Authentication
Learn how to authenticate with the PaperStack API using Bearer tokens.
Authentication
All API requests to PaperStack require authentication via a Bearer token in the Authorization header.
API Keys
API keys are the primary authentication mechanism. Every request must include a valid, active key.
Key Format
- Live keys:
ps_<random_string> - Test/development keys:
ps_test_<random_string>
Rate Limits
| Plan | Requests/Second | Requests/Month |
|---|---|---|
| Sandbox | 1 | 500 |
| Creator Pack | 5 | 10,000 (one-time) |
| Institute Scale | 20 | 100,000 |
| Platform Edge | Custom | Unlimited |
Sending Your Key
Include your API key as a Bearer token in the Authorization header:
curl -H "Authorization: Bearer ps_xxxxx" \
https://api.paperstack.qzz.io/neet/2024/s1/physics.jsonimport requests
headers = {"Authorization": "Bearer ps_xxxxx"}
response = requests.get(
"https://api.paperstack.qzz.io/neet/2024/s1/physics.json",
headers=headers
)
data = response.json()
print(data)const response = await fetch(
"https://api.paperstack.qzz.io/neet/2024/s1/physics.json",
{
headers: {
Authorization: "Bearer ps_xxxxx",
},
}
);
const data = await response.json();
console.log(data);package main
import (
"fmt"
"io"
"net/http"
)
func main() {
client := &http.Client{}
req, _ := http.NewRequest("GET",
"https://api.paperstack.qzz.io/neet/2024/s1/physics.json", nil)
req.Header.Set("Authorization", "Bearer ps_xxxxx")
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := io.ReadAll(resp.Body)
fmt.Println(string(body))
}require "net/http"
require "uri"
uri = URI("https://api.paperstack.qzz.io/neet/2024/s1/physics.json")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
request = Net::HTTP::Get.new(uri)
request["Authorization"] = "Bearer ps_xxxxx"
response = http.request(request)
puts response.bodyGetting an API Key
- Register for a PaperStack account
- Log in to your Dashboard
- Click Generate New Key
- Copy the key immediately — it will only be shown once
- Store it securely (e.g., environment variables, secrets manager)
Key Management
Viewing Your Keys
Your Dashboard shows all active keys with:
- Key prefix (first few characters)
- Creation date
- Last used date
Revoking a Key
If a key is compromised or no longer needed:
- Go to your Dashboard
- Click Revoke next to the key
- The key will be immediately invalidated
Note: Revocation is permanent. Generate a new key to replace a revoked one.
CORS & Browser Usage
PaperStack supports cross-origin requests from browser applications. All API endpoints include the following CORS headers:
| Header | Value |
|---|---|
Access-Control-Allow-Origin | * |
Access-Control-Allow-Headers | Authorization, Content-Type |
Access-Control-Allow-Methods | GET, HEAD, OPTIONS |
Access-Control-Max-Age | 86400 |
Using the API from the Browser
// Fetch question data from client-side JavaScript
async function fetchPaper(exam, year, shift, file, apiKey) {
const response = await fetch(
`https://api.paperstack.qzz.io/${exam}/${year}/${shift}/${file}`,
{
headers: {
Authorization: `Bearer ${apiKey}`,
},
}
);
if (!response.ok) {
throw new Error(`API error: ${response.status}`);
}
return response.json();
}
// Usage
const data = await fetchPaper("neet", "2024", "s1", "physics.json", "ps_xxxxx");Security Warning for Browser Apps
Never hardcode API keys in client-side code. Anyone viewing your page source or network requests can see the key. Instead:
- Proxy API requests through your own backend
- Use environment variables in server-rendered frameworks (Next.js, Nuxt)
- Restrict key permissions and set expiry dates for browser-used keys
Recommended Architecture for Browser Apps
Browser App
│
▼
Your Backend (proxies requests, stores key securely)
│
▼
PaperStack APISecurity Best Practices
- Never expose your API key in client-side code, public repos, or logs
- Use environment variables to store keys in production
- Rotate keys regularly — generate new keys and revoke old ones
- Use separate keys for development and production environments
- Monitor usage on your Dashboard for unusual activity
Was this page helpful?