API keys
Carbone Cloud API Keys
Use API keys to authenticate API requests.
Carbone authenticates your API requests using your account’s API keys by joining the header Authorization with the API key as value.
If a request doesn’t include a valid key, Carbone API returns an invalid request error (Status 401).
If a request includes a deleted or expired key, Carbone API returns an authentication error (Status 401).
You can use the Account dashboard to reveal, and roll API keys.
Test versus Live keys
| API Key type | When to use | File export supported | Effect on credits usage | Effect on templates storage | Considerations |
|---|---|---|---|---|---|
| Test key | For testing purpose: use the test API keys, as you build your integration | PDF only (with a watermark) | When generating a document with POST /render/:templateId, it will not consume credits. You can generate unlimited | When adding a template on your storage with POST /template, the template is non-persistant and will be deleted automatically in 30 days. You can upload unlimited templates. | If the export format is not pdf, an error is returned. |
| Live key | For production purpose: use the Live API key, when you’re ready to launch your integration | All files formats (without watermark) | When generating a document with POST /render/:templateId, it will consume credits based on the request body size. Learn more. | When adding a template on your storage with POST /template, the template is persistant. Your plan gives you a storage quota, if the quota is exceed, exceeding templates are charged. | The Sandbox Plan is available for free, giving 100 monthly credits and a storage of 100 templates. If you need more credits, you can upgrade the subscription. |
All accounts have one API keys by default: the test API key. To unlock the live API key, a cloud subscription is required.
Keep your keys safe 🔒
Anyone can use your live secret API key to make any API call on behalf of your account, such as creating a report or deleting templates. Keep your keys safe by following these best practices:
Grant Administration access to your Carbone account only to those who need it.
Don’t store keys in a version control system.
Control access to keys with a password manager or secrets management service.
Don’t embed a key where it could be exposed to an attacker, such as in a mobile application.
Delete an API key
It is not possible to delete an API key, but you can roll the API key. After generating a new key, any code that used the previous key can no longer make API calls.
Updated on: 10/09/2023
Thank you!