Authentication

Docyard uses API key authentication for all endpoints. This guide explains how to authenticate as a distributor or collector.

API Key Authentication

All API requests require authentication headers:

curl -X POST https://api.docyard.io/v1/ramp/artifacts \
  -H "X-API-Key: your_api_key" \
  -H "X-API-Secret: your_api_secret" \
  -H "Content-Type: application/json" \
  -d '{ ... }'

Authentication Headers

Header	Description	Example
`X-API-Key`	Your API key	`dk_live_xxxxxxxxxxxx`
`X-API-Secret`	Your API secret	`dk_secret_xxxxxxxxxxxx`

Key Types

Distributor Keys

Obtained when creating a ramp:

{
  "ramp_id": "ramp-abc123",
  "api_key": "dk_live_dist_xxxxxxxxxxxx",
  "api_secret": "dk_secret_dist_xxxxxxxxxxxx"
}

Prefix: dk_live_dist_ (production) or dk_test_dist_ (sandbox)

Collector Keys

Obtained when creating a dock:

{
  "dock_id": "dock-xyz789",
  "api_key": "dk_live_coll_aaaaaaaa",
  "api_secret": "dk_secret_coll_bbbbbbbb"
}

Prefix: dk_live_coll_ (production) or dk_test_coll_ (sandbox)

Authentication Errors

Missing Credentials

{
  "error": "authentication_required",
  "message": "API key and secret are required"
}

Invalid Key

{
  "error": "invalid_api_key",
  "message": "The provided API key is invalid"
}

Invalid Secret

{
  "error": "invalid_api_secret",
  "message": "The provided API secret is incorrect"
}

Expired Keys

{
  "error": "api_key_expired",
  "message": "The API key has expired. Please rotate your keys."
}

Revoked Keys

{
  "error": "api_key_revoked",
  "message": "The API key has been revoked"
}

Key Rotation

Rotate your API keys regularly for security.

Rotate Distributor Keys

curl -X POST https://api.docyard.io/v1/ramps/ramp-abc123/rotate-keys \
  -H "X-API-Key: dk_live_dist_xxxxxxxxxxxx" \
  -H "X-API-Secret: dk_secret_dist_xxxxxxxxxxxx"

Response:

{
  "new_api_key": "dk_live_dist_yyyyyyyyyyyy",
  "new_api_secret": "dk_secret_dist_yyyyyyyyyyyy",
  "old_key_expires_at": "2026-03-16T10:30:00Z"
}

Rotate Collector Keys

curl -X POST https://api.docyard.io/v1/docks/dock-xyz789/rotate-keys \
  -H "X-API-Key: dk_live_coll_aaaaaaaa" \
  -H "X-API-Secret: dk_secret_coll_bbbbbbbb"

Environment-Based Keys

Production Keys

dk_live_*

Used for real transactions
Rate limits apply
Full access

Test/Sandbox Keys

dk_test_*

Used for development
Higher rate limits available
Test data only

Best Practices

1. Store Keys Securely

Never commit API keys to version control:

# .gitignore
api_keys.txt
.env

Use environment variables:

export DOCYARD_API_KEY="dk_live_xxxxxxxxxxxx"
export DOCYARD_API_SECRET="dk_secret_xxxxxxxxxxxx"

2. Use Separate Keys Per Environment

# Development
export DOCYARD_API_KEY="dk_test_dist_xxxxxxxxxxxx"

# Production
export DOCYARD_API_KEY="dk_live_dist_xxxxxxxxxxxx"

3. Rotate Keys Regularly

Set a calendar reminder to rotate keys every 90 days.

4. Limit Key Scope

Use the least permissive keys necessary. Distributor keys shouldn’t be used for collector actions and vice versa.

Code Examples

Node.js

const docyard = require('docyard-sdk');

const client = new docyard.Client({
  apiKey: process.env.DOCYARD_API_KEY,
  apiSecret: process.env.DOCYARD_API_SECRET
});

// Upload artifact
const artifact = await client.ramp.upload({
  templateId: 'tmpl-abc123',
  locks: {
    policy_number: { value: 'POL-12345678' }
  },
  threshold: 20,
  content: pdfBuffer
});

Python

import docyard

client = docyard.Client(
    api_key=os.environ['DOCYARD_API_KEY'],
    api_secret=os.environ['DOCYARD_API_SECRET']
)

# Upload artifact
artifact = client.ramp.upload(
    template_id='tmpl-abc123',
    locks={
        'policy_number': {'value': 'POL-12345678'}
    },
    threshold=20,
    content=pdf_bytes
)

Go

import "github.com/docyard/docyard-go"

client := docyard.NewClient(
    os.Getenv("DOCYARD_API_KEY"),
    os.Getenv("DOCYARD_API_SECRET"),
)

// Upload artifact
artifact, err := client.Ramp.Upload(&docyard.UploadRequest{
    TemplateID: "tmpl-abc123",
    Locks: map[string]LockValue{
        "policy_number": {Value: "POL-12345678"},
    },
    Threshold: 20,
    Content:   pdfBytes,
})

Rate Limits

Rate limits are applied per API key:

Endpoint Type	Limit	Window
Upload (distributor)	100	per minute
Search (collector)	300	per minute
Retrieve (collector)	100	per minute

When rate limited, you’ll receive:

{
  "error": "rate_limit_exceeded",
  "message": "Too many requests. Please retry after 60 seconds.",
  "retry_after": 60
}

Next Steps

Errors - Error handling
API Reference - Full API documentation

Get Started

Core Concepts

Guides

Industry Examples

API Reference

Artifact Types

Ramps (Distributor)

Docks (Collector)

Artifacts

Audit

Design Discussion

Admin

​Authentication

​API Key Authentication

​Authentication Headers

​Key Types

​Distributor Keys

​Collector Keys

​Authentication Errors

​Missing Credentials

​Invalid Key

​Invalid Secret

​Expired Keys

​Revoked Keys

​Key Rotation

​Rotate Distributor Keys

​Rotate Collector Keys

​Environment-Based Keys

​Production Keys

​Test/Sandbox Keys

​Best Practices

​1. Store Keys Securely

​2. Use Separate Keys Per Environment

​3. Rotate Keys Regularly

​4. Limit Key Scope

​Code Examples

​Node.js

​Python

​Go

​Rate Limits

​Next Steps