Skip to main content


The DynamicPDF API values our client's security. On this page we outline the security in place to ensure your data is safe and never compromised.

DynamicPDF API protects your data both in transit and residing in your cloud storage space on DynamicPDF API. Your client's private data is never stored in our environment.


DynamicPDF does not recommend nor support calling any of the DynamicPDF API endpoints directly from an end-user's browser. DynamicPDF users that improperly secure API keys are liable for any excessive usage from improper key storage. Secure your DynamicPDF API key.

Additionally, we offer isolated environments for those who demand the highest level of security. DynamicPDF API ensures security by

  • using the HTTPS protocol,
  • requiring an authentication token on all endpoints,
  • allowing flexibility to assign different authentication tokens for different applications,
  • authentication and authorization for all users using the Dashboard,
  • never storing your data unless you explicitly decided to store it,
  • and never storing generated results from any endpoint calls.

Refer to the topic on Security in the pdf endpoint's Instructions schema for more information securing generated PDFs. PDF security is not discussed here.

Calling any of the DynamicPDF API endpoints is secure from the moment you make the request until the moment you receive the response.

  • The request is secure in route via HTTPS.
  • The data sent to the endpoint is not saved by DynamicPDF API.
  • DyamicPDF API does not save the PDF created by the endpoint; the PDF is returned immediately as binary data to the calling service.

HTTPS Endpoints

All of the DynamicPDF API's endpoints use the Hypertext Transfer Protocol Secure (HTTPS) for communication. HTTPS extends HTTP by using encryption for secure transmission. The encryption is accomplished using the Transport Layer Security (TLS).


All DynamicPDF API endpoints use HTTPS for communication. See Endpoint Zones for more information.

HTTPS ensures the privacy and integrity of exchanged data in transit, protecting your service from being eavesdropped or tampered with.


All DynamicPDF CloudAPI endpoints require an authentication token sent in the header of the HTTP request. DynamicPDF CloudAPI only processes requests with a valid token. For example, in the following cURL command, the Authorization:Bearer <your token> adds your token to a header named Authorization.

curl -X POST "" 
-H "accept: application/json"
-H "Authorization: Bearer <your token>"
-H "Content-Type: application/pdf"
--data-binary "@c:/holding/pdf-xmp/fw4.pdf"

You do not add the Bearer key word when using one of the client libraries.

Apps and API Keys

Create applications and API keys through the Apps and API Keys in the Dashboard.

The Apps and API Keys is where you add, regenerate, and remove API keys.

  • See Authentication for more information on adding your API key to your REST call's authorization header.
  • See Apps and API Keys for more documentation on working with authorization keys.

Never embed you authorization key in source code available on a platform like GitHub. Keep your API key secure.


Change your API key often through the Dashboard's Apps and API Keys. Be certain to notify other team members and modify apps accordingly.

DynamicPDF API Users

Only properly authenticated users can log into their DynamicPDF API account. Users have access to only portions of the Dashboard they are specifically granted access to.

You can add and remove users from your DynamicPDF API Account through the User Manager. You can add new users, remove users, and assign specific permissions.


Refer to the User Manager documentation for more information on users and user permissions.


Avoid storing API Keys, or any other sensitive information, on your user's browser at all costs. Even though the DynamicPDF API uses HTTPS to ensure secure communication, a user's browser remains unsecure and contains data an user can easily access.

The proper architecture for using DynamicPDF CloudAPI is as follows.

  • Your client's browser communicates with your server.
  • Your server communicates with the DynamicPDF API.
  • The DynamicPDF API returns response to your server.
  • Your server forwards the response to the client's browser.

You should not, however, use the following architecture. Do not send requests directly to a DynamicPDF API endpoint from a client browser.

Consider the following cURL request.

curl -H "Authorization:Bearer" 
-F "Instructions=@C:/temp/example/instructions.json"
-F "Resource=@c:/temp/example/DocumentA.pdf"
-o simple-out.pdf

The API key is embedded in the request. If you embed the key in a client-side browser code, then the key is visible to your users. The user could then use that key to call the DynamicPDF API using your DynamicPDF account and incur significant usage costs.

Custom Environments

We understand that despite our efforts to secure your organization's vital assets, there are situations where you still desire greater security. To recognize this security need, we also offer isolated and dedicated environments.


DynamicPDF API offers both isolated and dedicated environments.

For more information, contact or and someone can provide the details.