Authentication
Use this page when you need to create a BF export API key, send the correct auth header, or diagnose request failures before job processing starts.
How Access Works
The public Bulk Fill export-job API uses BF export API keys sent as Bearer tokens:
Authorization: Bearer doqlo_bfexp_<public_id>.<secret>
Current base URL:
https://api.doqlo.com
POST /v1/bulkfill/export-jobs requires the Idempotency-Key header.
X-Request-Id is optional and used only for request tracing and support
correlation, not idempotency. Read-only GET requests do
not require either header.
Create A BF Export API Key
Create and manage BF export API keys from your authenticated Doqlo account page.
Current key rules:
- API keys are available on
Free,Business, andScale - Free, Business, and Scale use the same Public API surface
- plan limits still apply to monthly quota and source PDF size
- the full secret is shown only once at creation time
- current TTL options are
30,90,180, or365days - an account can hold up to
5non-expired, non-revoked keys - the account page keeps all active keys visible and shows only the
5most recent non-active keys in its history section
Account-side API key management routes have their own mutation limits and abuse safeguards. These are separate from the public export-job API rate limits. Repeated key create or revoke requests may be throttled.
Send The Auth Header
Example request headers:
Authorization: Bearer doqlo_bfexp_<public_id>.<secret>
Idempotency-Key: 2f6403c7-4e52-4c7b-b435-96542ccbf4bc
X-Request-Id: support-create-001
If you omit X-Request-Id, Doqlo generates one and returns it in the response
header.
Minimal authenticated request example:
curl https://api.doqlo.com/v1/bulkfill/export-jobs/$JOB_ID \
-H "Authorization: Bearer $DOQLO_BF_EXPORT_API_KEY"
Common Authentication Failures
| Code | HTTP status | Meaning |
|---|---|---|
BF_EXPORT_API_KEY_REQUIRED | 401 | Missing header or malformed Bearer format |
BF_EXPORT_API_KEY_INVALID | 401 | Token was parsed but did not verify |
BF_EXPORT_API_KEY_REVOKED | 403 | Key was revoked |
BF_EXPORT_API_KEY_EXPIRED | 403 | Key expired |
BF_EXPORT_API_KEY_INACTIVE | 403 | Key exists but the account is not currently eligible for API use; this is a fallback state, not the normal behavior for current standard Free, Business, or Scale plans |
RATE_LIMITED | 429 | Request hit a configured public API rate limit |
Security Guidance
- Keep BF export API keys on the server side.
- Do not hardcode keys into browser code or mobile apps.
- Do not commit keys to Git or store them in shared chat logs.
- Rotate keys if a secret is exposed.
- Revoke keys you no longer use.
Read Next
- API Quickstart for the first working create request
- Idempotency for the create retry and tracing contract
- Error Handling for request failure diagnosis
- API Reference for auth requirements by endpoint
- Security & Data Handling for account, key, and shared-responsibility guidance
- Plans & Limits for current API limits