Authentication

Every API request passes a token in the header:

Authorization: Bearer <token>

There are two types of access:

hotdoc API key

For programmatic access to document processing. Token format: hotdoc_<id>.<secret>. Created in the dashboard; the full token is shown once, after which only a masked version is kept (hotdoc_<id>). A key has an optional expiration (expiresAt; without it, the key never expires) and a last-used timestamp (lastUsedAt); a key can be revoked.

Dashboard session token (JWT)

For managing your account, keys, and billing from the dashboard.

The processing methods (/v1/jobs*) accept both an API key and a JWT. All management methods (account, keys, billing) require a dashboard session token (JWT) — they’re not available with an API key.

Key-management endpoints

MethodEndpointPurpose
GET/v1/account/api-keyslist keys (masked)
POST/v1/account/api-keyscreate a key; the full token is returned once
DELETE/v1/account/api-keys/{id}revoke a key

Key security

  • don’t put keys in client-side code or public repositories;
  • if a key leaks, revoke it immediately and create a new one;
  • revocation takes effect with a delay of up to 5 minutes (server-side caching);
  • the model provider key (BYOK) is a separate secret; it’s never stored in plaintext (only encrypted) and is deleted along with the job.