Password-Protecting and Decrypting PDFs via API
PDF Encryption Overview
PDF supports two protection mechanisms:
- User password (also called "open password") — required to open the document
- Owner password (also called "permissions password") — controls what the opener can do (print, copy, edit)
AES-256 is the current standard. Older RC4-based encryption is insecure and should not be used.
Encrypting a PDF
curl -X POST https://api.toolkitapi.io/v1/pdf/encrypt \
  -H "X-API-Key: $API_KEY" \
  -F "file=@report.pdf" \
  -F "user_password=open123" \
  -F "owner_password=admin456" \
  -F "allow_printing=true" \
  -F "allow_copying=false" \
  --output report_protected.pdf
Permission Flags
| Permission | Effect when disabled |
|---|---|
| allow_printing | Document cannot be printed |
| allow_copying | Text and images cannot be copied |
| allow_editing | Content cannot be modified |
| allow_annotations | Comments/forms cannot be added |
Decrypting a PDF
curl -X POST https://api.toolkitapi.io/v1/pdf/decrypt \
  -H "X-API-Key: $API_KEY" \
  -F "file=@report_protected.pdf" \
  -F "password=open123" \
  --output report_unlocked.pdf
Only use this endpoint to remove protection from documents you own or have authorisation to decrypt.
Key Management
Don't hardcode PDF passwords in source code. Store them in a secrets manager (AWS Secrets Manager, HashiCorp Vault, Kubernetes Secrets) and inject them at runtime.
Checking Encryption Status
curl -X POST https://api.toolkitapi.io/v1/pdf/info \
  -H "X-API-Key: $API_KEY" \
  -F "file=@report_protected.pdf"

{
  "encrypted": true,
  "encryption_algorithm": "AES-256",
  "has_user_password": true,
  "has_owner_password": true,
  "pages": 12
}
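The info response above can drive a fail-closed policy gate before a document is released. The Python check below is an added example, not part of the original page or the API's own tooling: it accepts only AES-256, following the overview's note on RC4, and flags documents that have no user password. The function name, the sample file names and the "RC4-128" value are assumptions; the first sample is the response shown above.

```python
import json

# Policy from the overview: AES-256 is acceptable, RC4-based encryption is not.
ALLOWED_ALGORITHMS = ("AES-256",)


def check_pdf_info(raw_response, require_user_password=True):
    """Return policy violations for one /v1/pdf/info response body (hypothetical helper).

    An empty list means the document passes. Missing or malformed fields
    count as failures (fail closed) instead of being assumed safe.
    """
    try:
        info = json.loads(raw_response)
    except json.JSONDecodeError as exc:
        return [f"response is not valid JSON: {exc.msg}"]
    if not isinstance(info, dict):
        return ["response is not a JSON object"]

    # `is not True` also rejects absent keys and non-boolean values such as "true".
    if info.get("encrypted") is not True:
        return ["document is not encrypted"]

    problems = []
    algorithm = info.get("encryption_algorithm")
    if algorithm not in ALLOWED_ALGORITHMS:
        problems.append(f"encryption algorithm {algorithm!r} is not allowed")
    if require_user_password and info.get("has_user_password") is not True:
        problems.append("no user password: the document opens without a password")
    return problems


# Constructed sample responses. The first is the response shown on the page;
# "RC4-128" is an assumed spelling for a legacy algorithm value.
SAMPLES = {
    "report_protected.pdf": '{"encrypted": true, "encryption_algorithm": "AES-256", '
                            '"has_user_password": true, "has_owner_password": true, "pages": 12}',
    "legacy.pdf": '{"encrypted": true, "encryption_algorithm": "RC4-128", '
                  '"has_user_password": true, "has_owner_password": true, "pages": 3}',
    "owner_only.pdf": '{"encrypted": true, "encryption_algorithm": "AES-256", '
                      '"has_user_password": false, "has_owner_password": true, "pages": 5}',
    "plain.pdf": '{"encrypted": false, "pages": 1}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        violations = check_pdf_info(body)
        print(f"{name}: {'; '.join(violations) or 'OK'}")
```

Pass `require_user_password=False` for documents that are meant to open freely and rely on the owner password for permission flags only.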