guideExport to PDF On-Premises authorization

To enable authorization, set the SECRET_KEY environment variable during the installation.

If the SECRET_KEY variable is set, then all requests must have a header with a JWT (JSON Web Token) signed with this key. The token should be passed as a value of the Authorization header for each request sent to the Export to PDF REST API.

If you do not set up any SECRET_KEY during the installation, then Export to PDF On-Premises will not require any headers with tokens when sending requests to the Export to PDF REST API. However, we do not recommend skipping authorization when running Export to PDF On-Premises in a public network.

# Generating the token

We highly recommend using the libraries listed on to generate the token. The token is considered valid, when:

  • it is signed with the same SECRET_KEY as passed to the Export to PDF On-Premises instance,
  • it was created within the last 24 hours,
  • it is not issued in the future (e.i. the iat timestamp cannot be newer than the current time),
  • it has not expired yet.

Tokens for the Export to PDF On-Premises do not require any additional claims such as the environment ID (which is specific for Collaboration Server On-Premises), so you can create the token with an empty payload.

If your use case involves sending requests from your backend server, then you can generate JWT tokens locally, as it is done in our request example.

In the case of editor plugins or other frontend usages, you should create a token endpoint, that returns a valid JWT token for authorized users. Here you can find an example of a endpoint implementation.

# Using editor plugins

Plugins for CKEditor 4 and CKEditor 5 will automatically request the token from the given tokenUrl variable and set the Authorization header when making an export request. Refer to the CKEditor 4 configuration guide or CKEditor 5 configuration guide for details on adding the Export to PDF feature to your WYSIWYG editor!

# Request example with an Authorization header

The following example presents a request that generates valid JWT token and sets it as Authorization header:

const fs = require( 'fs' );
const jwt = require( 'jsonwebtoken' );
const axios = require( 'axios' );

const SECRET_KEY = 'secret';

const token = jwt.sign( {}, SECRET_KEY, { algorithm: 'HS256' } );

const data = {
   html: "<p>I am a teapot</p>",
   css: "p { color: red; }",

const config = {
   headers: {
      'Authorization': token
   responseType: 'arraybuffer',
}; 'http://localhost:8080/v1/convert', data, config )
   .then( response => {
      fs.writeFileSync('./file.pdf',, 'binary');
   } ).catch( error => {
      console.log( error );
   } );

SECRET_KEY it’s the key which has been passed to the Export to PDF On-Premises instance

Please refer to the Export to PDF REST API documentation to start using the service.

Note: If you use API clients like Postman or Insomnia, then set the JWT token as an Authorization header in the Headers tab. Do not use the built-in token authorization as this will generate invalid header with a Bearer prefix added to the token.