Authentication & Access

Enable the API, get your API key, set up authentication, and manage security.

Create an account to get your API key
You'll enable the API and manage your key from your account dashboard. Enable API access to get 50 free credits.

Getting started

Enable API access
Get your key and your first 50 credits.

Go to your Account → API access. Click "Enable API" to mint a long-lived key.

Your key starts with upc_live_ and is unique to your account. You'll receive 50 free credits to get started.

Keep your key safe.

Never commit keys to repos or expose them in client-side code. Rotate keys immediately if they're compromised. Old keys are revoked when you rotate.

Authentication

Authorization header
Use a Bearer token on every request.

Include this header with every API call:

Authorization: Bearer upc_live_xxx

Replace upc_live_xxx with your actual API key.

Base URL
All endpoints use the same base URL.
https://extraction-api.upcaret.com

Every response includes a requestId for tracing requests through logs.

Supported formats

Images and PDFs
Send one document per request.

Images: JPEG, PNG

Documents: PDF

You can send files via URL (fileUrl) or as base64-encoded content (fileBase64).

The Parse endpoint is optimized for receipts and invoices and supports images and PDFs. The Deskew endpoint works on image files only (JPEG, PNG). Parse automatically deskews images before processing, or you can call Deskew separately for preprocessing.

Key management

Rotating keys
Generate a new key and revoke the old one.

Visit Account → API access and click "Rotate" to generate a new key. The old key is revoked immediately and stops working.

If you think your key is exposed, rotate it right away. All compromised requests will be denied.

Best practices
  • ✓ Store keys in environment variables or secure vaults
  • ✓ Rotate keys regularly or after any suspected exposure
  • ✓ Use one key per environment (dev, staging, production)
  • ✓ Never share keys via chat, email, or public channels
  • ✗ Don't hardcode keys in source code
  • ✗ Don't expose keys in client-side applications

Errors & debugging

Error responses
Use requestId to trace issues.

API errors return consistent JSON responses:

{
  "error": "Unauthorized",
  "requestId": "7b4b44b0-34c2-4e65-8b65-6fe7c7d8e1a2"
}

Include the requestId when contacting support. It helps us track down issues quickly.

Need help?

Questions about access, keys, or authentication? Reach out anytime.