abc123' }
    });

    // ✅ Good - Server-side only
    app.post('/generate-pdf', async (req, res) => {
      const response = await fetch(url, {
        headers: { 'Authorization': `Bearer ${process.env.DOCZAP_API_KEY}` }
      });
      // Relay only the upstream status; the key never leaves the server
      res.sendStatus(response.status);
    });
  3. Rotate Regularly - Rotate your API keys periodically

  4. Restrict by IP - Use IP allowlists in production (Enterprise plan)
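
To back up the server-side-only rule and keep keys out of repositories, a scan for the sk_live_{prefix}_{random} format can run before commits or over built client bundles. The following is an added example, not doczap code; the alphanumeric character set for {prefix} and {random}, the function names and the sample key are assumptions made for illustration.

```javascript
// Added example (not doczap code): find doczap production keys in source or bundles.
// Assumption: {prefix} and {random} are alphanumeric, as in the page's sample key.
const DOCZAP_KEY_RE = /\bsk_live_([A-Za-z0-9]+)_([A-Za-z0-9]+)\b/g;

// The sample key printed in the docs; still reported, but marked for low-priority triage.
const DOC_SAMPLES = new Set(['sk_live_abc123_xyz789def456']);

// Keep the organization prefix (identifies the owner) but never echo the secret part.
function redact(prefix, random) {
  const hidden = '*'.repeat(Math.max(random.length - 2, 0));
  return `sk_live_${prefix}_${random.slice(0, 2)}${hidden}`;
}

// Returns one finding per key occurrence, with 1-based line and column.
function scanForKeys(text, file = '<input>') {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(DOCZAP_KEY_RE)) {
      findings.push({
        file,
        line: i + 1,
        column: m.index + 1,
        org: m[1],
        redacted: redact(m[1], m[2]),
        docSample: DOC_SAMPLES.has(m[0]),
      });
    }
  });
  return findings;
}

// Constructed sample input: the key below is made up for this example.
const SAMPLE = [
  'const apiKey = process.env.DOCZAP_API_KEY;',
  "fetch(url, { headers: { Authorization: 'Bearer sk_live_org42_FAKE0000000000' } });",
].join('\n');

for (const h of scanForKeys(SAMPLE, 'bundle.js')) {
  console.log(`${h.file}:${h.line}:${h.column} ${h.redacted}`);
}
```

Any finding with docSample set to false should fail the commit or build and lead to revoking that key in the dashboard.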

Error Responses

Invalid or missing authentication returns a 401 error:

{
  "error": {
    "message": "Invalid API key",
    "type": "authentication_error",
    "code": "invalid_api_key"
  }
}

Common authentication errors:

Error Code        Description
missing_api_key   No Authorization header provided
invalid_api_key   API key format is incorrect
expired_api_key   API key has been revoked
unauthorized_org  API key doesn’t match organization

Managing API Keys

In the dashboard, you can:

  • Create new API keys
  • View key metadata (created date, last used)
  • Revoke compromised keys
  • Set key descriptions for organization

API keys are shown only once when created. Store them securely immediately.