--- title: "Work with password-protected PDFs server-side | Nutrient" canonical_url: "https://www.nutrient.io/guides/document-engine/file-management/password-pdfs/" md_url: "https://www.nutrient.io/guides/document-engine/file-management/password-pdfs.md" last_updated: "2026-06-11T00:00:00.000Z" description: "Document Engine enables you to work with password-protected PDFs. You can provide password-protected PDFs as inputs for Document Engine’s operations." --- # Working with password-protected PDFs Document Engine enables you to work with password-protected PDFs. You can provide password-protected PDFs as inputs for Document Engine’s operations and password protect the output of these operations. ## PDF passwords PDF files can be protected with passwords to control who can access, modify, and print the contents of a document. PDFs are protected with two types of passwords: the owner password and the user password. - Owner password — This password allows the owner of the PDF file to modify the file and change its permissions. The owner can change the user password, as well as set or modify the user permissions that control what users can do with the file. - User password — This password allows a user to open the PDF file with a set of permissions defined by the owner of the file. These permissions control what the user can do with the file, such as view, print, copy, or modify the contents. The user password can be used to protect the PDF file from unauthorized access by preventing users from viewing or modifying the file without the password. ## Performing Document Engine operations on password-protected PDFs If a document is password protected, any operations performed on it require supplying a password. Document Engine’s Server API allows you to specify passwords via the `pspdfkit-pdf-password` HTTP header. The value of this header can be either a plain-text password or a Base64-encoded password in the form `base64:`. Use the Base64 encoding if your password contains characters that aren’t allowed in HTTP headers or that would be otherwise mangled (e.g. trailing or leading spaces). For example, to upload a password-protected PDF, use the following request: ```sh curl -X POST http://localhost:5000/api/documents \ -H "Authorization: Token token=" \ -H "pspdfkit-pdf-password: document-password" \ -F file=@/path/to/example-document.pdf ``` ## Performing build operations on password-protected PDFs To use a password-protected part in [Build API](https://www.nutrient.io/api/reference/document-engine/upstream/#tag/Build-API), provide the appropriate password in the `password` field of the `FilePart`. For example, to merge a password-protected PDF with an unprotected PDF document, use the following request: ### SHELL ```shell curl -X POST http://localhost:5000/api/build \ -H "Authorization: Token token=" \ -F document=@/path/to/example-document.pdf \ -F password-document=@/path/to/example-password-document.pdf \ -F instructions='{ "parts": [ { "file": "document" }, { "file": "password-document", "password": "123456" } ] }' \ -o result.pdf ``` ### HTTP ```http POST /api/build HTTP/1.1 Content-Type: multipart/form-data; boundary=customboundary Authorization: Token token= --customboundary Content-Disposition: form-data; name="document"; filename="example-document.pdf" Content-Type: application/pdf --customboundary Content-Disposition: form-data; name="password-document"; filename="example-password-document.pdf" Content-Type: application/pdf --customboundary Content-Disposition: form-data; name="instructions" Content-Type: application/json { "parts": [ { "file": "document" }, { "file": "password-document", "password": "123456" } ] } --customboundary-- ``` The PDF documents you create with `/api/build` are unprotected by default. For more information on setting a password for a document, see the guide on [`Output`](https://www.nutrient.io/api/reference/document-engine/upstream/#model/BuildInstructions). ## Removing password protection from PDF exports Document Engine can also strip password protection and PDF security restrictions when you download a document as a PDF. Use the `/api/documents/{documentId}/pdf` endpoint and pass `remove_password_protection` either as a query parameter on `GET` requests or as a JSON body field on `POST` requests. If the PDF is owner-password protected, include the owner password in the `PSPDFKit-Pdf-Password` header to remove password protection. If you try to remove password protection without the owner password, Document Engine returns `403`. This option can’t be combined with `source`, `owner_password`, `user_password`, or `user_permissions`. The same `/api/documents/{documentId}/pdf` endpoint supports setting `owner_password`, `user_password`, and `user_permissions` for PDF exports, but `remove_password_protection` can’t be used together with those options. ### Examples Query parameter (`GET`): ```http GET /api/documents/{documentId}/pdf?remove_password_protection=true ``` JSON body (`POST`), with owner password: ```http POST /api/documents/{documentId}/pdf Content-Type: application/json PSPDFKit-Pdf-Password: ownerpassword123 { "remove_password_protection": true } ``` --- ## Related pages - [Convert email files to PDF](/guides/document-engine/file-management/convert-email-files.md) - [Create a document from an upload](/guides/document-engine/file-management/create-a-document-from-upload.md) - [File management overview](/guides/document-engine/file-management.md) - [List documents with pagination](/guides/document-engine/file-management/list-documents.md) - [Create a document from a URL](/guides/document-engine/file-management/create-a-document-from-url.md) - [Remove files](/guides/document-engine/file-management/remove.md) - [Store user-uploaded files](/guides/document-engine/file-management/store-user-uploaded-files.md)