Skip to main content
All protected DocInject API endpoints require a Bearer token in the Authorization request header. DocInject supports two token types: API keys for server-to-server integrations, and session tokens issued by the DocInject web app. For most integrations, you’ll use an API key.

Base URL

All API v1 endpoints are served from:

Token types

API keys are long-lived credentials you create in the DocInject dashboard. They’re designed for server-to-server integrations, CI pipelines, internal tooling, webhooks, and scripts that act on your organization’s behalf.
  • Created in Settings → API Keys
  • Never expire until you delete them
  • Scoped to your organization
  • The raw key value is shown only once at creation. Copy it immediately.
Session tokens are short-lived JWTs issued by the DocInject web application after a user logs in. The web app uses these automatically on every request.You don’t need session tokens to build integrations. Use an API key instead.

How to authenticate

Include your token as a Bearer value in the Authorization header on every request:
If the Authorization header is missing or malformed, the API returns:

Get your API key

1

Open Settings

In the DocInject dashboard, navigate to Settings → API Keys.
2

Create a new key

Click Create API key, give it a descriptive name (for example, ci-pipeline or zapier-integration), and confirm.
3

Copy immediately

The full key value is displayed only once. Copy it now and store it in a secrets manager or environment variable. DocInject does not store the raw key.
Keep your API keys secret. Never commit them to source control or expose them in client-side code. If a key is compromised, delete it immediately in Settings → API Keys and create a replacement.
Your organization’s org_slug appears in Settings → Organization. You’ll need it for org-scoped endpoints throughout the API.