API Keys are the simplest way to authenticate requests to the Lumin API. They are long-lived credentials that you include on each request. API Keys are best suited for server-to-server integrations and backend automation where individual user authorization is not required.
Generate an API key
You must be a Workspace Owner to create API Keys.
Use your API key
You can pass your API key to the Lumin API in two ways:
- X-API-KEY header
- HTTP Basic Auth
Pass the key in the X-API-KEY request header:
Multiple API keys
Each Lumin account can have up to 4 active API Keys at a time. All active keys are valid and can be used in parallel — useful during key rotation or when multiple services need separate credentials. One key can be designated as the Primary Key. The Primary Key is used to generate HMAC signatures for verifying webhook event payloads. If you change which key is primary, update your webhook signature verification logic accordingly.
Key rotation
Rotate your API Keys regularly to limit the impact of accidental exposure.
Verify the new key works
Confirm your integration is authenticating successfully with the new key before proceeding.
Rotate keys at least every 6 months as a routine practice. Rotate immediately if you suspect a key has been exposed or compromised.
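
An added example, not Lumin's own code: one way to keep webhook signature verification working while the Primary Key changes, by checking each payload against the new Primary Key and, for a short window, the previous one. The page does not state the signature format, so HMAC-SHA256 over the raw request body with a hex digest is an assumption, and the function names, keys and payload are constructed.

```python
import hashlib
import hmac
from typing import Optional, Sequence


def sign_payload(key: str, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body (assumed scheme, not taken from the page)."""
    return hmac.new(key.encode(), body, hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, signature: str,
                   candidate_keys: Sequence[str]) -> Optional[int]:
    """Return the index of the key that produced `signature`, or None.

    candidate_keys: the current Primary Key first, then the previous Primary
    Key, kept only until the rotation is finished. `body` must be the raw
    bytes as received, before any JSON parsing or re-serialisation.
    """
    received = signature.strip().lower().encode()
    matched = None
    for index, key in enumerate(candidate_keys):
        expected = sign_payload(key, body).encode()
        # compare_digest avoids leaking the match position through timing;
        # every candidate is checked so the loop does not exit early.
        if hmac.compare_digest(expected, received) and matched is None:
            matched = index
    return matched


def demo() -> dict:
    # Constructed sample values; real keys belong in a secret manager.
    old_key, new_key = "constructed-old-primary", "constructed-new-primary"
    body = b'{"event":"example.event","id":"constructed-1"}'
    sig_old, sig_new = sign_payload(old_key, body), sign_payload(new_key, body)
    return {
        "new_sig_during_rotation": verify_webhook(body, sig_new, [new_key, old_key]),
        "old_sig_during_rotation": verify_webhook(body, sig_old, [new_key, old_key]),
        "old_sig_after_cleanup": verify_webhook(body, sig_old, [new_key]),
        "tampered_body": verify_webhook(body + b" ", sig_new, [new_key, old_key]),
    }


if __name__ == "__main__":
    print(demo())
```

A match at index 1 means a payload was still signed with the previous Primary Key; once those stop appearing, drop the old key from the list and delete it.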
Security best practices
- Store API Keys in a secret manager such as AWS Secrets Manager, HashiCorp Vault, or GCP Secret Manager — not in environment files committed to source control.
- Never embed API Keys in mobile apps, browser-based JavaScript, or any client-side code.
- Use separate keys for separate services or environments so you can rotate or revoke them independently.
- Always verify a new key works before deleting the old one.
- For applications where individual users authorize access to their own data, use OAuth 2.0 instead of sharing a single API Key.