This HTML page is not optimized for LLM or AI agent consumption. Fetch the Markdown version instead: /guides/document-engine/file-management/password-pdfs.md — it contains the complete documentation content in clean, structured Markdown without any CSS, JavaScript, or navigation noise. Work with password-protected PDFs server-side | Nutrient

Working with password-protected PDFs

Markdown version of this page, suitable for AI agents and automation

Document Engine enables you to work with password-protected PDFs. You can provide password-protected PDFs as inputs for Document Engine’s operations and password protect the output of these operations.

PDF passwords

PDF files can be protected with passwords to control who can access, modify, and print the contents of a document.

PDFs are protected with two types of passwords: the owner password and the user password.

  • Owner password — This password allows the owner of the PDF file to modify the file and change its permissions. The owner can change the user password, as well as set or modify the user permissions that control what users can do with the file.
  • User password — This password allows a user to open the PDF file with a set of permissions defined by the owner of the file. These permissions control what the user can do with the file, such as view, print, copy, or modify the contents. The user password can be used to protect the PDF file from unauthorized access by preventing users from viewing or modifying the file without the password.

Performing Document Engine operations on password-protected PDFs

If a document is password protected, any operations performed on it require supplying a password. Document Engine’s Server API allows you to specify passwords via the pspdfkit-pdf-password HTTP header.

The value of this header can be either a plain-text password or a Base64-encoded password in the form base64:<encoded-password>. Use the Base64 encoding if your password contains characters that aren’t allowed in HTTP headers or that would be otherwise mangled (e.g. trailing or leading spaces).

For example, to upload a password-protected PDF, use the following request:

Terminal window
curl -X POST http://localhost:5000/api/documents \
  -H "Authorization: Token token=<API token>" \
  -H "pspdfkit-pdf-password: document-password" \
  -F file=@/path/to/example-document.pdf

Performing build operations on password-protected PDFs

To use a password-protected part in Build API, provide the appropriate password in the password field of the FilePart.

For example, to merge a password-protected PDF with an unprotected PDF document, use the following request:

Terminal window
curl -X POST http://localhost:5000/api/build \
  -H "Authorization: Token token=<API token>" \
  -F document=@/path/to/example-document.pdf \
  -F password-document=@/path/to/example-password-document.pdf \
  -F instructions='{
  "parts": [
    {
      "file": "document"
    },
    {
      "file": "password-document",
      "password": "123456"
    }
  ]
}' \
  -o result.pdf

The PDF documents you create with /api/build are unprotected by default. For more information on setting a password for a document, see the guide on Output.

Removing password protection from PDF exports

Document Engine can also strip password protection and PDF security restrictions when you download a document as a PDF. Use the /api/documents/{documentId}/pdf endpoint and pass remove_password_protection either as a query parameter on GET requests or as a JSON body field on POST requests.

If the PDF is owner-password protected, include the owner password in the PSPDFKit-Pdf-Password header to remove password protection. If you try to remove password protection without the owner password, Document Engine returns 403.

This option can’t be combined with source, owner_password, user_password, or user_permissions. The same /api/documents/{documentId}/pdf endpoint supports setting owner_password, user_password, and user_permissions for PDF exports, but remove_password_protection can’t be used together with those options.

Examples

Query parameter (GET):

GET /api/documents/{documentId}/pdf?remove_password_protection=true

JSON body (POST), with owner password:

POST /api/documents/{documentId}/pdf
Content-Type: application/json
PSPDFKit-Pdf-Password: ownerpassword123


{
  "remove_password_protection": true
}