Authentication

Keys for APIs, tokens for dashboards

BOL extraction uses API keys. Dashboard and admin actions use short-lived JWT access tokens with server-side role checks.

API requests

Pass the API key in every extraction request.

curl -X POST https://api.bolscan.app/api/v1/extract \
  -H "X-API-Key: bs_your_key_here" \
  -F "file=@bol.pdf"

Key Lifecycle

Prefix: Keys start with bs_
Storage: Only SHA-256 hashes are stored
Visibility: Full key is shown once
Limit: 5 active keys per user
Revocation: Keys can be disabled instantly
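
The lifecycle rules above, sketched as server-side logic. This is an added example, not BOLScan's own code: the KeyStore class, its in-memory dict, the random key body after the bs_ prefix, and revocation by digest are all assumptions made for illustration.

```python
import hashlib
import secrets

PREFIX = "bs_"        # from the page
MAX_ACTIVE_KEYS = 5   # from the page


class KeyStore:
    """In-memory stand-in for a key table (hypothetical)."""

    def __init__(self):
        # sha256 hex digest -> {"user": str, "active": bool}; no plaintext keys
        self._rows = {}

    @staticmethod
    def digest(key: str) -> str:
        # Unsalted SHA-256 is acceptable only because keys are long random
        # values; it would not be acceptable for user-chosen passwords.
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, user: str) -> str:
        active = sum(1 for r in self._rows.values()
                     if r["user"] == user and r["active"])
        if active >= MAX_ACTIVE_KEYS:
            raise PermissionError("active key limit reached")
        key = PREFIX + secrets.token_urlsafe(32)  # body format is assumed
        self._rows[self.digest(key)] = {"user": user, "active": True}
        return key  # the only time the full key exists server-side

    def revoke(self, key_digest: str) -> None:
        # Revoked rows stay in the table so a disabled key is still
        # recognised and rejected rather than treated as unknown.
        self._rows[key_digest]["active"] = False

    def authenticate(self, presented: str):
        """Return the owning user, or None if the key is invalid or revoked."""
        if not presented.startswith(PREFIX):
            return None
        row = self._rows.get(self.digest(presented))
        if row is None or not row["active"]:
            return None
        return row["user"]
```

Because only the digest is stored, a lost key cannot be recovered from the table; the user has to revoke it and issue a new one.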

Dashboard Tokens

Access token: Valid for 60 minutes
Refresh token: Valid for 30 days
Header: Authorization: Bearer <token>
Refresh path: POST /auth/refresh
Security: Checked server-side

Production API access

Start in sandbox, request production when your workflow is ready

Use sandbox keys for integration tests. Production upgrades are reviewed with your expected BOL volume, storage needs, and webhook rollout plan.

Surface | Credential | Header
Extraction API | API key | X-API-Key
Dashboard | JWT access token | Authorization: Bearer <token>
Admin routes | JWT access token | Authorization: Bearer <token>