Docs

Reference

Release Notes

TypeScript SDK

Authentication

A complete guide to authenticating the Pdffillr SDK - covering how API key authentication works, the recommended environment variable pattern, managing keys across multiple environments, and rotating keys safely in production.

API key authEnvironment variablesPer-environment keysZero-downtime rotation

What this page covers

How API key authentication works under the hood

Where to find and copy your API key from the dashboard

Configuring auth via environment variables with dotenv

When it is acceptable to pass an API key explicitly

Managing separate keys for development, staging, and production

Rotating a key in production with zero downtime

A security checklist for every environment you deploy to

1. How Authentication Works

The Pdffillr API uses API key authentication. Every request the SDK sends to the API includes your key in the Authorization HTTP header as a bearer token. The API server validates the key on every request - there is no separate login step, no session cookie, and no token expiry to manage. If the key is valid, the request proceeds; if it is missing, malformed, or revoked, the server returns a 401 Unauthorized response immediately.

You do not need to write any authentication code yourself. The SDK reads your API key from the constructor options and attaches it to every outbound request automatically. From your application's perspective, authentication is a one-time configuration step at startup - after that, every call to client.sdk.* is authenticated without any additional work on your part.

You provide the API key oncePass your key via the PDFFILLR_API_KEY environment variable or the apiKey constructor option. The SDK stores it internally for the lifetime of the client instance.

The SDK attaches it to every requestBefore sending any HTTP request to the Pdffillr API, the SDK automatically sets the Authorization: Bearer <key> header. You never need to set this manually.

The API validates the key server-sideThe Pdffillr server verifies the key on every request. A valid key lets the request through. An invalid or missing key returns 401 Unauthorized, which the SDK surfaces as a rejected Promise.

2. Your API Key

Your API key is a long, randomly generated string that uniquely identifies your Pdffillr account. It is displayed only once when you create it - copy it immediately and store it somewhere secure, such as a password manager or a secrets vault. If you lose it, you will need to generate a new one and update all environments that use the old key.

Shown once on creationThe full key value is displayed only when you first generate it. After you navigate away, the dashboard shows only a masked preview. Copy it before you close the page.

Store it securelySave your key in a password manager, a secrets manager (AWS Secrets Manager, HashiCorp Vault), or your deployment platform's environment variable store. Never save it in a plain text file.

Rotate if compromisedIf your key is ever exposed - through a commit, a log file, or a support ticket - generate a new key and revoke the old one immediately. See the key rotation section below.

Your key grants full API access

Anyone who obtains your API key can make requests to the Pdffillr API on behalf of your account, consuming your quota and accessing your data. Treat it with the same level of care you would give a root database password.

3. Environment Variable (Recommended)

The recommended way to supply your API key is through an environment variable. You can name the variable anything you like - PDFFILLR_API_KEY is just a common convention, not a requirement. Whatever name you choose, pass its value to the apiKey constructor option and the SDK will use it for every request. This pattern keeps your secret out of source code entirely - it lives only in your runtime environment, never in a file that could be committed, cached, or logged.

Add .env to your .gitignore first

Before creating the file, ensure it is ignored by git. Doing this first eliminates the possibility of accidentally committing the file even in the same commit you create it.

.gitignore

# .gitignore  -  add these before your first commit
.env
.env.local
.env.development
.env.staging
.env.production

Create the .env file and set the variable

Create a .env file at the root of your project - the same directory as package.json - and set a variable for your API key. You can use any variable name you prefer; replace the placeholder value with your real secret from the dashboard.

.env

# .env
# You can name this variable anything you like - the name shown here is
# just a convention. Pass whatever name you choose to the apiKey option.
# Never commit this file to version control.
PDFFILLR_API_KEY=your_api_key_here

# Custom variable name - works exactly the same way:
# MY_APP_PDFFILLR_KEY=your_api_key_here

Load the variable and initialise the client

Import dotenv/config at the very top of your application entry point - before any other module that reads process.env. Then instantiate the SDK client as you normally would; the key is picked up from the environment automatically.

src/index.ts

// src/index.ts  -  load env vars before any other import
import 'dotenv/config';

import Pdffillr from '@pdffillr/sdk';

// Pass whichever env variable name you chose - the SDK accepts any value
// supplied to the apiKey option, regardless of what the variable is called.
const client = new Pdffillr({
  apiKey: process.env['PDFFILLR_API_KEY'],
  // or: apiKey: process.env['MY_APP_PDFFILLR_KEY'],
});

In production, skip dotenv entirely

Managed deployment platforms - AWS, Vercel, Render, Railway, Fly.io - have a native environment variable interface. Set your secret under whatever variable name you chose in your platform's settings instead of shipping a .env file. Node.js surfaces those platform variables through process.env automatically - dotenv is only needed for local development.

4. Explicit Key in Constructor

You can pass the API key directly to the constructor through the apiKey option. The SDK treats an explicitly provided key identically to one read from the environment - it is attached to every request in the Authorization header. The difference is entirely about where the key value originates and how visible it is at runtime.

script.ts

import Pdffillr from '@pdffillr/sdk';

// Acceptable for local one-off scripts and automated tests.
// Do NOT use this pattern in long-lived production services.
const client = new Pdffillr({
  apiKey: 'my-pdffillr-api-key',
});

When to use each approach

Approach	Use when	Avoid when
Environment variable	Any long-lived service - API servers, background workers, serverless functions, CI pipelines	Never avoid - this is always the safest option
Explicit key in constructor	Throwaway local scripts, automated tests that need a predictable value, quick debugging	Any code that is committed to a repository, deployed to a server, or visible in logs

An explicit key in committed code is a security incident

If you accidentally commit a source file that contains a hard-coded API key, treat it as a compromise and rotate immediately - even if the repository is private. Private repositories can become public, can be cloned by team members whose machines are later compromised, and are indexed by tools like GitHub Copilot.

5. Managing Multiple Environments

Professional deployments use a separate API key for each environment - development, staging, and production at minimum. This limits the blast radius of a key leak: an exposed development key cannot be used to access production data, and revoking it does not disrupt live traffic. It also makes it straightforward to audit which environment made which API calls from the Pdffillr dashboard.

.env.development

# .env.development
PDFFILLR_API_KEY=sk_dev_xxxxxxxxxxxxxxxx

.env.production

# .env.production  (or set in your deployment platform's UI)
PDFFILLR_API_KEY=sk_prod_xxxxxxxxxxxxxxxx

Loading the correct file based on NODE_ENV

src/config.ts

// Load the correct .env file based on NODE_ENV
import * as dotenv from 'dotenv';

dotenv.config({
  path: `.env.${process.env.NODE_ENV ?? 'development'}`,
});

import Pdffillr from '@pdffillr/sdk';

const client = new Pdffillr({
  apiKey: process.env['PDFFILLR_API_KEY'],
});

Recommended key naming convention

Environment	File	Key prefix (example)
Local development	.env.development	sk_dev_…
Staging / QA	.env.staging	sk_stg_…
Production	Platform env vars	sk_prod_…
CI / CD pipeline	CI secret store	sk_ci_…

Never share keys across environments

Using one key for both development and production creates a single point of failure. A developer accidentally leaking the development key would expose production. Keep keys strictly scoped to their environment and rotate them independently.

6. Key Rotation

Key rotation is the process of replacing an active API key with a newly generated one. You should rotate keys on a regular schedule - quarterly for low-risk environments, immediately for any key that may have been compromised. Because the SDK reads the key from process.env, rotation is an infrastructure operation: no code changes are required in your application.

rotation-guide.ts (comments only)

// Step 1 - generate the new key in the Pdffillr dashboard
// Step 2 - add the new key to your environment alongside the old one
//           (both keys are active during the transition window)
// Step 3 - deploy your application with the new key value
// Step 4 - revoke the old key from the dashboard once all
//           instances are running with the new key

// In your .env (during transition):
// PDFFILLR_API_KEY=sk_new_xxxxxxxxxxxxxxxx

// In your application code - no changes needed:
const client = new Pdffillr({
  apiKey: process.env['PDFFILLR_API_KEY'],
});

Zero-downtime rotation steps

Generate a new key in the Pdffillr dashboardCreate the new key before revoking the old one. Both keys remain active during the transition window, so live traffic continues uninterrupted.

Update the key in every environment and deploymentSet the new value for PDFFILLR_API_KEY in your deployment platform, secret store, and any CI pipeline that uses the key. Do not restart anything yet.

Deploy or restart your application instancesOnce all instances have restarted and are reading the new key from the environment, they authenticate successfully with the new key. The old key is still active as a fallback.

Verify, then revoke the old keyConfirm in your monitoring dashboard that all instances are using the new key - no 401 errors, and API call attribution shows the new key ID. Then revoke the old key from the Pdffillr dashboard.

If a key is compromised, rotate immediately

Do not wait for a scheduled rotation window. Generate a new key, update all environments, deploy, then revoke the old key - ideally within minutes of discovering the exposure. Every minute a compromised key remains active is a window for unauthorised access.

7. Security Checklist

Use this checklist to verify your authentication setup is production-ready before you deploy. Each item addresses a common misconfiguration that has led to real API key leaks in production systems.

.env is listed in .gitignore before any commits

API key is stored in an environment variable, not in source code

Separate API keys exist for development, staging, and production

Production key is set in the deployment platform UI, not in a .env file

API key does not appear in application logs or error stack traces

A key rotation procedure is documented and has been tested

git history has been audited - no key was ever committed, even temporarily

Audit your git history before going public

Run git log --all -S 'PDFFILLR' to search your full commit history for any occurrence of the variable name. If a key appears in any commit - including deleted files - rotate it and consider using a tool like git filter-repo to purge the history before making the repository public.

Next steps

SDK OverviewThe API namespace, TypeScript types, first request, and error handling.Read more SDK InstallationInstalling the package, dotenv setup, and verifying your environment.Read more API referenceFull documentation for every endpoint, parameter, and response field.Read more

SDK Installation Fundamentals

Was this page helpful?

PDFFILLR.AI

The intelligent layer for modern fund
administration. Automating high-stakes
documentation with precision and speed.

Powered byEngineersMind

Legal & Privacy

Terms & Conditions

User Agreement

Service Level Agreement

Data Processing Addendum

Resources

API Documentation

Security Overview