Authentication

Keys for APIs, tokens for dashboards

BOL extraction uses API keys. Dashboard and admin actions use short-lived JWT access tokens.

API requests

Pass the API key in every extraction request.

curl -X POST https://api.bolscan.app/api/v1/extract \
  -H "X-API-Key: bs_your_key_here" \
  -F "[email protected]"

Key Lifecycle

Prefix: Keys start with bs_
Storage: Only SHA-256 hashes are stored
Visibility: Full key is shown once
Limit: 5 active keys per user
Revocation: Keys can be disabled instantly
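
The lifecycle rules above, as an added server-side example in Python (not BolScan's own code): keys are issued with the bs_ prefix, only the SHA-256 digest is kept, the limit of 5 active keys per user is enforced, and a revoked key fails on the next lookup. The KeyStore class, its method names, the key length and the in-memory dict are assumptions for illustration.

```python
import hashlib
import secrets

PREFIX = "bs_"        # from the page: keys start with bs_
MAX_ACTIVE_KEYS = 5   # from the page: 5 active keys per user


class KeyStore:
    """In-memory stand-in for a key table (hypothetical, for illustration)."""

    def __init__(self):
        # SHA-256 hex digest -> {"user": str, "active": bool}; no plaintext keys
        self._rows = {}

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, user):
        """Create a key and return the plaintext; this is the only time it exists."""
        active = sum(1 for r in self._rows.values()
                     if r["user"] == user and r["active"])
        if active >= MAX_ACTIVE_KEYS:
            raise PermissionError("active key limit reached; revoke a key first")
        # 32 random bytes (assumed length): a fast unsalted hash is acceptable
        # only because the key is high-entropy, unlike a user-chosen password.
        key = PREFIX + secrets.token_urlsafe(32)
        self._rows[self._digest(key)] = {"user": user, "active": True}
        return key

    def verify(self, presented):
        """Return the owning user, or None if malformed, unknown or revoked."""
        if not isinstance(presented, str) or not presented.startswith(PREFIX):
            return None  # cheap reject before hashing
        # Lookup is by digest, so the plaintext key is never stored or compared.
        row = self._rows.get(self._digest(presented))
        if row is None or not row["active"]:
            return None
        return row["user"]

    def revoke(self, key):
        """Disable a key; returns False if it is unknown or already revoked."""
        row = self._rows.get(self._digest(key))
        if row is None or not row["active"]:
            return False
        row["active"] = False  # the row stays, so the digest is not reusable
        return True
```

Because only the digest is stored, a lost key cannot be recovered from the store; the user has to revoke it and issue a new one.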

Dashboard Tokens

Access token: Valid for 60 minutes
Refresh token: Valid for 30 days
Header: Authorization: Bearer <token>
Refresh path: POST /auth/refresh
Admin scope: Role checked server-side

Production API

Integrate BolScan into your logistics system

Use sandbox keys for testing. For real production OCR, higher limits, storage behavior, webhooks, and rollout support, message us with your use case and expected monthly BOL volume.

Contact on WhatsApp

Surface | Credential | Header
Extraction API | API key | X-API-Key
Dashboard | JWT access token | Authorization: Bearer <token>
Admin routes | JWT access token with admin role | Authorization: Bearer <token>