---
title: "DWS Viewer API backend authentication"
canonical_url: "https://www.nutrient.io/guides/dws-viewer/developer-guides/backend-authentication/"
md_url: "https://www.nutrient.io/guides/dws-viewer/developer-guides/backend-authentication.md"
last_updated: "2026-06-09T10:21:54.371Z"
description: "Learn how to authenticate your backend services with DWS Viewer API using API keys or JSON Web Tokens (JWTs)."
---

# DWS Viewer API backend authentication

Requests to the DWS Viewer API are protected by a secret API key.

<!-- or JWT based authentication. -->

## API key authentication

The API key for your DWS Viewer API application can be retrieved from the [dashboard](https://dashboard.nutrient.io/sign_in/).

Because the API allows full access to data stored in your DWS Viewer API application, it’s only meant to be used by your backend services, which we assume are fully trusted. To view documents from DWS Viewer API in the browser using Nutrient Web SDK, you’ll need to use [session tokens](https://www.nutrient.io/guides/dws-viewer/developer-guides/generate-a-session-token.md) that can be handed out to users.

### Using the API key

Each API request needs to be authenticated by providing the `Authorization: Bearer your_api_key_here` header:

### Shell

```shell

curl -X POST https://api.nutrient.io/viewer/documents \
  -H "Authorization: Bearer your_api_key_here" \
  -H "Content-Type: application/pdf" \
  --fail \
  -F file=@document.pdf

```

### Shell (Windows)

```powershell

curl -X POST https://api.nutrient.io/viewer/documents ^
  -H "Authorization: Bearer your_api_key_here" ^
  -H "Content-Type: application/pdf" ^
  --fail ^
  -F file=@document.pdf

```

### HTTP

```http

POST https://api.nutrient.io/viewer/documents HTTP/1.1
Content-Type: multipart/form-data; boundary=--customboundary
Authorization: Bearer your_api_key_hereContent-Type: application/pdf

--customboundary
Content-Disposition: form-data; name="file"; filename="document.pdf"
Content-Type: application/pdf

(file data)
--customboundary--

```

## JSON Web Token (JWT) authentication

API key authentication falls short when you require more granular control over the permissions of the client making the request. In such cases, you can use JWT-based authentication via API access tokens.

### Session tokens vs. API access tokens

Use the token type that matches your integration:

- **Browser viewer sessions** — Use [`POST /viewer/sessions`](https://www.nutrient.io/api/reference/viewer/public/#tag/Authorization/operation/generate-session-token). This is the preferred endpoint for opening documents in Nutrient Web SDK.

- **Programmatic DWS Viewer API requests from trusted backend services** — Use [`POST /viewer/tokens`](https://www.nutrient.io/api/reference/viewer/public/#tag/Authorization/operation/generate-api-access-token) to create an API access token.

Don’t use `POST /viewer/tokens` for browser viewer sessions.

### Creating an API access token

To authenticate trusted backend requests, generate an API access token using the API key via the [`POST /viewer/tokens`](https://www.nutrient.io/api/reference/viewer/public/#tag/Authorization/operation/generate-api-access-token) endpoint:

### Shell

```shell

curl -X POST https://api.nutrient.io/viewer/tokens \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your_api_key_here" \
  --fail \
  -d '{
      "allowed_documents": [
        {
          "document_id": "<document_id>",
          "permissions": [
            "read",
            "write",
            "download"
          ]
        }
      ],
      "exp": 1793769299
    }'

```

### Shell (Windows)

```powershell

curl -X POST https://api.nutrient.io/viewer/tokens ^
  -H "Content-Type: application/json" ^
  -H "Authorization: Bearer your_api_key_here" ^
  --fail ^
  -d "{\"allowed_documents\": [{\"document_id\": \"<document_id>\", \"permissions\": [\"read\", \"write\", \"download\"]}], \"exp\": 1793769299}"

```

### HTTP

```http

POST https://api.nutrient.io/viewer/tokens HTTP/1.1
Content-Type: application/json
Authorization: Bearer your_api_key_here

{
  "allowed_documents": [
    {
      "document_id": "<document_id>",
      "permissions": [
        "read",
        "write",
        "download"
      ]
    }
  ],
  "exp": 1793769299
}

```

You can then retrieve the JWT from the response. The token is returned in the top-level `jwt` field:

```json

{
  "jwt": "<created_access_token>"
}

```

API access tokens can be created with additional optional claims to further control their properties. Refer to our [API reference](https://www.nutrient.io/api/reference/viewer/public/) to learn more.

### Using an API access token

API requests need to be authenticated by providing the `Authorization: Bearer your_jwt_goes_here` header:

#### Upload a document

### Shell

```shell

curl -X POST https://api.nutrient.io/viewer/documents \
  -H "Accept: application/json" \
  -H "Authorization: Bearer your_jwt_goes_here" \
  -H "Content-Type: application/pdf" \
  --fail \
  -F file=@document.pdf

```

### Shell (Windows)

```powershell

curl -X POST https://api.nutrient.io/viewer/documents ^
  -H "Accept: application/json" ^
  -H "Authorization: Bearer your_jwt_goes_here" ^
  -H "Content-Type: application/pdf" ^
  --fail ^
  -F file=@document.pdf

```

### HTTP

```http

POST https://api.nutrient.io/viewer/documents HTTP/1.1
Content-Type: multipart/form-data; boundary=--customboundary
Accept: application/jsonAuthorization: Bearer your_jwt_goes_hereContent-Type: application/pdf

--customboundary
Content-Disposition: form-data; name="file"; filename="document.pdf"
Content-Type: application/pdf

(file data)
--customboundary--

```

#### Getting documents

### Shell

```shell

curl -X GET https://api.nutrient.io/viewer/documents \
  -H "Accept: application/json" \
  -H "Authorization: Bearer your_jwt_goes_here" \
  --fail

```

### Shell (Windows)

```powershell

curl -X GET https://api.nutrient.io/viewer/documents ^
  -H "Accept: application/json" ^
  -H "Authorization: Bearer your_jwt_goes_here" ^
  --fail

```

### HTTP

```http

GET https://api.nutrient.io/viewer/documents HTTP/1.1
Content-Type: multipart/form-data; boundary=--customboundary
Accept: application/jsonAuthorization: Bearer your_jwt_goes_here

--customboundary--

```
---

## Related pages

- [Dashboard](/guides/dws-viewer/developer-guides/dashboard.md)
- [DWS Viewer API client authentication flow](/guides/dws-viewer/developer-guides/client-authentication-flow.md)
- [Architecture of DWS Viewer API integration](/guides/dws-viewer/developer-guides/architecture.md)
- [DWS Viewer API developer guides](/guides/dws-viewer/developer-guides.md)
- [Open app-provided documents in Web SDK](/guides/dws-viewer/developer-guides/open-client-provided-documents.md)
- [Deployment options](/guides/dws-viewer/developer-guides/deployment-options.md)
- [Generate a session token](/guides/dws-viewer/developer-guides/generate-a-session-token.md)
- [Open DWS-managed documents in Web SDK](/guides/dws-viewer/developer-guides/open-a-document-in-web.md)
- [Integrate DWS Viewer API with your own backend](/guides/dws-viewer/developer-guides/use-with-your-backend.md)
- [Upload documents](/guides/dws-viewer/developer-guides/upload-documents.md)
- [Reviewer-isolated layers](/guides/dws-viewer/developer-guides/reviewer-isolated-layers.md)