Processing sensitive data and documents with PDF.co API
PDF.co provides a set of security features to protect your sensitive data and documents. Please review the list below and use these features to protect your data.
Use Encryption and Decryption of Input and Output Files
While input files and uploaded files are transmitted over HTTPS with SSL and stored in the enrypted at rest cloud storage, PDF.co API also provides a set of additional encryption and decryption options to protect your data even further.
PDF.co API supports AES128, AES192, and AES256 encryption algorithms. You can use these algorithms to encrypt your files before sending them to PDF.co API for processing. Or you can use these algorithms to decrypt files after PDF.co API processing.
See User-Controlled Encryption and Decryption Options for more details.
Enable Auto-Redaction of Sensitive Data in API Logs
Passwords and other sensitive params are automatically redacted from your input parameters and replaced with [FILTERED]
before saving into logs. In addition, you can enable so called API Logs Strict Mode
to additionally redact all input urls, output urls, output body (like objects), input template data and inline extracted data.
To enable this mode, please enable it from Account Security page.
This is how request and response will look like with Strict Mode enabled:
pdf/edit/add
Request POST body
{
"url": "[FILTERED]",
"async": true,
"annotations": "[FILTERED]",
"templatedata": "[FILTERED]"
}
Response body
200
{
"url": "[FILTERED]",
"name": "[FILTERED]",
"error": false,
"jobid": "6HYYKGB2OXP69WWBYJKBYZZ9RBS5Q5T0--31-200",
"status": 200,
"credits": 21,
"duration": 3,
"remainingcredits": 139595183
}
Use PDF Security Features
PDF.co API provides a set of pdf files security features to add passwords, disable content copying or extraction. See pdf/security/add
and pdf/security/remove
API methods for more details.
IMPORTANT: while pdf documents can be protected with password, for sensitive data we recommend to also leverage user-controlled encryption and decryption features described above.
Adjust Output File Storage Expiration
Output files generated by PDF.co API and files uploaded into PDF.co are stored in the encrypted at rest cloud storage. Links to these files are returned in the API response and generated using highly randominzed UUIDs with additional digital signature to prevent tampering.
Output files are stored for 60
minutes (1 hour) by default. You can decrease or extend this period from 1 minute to 24 hours by setting expiration
parameter on the API call.
You can also remove output files from the cloud storage by calling file/delete
API method.
When Using Input Urls from Protected Locations
PDF.co API accepts urls to publicly accessible links but it can also access files protected with HTTP Basic Auth or HTTP Digest Auth. Use httpUsername
and httpPassword
parameters to set username and password required to access files. You can also upload files directly into PDF.co API using file/upload
API method.
Privatly accessible Google Drive/Dropbox/Box links are not currently supported. You need to generate a public Anyone with a link can view
link to use these files as input urls for PDF.co API.
Use Built-in Secure PDF.co File Storage Instead of Publicly Accessible URLs
PDF.co includes built-in file storage to store your templates and files that you plan to re-use as input files for API. You can upload your files at https://app.pdf.co/files and then use them as input urls for API calls via a special file tokens: filetoken://
These file tokens are accessible and available for use within PDF.co API only.
Do not use cache:
prefix for input urls
PDF.co API supports cache:
prefix for input urls to cache files in the cloud storage. This is useful for files that you plan to re-use as input files for API calls especially when these files are stored on Google Drive or similar cloud services that are limiting number of requests. However, this feature is not intended to be used for sensitive data. Please do not use cache:
prefix for input urls that contain sensitive data.
Restrict access to your account from specific IP addresses
To restrict access to your account from specific IP addresses, please add them to the Allowed IP Addresses
list on the Account Security page.