Authentication
Every API request passes a token in the header:
Authorization: Bearer <token>
There are two types of access:
hotdoc API key
For programmatic access to document processing. Token format: hotdoc_<id>.<secret>. Created in the dashboard; the full token is shown once, after which only a masked version is kept (hotdoc_<id>). A key has an optional expiration (expiresAt; without it, the key never expires) and a last-used timestamp (lastUsedAt); a key can be revoked.
Dashboard session token (JWT)
For managing your account, keys, and billing from the dashboard.
The processing methods (/v1/jobs*) accept both an API key and a JWT. All management methods (account, keys, billing) require a dashboard session token (JWT) — they’re not available with an API key.
Key-management endpoints
| Method | Endpoint | Purpose |
|---|---|---|
GET | /v1/account/api-keys | list keys (masked) |
POST | /v1/account/api-keys | create a key; the full token is returned once |
DELETE | /v1/account/api-keys/{id} | revoke a key |
Key security
- don’t put keys in client-side code or public repositories;
- if a key leaks, revoke it immediately and create a new one;
- revocation takes effect with a delay of up to 5 minutes (server-side caching);
- the model provider key (BYOK) is a separate secret; it’s never stored in plaintext (only encrypted) and is deleted along with the job.