Authentication
Secure your API requests with bearer token authentication.
How Authentication Works
PARSEKIT uses a two-step authentication flow:
1. Create an API key from the Dashboard — give it a name like "production" or "staging"
2. Exchange it for a bearer token via POST /authorize
3. Use the bearer token in the Authorization header for all API requests
Your API key stays secret on your server. Only the short-lived bearer token (1 hour) is sent in requests. You can create multiple API keys per account (Free: 2, Starter: 10, Pro: 25) — all keys share your plan's usage limits.
Step 1: Create an API Key
1. Sign in at parsekit.dev with Google or GitHub
2. Go to API Keys in the dashboard
3. Create a key and give it a name (e.g. "production", "ci", "staging")
4. Copy the key immediately — it's only shown once
API keys follow the format df_live_ followed by a 32-character string:
```
df_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
```
Step 2: Generate a Bearer Token
Exchange your API key for a short-lived access token:
```
curl -X POST https://api.parsekit.dev/authorize \
  -H "Content-Type: application/json" \
  -d '{"api_key": "df_live_your_key_here"}'
```
Response:
```
{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "token_type": "bearer",
  "expires_in": 3600
}
```
Step 3: Use the Bearer Token
Include the access_token in the Authorization header:
```
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
```
Full Example
```
# 1. Exchange the API key for a bearer token
TOKEN=$(curl -s -X POST https://api.parsekit.dev/authorize \
  -H "Content-Type: application/json" \
  -d '{"api_key": "df_live_your_key_here"}' | jq -r '.access_token')

# 2. Upload a file
UPLOAD=$(curl -s -X POST https://api.parsekit.dev/upload \
  -H "Authorization: Bearer $TOKEN" \
  -F "file=@document.pdf")
# Quote the variable so the JSON reaches jq unmodified
FILE_ID=$(echo "$UPLOAD" | jq -r '.file_id')

# 3. Convert using file_id (inner quotes are escaped so the body is valid JSON)
curl -X POST https://api.parsekit.dev/convert \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"file_id\": \"$FILE_ID\", \"from\": \"pdf\", \"to\": \"text\"}"
```
Token Expiration
Bearer tokens expire after 1 hour. When a token expires, generate a new one from your API key. Your API key does not expire.
Security Best Practices
- Never expose your API key in client-side code. Exchange tokens on your server.
- Use environment variables. Store keys in .env files, never commit them to version control.
- Tokens are short-lived. Even if intercepted, they expire in 1 hour.
- Monitor usage. Check the dashboard for unexpected spikes.
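One way to apply the expiration and key-handling guidance above on a server, as an added example (not PARSEKIT's own code): the API key is read from the environment, exchanged at /authorize, and the token is reused until shortly before `expires_in` runs out. The variable name `PARSEKIT_API_KEY`, the 60-second refresh margin and the injectable `authorize` and `clock` parameters are assumptions made for this sketch.

```python
import json
import os
import time
import urllib.request

AUTHORIZE_URL = "https://api.parsekit.dev/authorize"  # endpoint named on this page
REFRESH_MARGIN = 60  # assumption: renew 60 s early so no request carries a dying token


def post_authorize(api_key):
    """POST the API key to /authorize and return the decoded JSON body."""
    req = urllib.request.Request(
        AUTHORIZE_URL,
        data=json.dumps({"api_key": api_key}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Keeps the API key server-side and hands out a currently valid bearer token."""

    def __init__(self, api_key=None, authorize=post_authorize, clock=time.monotonic):
        # PARSEKIT_API_KEY is a hypothetical variable name, not one the page defines.
        self._api_key = api_key or os.environ["PARSEKIT_API_KEY"]
        self._authorize = authorize
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def token(self):
        """Return the cached token, exchanging the API key only when needed."""
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN:
            body = self._authorize(self._api_key)
            if body.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in /authorize response")
            self._token = body["access_token"]
            self._expires_at = self._clock() + int(body["expires_in"])
        return self._token

    def invalidate(self):
        """Call after a 401 'unauthorized' so the next request re-authorizes."""
        self._token = None

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}

    def __repr__(self):
        return "TokenCache(<redacted>)"  # keep the key and token out of logs
```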
Error Responses
| Status | Error | Description |
|---|---|---|
| 401 | unauthorized | Missing, invalid, or expired bearer token |
| 401 | invalid_api_key | API key not recognized on /authorize |
| 429 | rate_limited | Too many requests, back off and retry |