Skip to main content

What are API Tokens?

API tokens are authentication credentials that allow you to access Documenso programmatically through the API. They enable automation, integrations, and building custom workflows.

Benefits of API Tokens

Automation

  • Automatically create and send documents
  • Integrate with your existing systems
  • Build custom workflows
  • Automate repetitive tasks

Integration

  • Connect Documenso to other tools
  • Sync data between systems
  • Build custom applications
  • Extend Documenso functionality

Security

  • No need to share passwords
  • Scoped to specific teams
  • Can be revoked independently
  • Expiration dates for added security

API Token Basics

Token Scope

API tokens are scoped to teams:
  • Each token belongs to a specific team
  • Token has access to that team’s resources
  • Can create documents, access templates, etc.
  • Cannot access other teams’ data

Token Permissions

Tokens can perform most API operations:
  • Create documents: Upload and create new documents
  • Send documents: Send documents to recipients
  • Retrieve documents: Get document details and status
  • Download documents: Download completed PDFs
  • Manage recipients: Add and configure recipients
  • Place fields: Add signature and form fields
  • Access templates: Use team templates
  • Webhooks: Configure webhooks (if admin)
API tokens cannot perform administrative actions like creating teams, managing members, or modifying organization settings. Only team admins can create API tokens.

Creating an API Token

1

Navigate to Settings

Go to your team settings page and click on API Tokens or Tokens.
2

Click Create Token

Click the Create Token or New Token button.
3

Enter Token Details

Provide:
  • Token Name: Descriptive name for the token
  • Expiration Date (optional): When the token should expire
4

Create Token

Click Create to generate the token.
5

Copy Token

Copy the token immediately and store it securely.
The token is only shown once when created. Copy it immediately and store it securely. If you lose the token, you’ll need to create a new one.

Token Name

Choose a descriptive name:
  • Good: “Production Integration”, “GitHub Actions CI/CD”, “Analytics Dashboard”
  • Bad: “Token 1”, “Test”, “API”
Naming Tips:
  • Indicate the purpose or use case
  • Include the integration or system name
  • Mention environment (production, staging, dev)
  • Date of creation if rotating regularly

Token Expiration

Set an expiration date for security: Recommended Expiration Periods:
  • 30 days: For testing and development
  • 90 days: For production with regular rotation
  • 1 year: For long-term integrations (rotate annually)
  • No expiration: Only for trusted, long-term integrations (not recommended)
Setting expiration dates is a security best practice. You’ll receive notifications before tokens expire, giving you time to create replacements.

Storing Your Token

Secure Storage Methods:
  • Environment variables on your server
  • Secure secret management services (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)
  • Password managers for small-scale use
  • CI/CD platform secret stores (GitHub Secrets, GitLab CI Variables)
Never:
  • ❌ Commit tokens to Git repositories
  • ❌ Share tokens in chat or email
  • ❌ Store in plain text files
  • ❌ Include in frontend code

Using API Tokens

Authentication

Include your token in API requests: Authorization Header: 
Authorization: Bearer YOUR_TOKEN_HERE
Example cURL Request: 
curl -X GET \
  https://api.documenso.com/v1/documents \
  -H 'Authorization: Bearer YOUR_TOKEN_HERE'
Example JavaScript: 
fetch('https://api.documenso.com/v1/documents', {
  headers: {
    'Authorization': 'Bearer YOUR_TOKEN_HERE',
    'Content-Type': 'application/json'
  }
})

API Documentation

For full API documentation:

Managing API Tokens

Viewing Tokens

See all your team’s API tokens:
  1. Go to team settings
  2. Navigate to API Tokens
  3. View list of all tokens
For each token, you can see:
  • Token name
  • Creation date
  • Expiration date (if set)
  • Last used date (coming soon)
  • Created by (which team member)

Revoking Tokens

Delete tokens that are no longer needed:
1

Go to API Tokens

Navigate to team settings > API Tokens.
2

Find Token

Locate the token you want to revoke.
3

Click Delete

Click the Delete or Revoke button.
4

Confirm Deletion

Confirm that you want to delete the token.
Revoking a token immediately stops all API requests using that token. Ensure no active integrations are using the token before deleting.
When to Revoke Tokens:
  • Token was exposed or compromised
  • Integration is no longer used
  • Team member who created it left
  • Replacing with a new token
  • Regular security rotation

Token Rotation

Regularly rotate tokens for security:
1

Create New Token

Create a replacement token with the same or similar name.
2

Update Integrations

Update all systems using the old token to use the new one.
3

Test

Verify all integrations work with the new token.
4

Revoke Old Token

Delete the old token after confirming the new one works.
Recommended Rotation Schedule:
  • High-security environments: Every 30-90 days
  • Standard environments: Every 6-12 months
  • After security incidents: Immediately
  • When team members leave: As soon as possible

Token Security Best Practices

Creation and Storage

Do:
  • ✅ Create separate tokens for each integration
  • ✅ Use descriptive names to track usage
  • ✅ Set expiration dates when possible
  • ✅ Store tokens in secure secret management systems
  • ✅ Use environment variables, not hard-coded values
Don’t:
  • ❌ Share tokens between multiple integrations
  • ❌ Commit tokens to version control
  • ❌ Store tokens in plain text
  • ❌ Send tokens via email or chat
  • ❌ Include tokens in client-side code

Usage

Do:
  • ✅ Use HTTPS for all API requests
  • ✅ Implement token refresh/rotation
  • ✅ Monitor token usage and activity
  • ✅ Limit token access to necessary systems
  • ✅ Log API errors and failures
Don’t:
  • ❌ Log tokens in application logs
  • ❌ Include tokens in error messages
  • ❌ Use tokens in URLs or query parameters
  • ❌ Share tokens across environments (prod/dev/staging)

Management

Do:
  • ✅ Regularly audit active tokens
  • ✅ Revoke unused or old tokens
  • ✅ Rotate tokens on a schedule
  • ✅ Document what each token is used for
  • ✅ Revoke immediately if compromised
Don’t:
  • ❌ Keep unnecessary tokens active
  • ❌ Use expired but not-yet-deleted tokens
  • ❌ Grant token access to untrusted systems
  • ❌ Ignore expiration notifications

Common Use Cases

Automated Document Generation

Create and send documents automatically: 
// Example: Create document from template
const response = await fetch('https://api.documenso.com/v1/templates/123/create', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${API_TOKEN}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    recipients: [
      { email: '[email protected]', name: 'John Doe', role: 'SIGNER' }
    ]
  })
});

Integration with CRM

Sync document status to your CRM: 
// Example: Get document status
const response = await fetch(`https://api.documenso.com/v1/documents/${documentId}`, {
  headers: {
    'Authorization': `Bearer ${API_TOKEN}`
  }
});

const document = await response.json();
// Update CRM with document.status

Bulk Document Sending

Send the same document to multiple recipients: 
// Example: Bulk send from template
for (const recipient of recipients) {
  await fetch('https://api.documenso.com/v1/templates/123/create', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${API_TOKEN}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      recipients: [{ email: recipient.email, name: recipient.name, role: 'SIGNER' }]
    })
  });
}

Webhook Integration

Receive real-time updates:
  1. Create API token
  2. Set up webhook endpoint in team settings
  3. Use webhook events to trigger actions
  4. Use API token to fetch additional details when needed

Team Role Requirements

Creating Tokens

Only certain roles can create API tokens:
  • Team Admin: Can create and manage all team tokens
  • Team Manager: Cannot create tokens
  • Team Member: Cannot create tokens
If you’re a Team Manager or Member and need API access, contact your Team Admin to create a token for your use case.

Viewing Tokens

  • Team Admin: Can view and manage all tokens
  • Team Manager: Can view tokens (may vary by implementation)
  • Team Member: Cannot access token settings

Troubleshooting

Token Not Working

Possible Causes:
  • Token expired
  • Token was revoked
  • Token not included in request
  • Incorrect token format
  • Insufficient permissions
Solutions:
  • Check if token has expired
  • Verify token hasn’t been deleted
  • Ensure Authorization: Bearer TOKEN header is set
  • Verify token string is complete (no extra spaces/characters)
  • Confirm token belongs to the correct team

401 Unauthorized Error

Possible Causes:
  • Invalid token
  • Token doesn’t have access to requested resource
  • Token belongs to different team
Solutions:
  • Verify token is correct and active
  • Check that you’re accessing resources from the token’s team
  • Ensure token hasn’t been revoked
  • Try creating a new token

403 Forbidden Error

Possible Causes:
  • Token lacks necessary permissions
  • Attempting admin-only operations
  • Team doesn’t have access to feature
Solutions:
  • Verify the operation is supported by API tokens
  • Check team subscription and feature access
  • Use admin credentials for admin operations

Token Creation Failed

Possible Causes:
  • Not a team admin
  • Team limit reached
  • Invalid token parameters
Solutions:
  • Verify you have Team Admin role
  • Check if team has hit token limit
  • Ensure token name is valid
  • Try again or contact support

API Rate Limits

API tokens are subject to rate limits:
  • Limits apply per token
  • Vary by subscription plan
  • Exceeded limits return 429 status
  • Rate limit headers indicate remaining quota
Best Practices:
  • Implement rate limit handling
  • Use exponential backoff for retries
  • Cache responses when appropriate
  • Monitor usage to stay within limits

Next Steps

Build docs developers (and LLMs) love

Get started for freeTalk to us