Authentication

HTML to Image uses API keys to authenticate requests. Get your key from the dashboard and include it in the X-API-Key header on every request.

curl -X POST 'https://app.html2img.com/api/html' \
  -H 'X-API-Key: YOUR_API_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"html": "<h1>Hello</h1>"}'

Worked examples in your language live in the language guides. One-line summary per language:

  • PHP and Laravel - set the X-API-Key header on cURL or Guzzle. See the PHP guide and Laravel guide.
  • Node.js - pass the key in the headers option of fetch or axios. See the JavaScript guide.
  • Python - pass headers={'X-API-Key': ...} to requests.post. See the Python guide.

Storing your key

Keep the key on the server, not in client-side code. Use an environment variable so it never lands in source control.

# .env
HTML2IMG_API_KEY=hk_live_yourkey

// Read from process.env at request time
const apiKey = process.env.HTML2IMG_API_KEY;

Key rotation

Rotate keys safely with a brief overlap window. Generate a new key in the dashboard and deploy with both keys configured for an hour. Revoke the old key from the dashboard once every running instance has the new one.

Common mistakes

  • Storing the key client-side. Anyone viewing the page source can steal it. Always proxy through your server.
  • Logging the key in error messages or build logs. Strip X-API-Key from logged requests, and avoid printing process.env dumps in CI.
  • Sharing one key across all services. One key per service makes rotation safer and lets you trace usage in the dashboard.
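
One way to strip X-API-Key from logged requests and error text in Node.js, as an added example that is not HTML to Image's own code. The helper names redactHeaders, scrubText and safeLogEntry are hypothetical, and the sample key is constructed.

```javascript
// Header names whose values must never reach a log (HTTP names are case-insensitive).
const SENSITIVE_HEADERS = new Set(['x-api-key']);

// Hypothetical helper: accepts a plain object, a fetch Headers or Map, or [name, value] pairs.
function redactHeaders(headers) {
  let entries;
  if (Array.isArray(headers)) entries = headers;
  else if (headers && typeof headers.entries === 'function') entries = [...headers.entries()];
  else entries = Object.entries(headers || {});
  const out = {};
  for (const [name, value] of entries) {
    out[name] = SENSITIVE_HEADERS.has(String(name).toLowerCase()) ? '[REDACTED]' : value;
  }
  return out;
}

// Hypothetical helper: remove the literal key value from free text such as
// error messages, which often echo the request that failed.
function scrubText(text, secrets) {
  let result = String(text);
  for (const secret of secrets) {
    if (secret) result = result.split(secret).join('[REDACTED]');
  }
  return result;
}

// Hypothetical helper: build the object handed to the logger in place of the
// raw request and error.
function safeLogEntry(request, error, secrets) {
  return {
    method: request.method,
    url: scrubText(request.url, secrets),
    headers: redactHeaders(request.headers),
    error: error ? scrubText(error.message, secrets) : undefined,
  };
}

// Constructed sample: a failed request whose error message echoes the key.
const sampleKey = 'hk_live_CONSTRUCTED_EXAMPLE';
const entry = safeLogEntry(
  {
    method: 'POST',
    url: 'https://app.html2img.com/api/html',
    headers: { 'x-api-KEY': sampleKey, 'Content-Type': 'application/json' },
  },
  new Error(`request failed, sent X-API-Key: ${sampleKey}`),
  [sampleKey, process.env.HTML2IMG_API_KEY] // an unset env var is skipped
);
console.log(JSON.stringify(entry));
```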