Authentication
The DocPeel API uses bearer-token authentication. Every request must include an Authorization header with a valid API key.
Generate an API key
- Open the API Keys page in your dashboard.
- Click Create key and give it a memorable name (e.g.
production-webhook). - Copy the key immediately — it is shown only once.
Keys look like dpk_live_•••••••••••• and are scoped to a single workspace.
Send authenticated requests
Add the key to the Authorization header on every request:
curl https://api.docpeel.com/v1/me \
-H "Authorization: Bearer dpk_live_••••••••••••"The x-api-key header is also accepted as a fallback.
Scopes
Each key is granted one or more scopes:
| Scope | Allows |
|---|---|
extractions:read | Retrieve extractions. |
extractions:write | Create new extractions (also implies read). |
Rotating & revoking
From the dashboard you can revoke a key (immediately disables it) or delete it entirely. Revoked keys remain visible for audit purposes for 90 days, with their full request log preserved.
Best practices
- Store keys in environment variables — never commit them to source control.
- Use a separate key per environment (dev / staging / production).
- Rotate keys at least every 90 days.
- If a key is leaked, revoke it immediately and audit the request log.