Encrypt PDF Document API

What this endpoint does

PDF4me Protect Document encrypts a PDF with a password and sets permission flags in a single REST call. Send the PDF as Base64, choose the password and which actions are allowed (printing, copying, annotating, form filling), and receive a new AES-encrypted PDF in the response. The encryption applied is AES-128 or AES-256 per the PDF specification, suitable for GDPR, HIPAA, and other compliance-driven workflows.

Related Blog Posts

No blog post yet for this feature — coming soon.

In the meantime, browse the PDF4me blog for tutorials and workflows across every platform.

Visit the blog →

Authenticating Your API Request

Every PDF4me REST API call must include your API key in the Authorization header. Create or select a key from the developer dashboard and keep it server-side. Never expose it in browser code.

Get your API Key

Important Facts You Should Not Miss

Password and permissions are applied together

The single password field gates document opening. The pdfPermission enum controls what users can do once the document is open. Use both together to ship a PDF that requires a password AND disables printing or copying.

Permission flags are allow-list, not deny-list

Whatever you do not include in pdfPermission is blocked. Set it to None to block every action except opening, or to a specific flag such as Fill Forms to allow only form filling and nothing else.

The source PDF is never modified

The API returns the encrypted PDF as raw binary bytes in the response body (Content-Type application/pdf). Your original file stays untouched. Write the response bytes directly to a new .pdf file. Useful for compliance audit trails where the unprotected source must remain intact.

REST API endpoint

Method: POST
URL: https://api.pdf4me.com/api/v2/Protect

Send Content-Type: application/json and an Authorization header with your API key. Set async to false for a synchronous response (HTTP 200 with the encrypted PDF as raw binary bytes), or true to receive HTTP 202 plus a Location header that you poll until it returns 200 with the binary PDF.

Postman request setup

Setting	Value
Method	POST
URL	https://api.pdf4me.com/api/v2/Protect
Headers	Content-Type: application/json
Authorization	Basic Auth with your API key, or header Authorization: Basic YOUR_API_KEY
Body	raw JSON with docContent, docName, password, pdfPermission, and async fields
Response (sync)	When async is false: HTTP 200 with the encrypted PDF as raw binary bytes. Save the response body directly to a .pdf file.
Response (async)	When async is true: HTTP 202 with a Location header. GET that URL until you receive 200 plus the binary PDF. Useful for large files or slow networks.

Parameters

Always required: docContent, docName, password, pdfPermission. The async flag is optional (defaults to false) and controls whether the response is returned immediately or via a polling URL.

Parameter	Required	Type	What it does	Example
docContent	Yes	Base64 String	The source PDF file encoded as Base64 (no data: prefix). Read the file as bytes and run it through your language's Base64 encoder.	JVBERi0xLjQK...
docName	Yes	String	Filename of the source PDF including the .pdf extension. Used for tracking and the output filename.	invoice.pdf
password	Yes	String	The password applied to the encrypted PDF. Users must enter this to open the document.	Str0ng-P@ss!
pdfPermission	Yes	Enum	What the user can do once the PDF is unlocked. One of: All, None, Copy, Annotate, Fill Forms, Support Disabilities, Assemble, Digital Print. See the flag reference card grid below.	Fill Forms
async	No	Boolean	Optional, defaults to false. When false the API returns the encrypted PDF immediately as binary bytes (HTTP 200). When true the API returns HTTP 202 with a Location header; poll that URL with GET until you receive 200 with the binary PDF. Use true for large PDFs or batch processing.	false

pdfPermission flag reference

AllEverything is allowed

Open, print, copy, edit, annotate, fill forms. Use for password-only protection without further restrictions.

NoneOnly opening

Blocks printing, copying, editing, annotating, form filling. The most restrictive option.

CopyOpen and copy text or images

Blocks printing, editing, annotating.

AnnotateOpen and annotate

Sticky notes and highlights allowed. Blocks copying, printing, editing.

Fill FormsOpen and fill form fields

Blocks printing, copying, editing. Common for confidential intake forms.

Support DisabilitiesOpen with accessibility tools

Screen reader and assistive tool access. Required for accessible-by-default PDFs.

AssemblePage-level changes allowed

Insert, delete, or rotate pages. Used when downstream tooling must restructure the PDF.

Digital PrintLow-resolution print only

Blocks high-resolution printing and copying. Useful for proof copies.

Request examples

Example A: Encrypt with password only (All permissions)

{
  "docContent": "JVBERi0xLjQK...",
  "docName": "invoice.pdf",
  "password": "Str0ng-P@ss!",
  "pdfPermission": "All",
  "async": false
}

Example B: Encrypt with maximum restrictions (None)

Blocks printing, copying, editing, annotating, and form filling.

{
  "docContent": "JVBERi0xLjQK...",
  "docName": "confidential.pdf",
  "password": "Str0ng-P@ss!",
  "pdfPermission": "None",
  "async": false
}

Example C: Encrypt and allow form filling only

Useful for confidential intake forms where the recipient must fill but not redistribute.

{
  "docContent": "JVBERi0xLjQK...",
  "docName": "intake-form.pdf",
  "password": "Form-2026",
  "pdfPermission": "Fill Forms",
  "async": true
}

Successful response (sync, async: false)

HTTP 200 with the encrypted PDF as the raw response body (binary application/pdf). No JSON wrapping. Save the response bytes directly to a file.

HTTP/1.1 200 OK
Content-Type: application/pdf
Content-Disposition: attachment; filename="protected.pdf"

<binary PDF bytes>

Successful response (async, async: true)

HTTP 202 with a Location header. Poll that URL with GET (same Authorization header) until you receive HTTP 200 with the binary PDF.

HTTP/1.1 202 Accepted
Location: https://api.pdf4me.com/api/v2/JobStatus/<job-id>

curl examples

Sync mode (save the response body straight to a file):

curl -X POST https://api.pdf4me.com/api/v2/Protect \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic YOUR_API_KEY" \
  -o protected.pdf \
  -d '{"docContent":"JVBERi0xLjQK...","docName":"invoice.pdf","password":"Str0ng-P@ss!","pdfPermission":"Fill Forms","async":false}'

Async mode (note -D headers.txt to capture the Location header for polling):

curl -X POST https://api.pdf4me.com/api/v2/Protect \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic YOUR_API_KEY" \
  -D headers.txt \
  -d '{"docContent":"...","docName":"invoice.pdf","password":"Str0ng-P@ss!","pdfPermission":"Fill Forms","async":true}'

Code samples

Python Sample

C# Sample

Java Sample

JavaScript Sample

Salesforce Sample

Google Apps Script

AWS Lambda Sample

n8n Sample

All API Samples

Integration examples

Common REST integration patternsTypical ways developers call Protect Document.

Bulk encrypt invoices for delivery

1. Read each invoice PDF from a folder, S3 bucket, or database queue.
2. Base64-encode the bytes and POST to Protect with pdfPermission set to Fill Forms.
3. Write the response bytes directly to a .pdf file (raw binary), then upload the encrypted file to email or object storage.
4. Loop over every file. The endpoint is stateless and safe for parallel calls within your rate limit.

Encrypt then sign for legal workflows

1. POST the source PDF to /api/v2/Protect with the recipient password and chosen permission.
2. Take the binary response bytes, re-encode to Base64, and feed them as docContent to the Digital Sign endpoint.
3. Receive a single PDF that is both AES-encrypted and cryptographically signed. Tamper-evident for legal and compliance use cases.

GDPR or HIPAA per-recipient encryption

1. Generate a unique password per recipient (UUID or shared-secret derived).
2. POST to Protect with that password and pdfPermission set to None to block all copy and print.
3. Email the encrypted PDF and the password through a separate channel for compliance audit trails.

Frequently Asked Questions

What encryption strength does the Protect endpoint apply?+

PDF4me applies AES encryption per the PDF specification (ISO 32000). Modern PDF readers use 128-bit or 256-bit AES depending on the PDF version of the source. Both meet GDPR and HIPAA encryption requirements for documents in transit and at rest.

Can I set an owner password and a user password separately?+

The password field is applied as the user password (required to open). The pdfPermission enum is the owner-level signal controlling what is allowed once the document is open. Together they behave like a combined owner-and-user setup. The endpoint does not currently accept two distinct passwords in one call.

How do I disable printing or copying on the encrypted PDF?+

Pick a pdfPermission value that does NOT include the action you want to block. Set it to None to block everything except opening. Set it to Copy to allow text or image copy only. Set it to Fill Forms to allow form filling only. The flag is allow-list: anything not explicitly listed is blocked.

Is the original PDF modified, or is a new copy returned?+

The original file is never touched. The API returns the encrypted PDF as raw binary bytes in the response body (Content-Type application/pdf). Write the response bytes directly to a new .pdf file. Useful when the unprotected source must remain intact for audit trails.

Can I encrypt PDFs in bulk?+

Each call protects one PDF and the endpoint is stateless. For bulk encryption, loop over files in your script (Python for loop, C# foreach, Node async map) or use a Make, Zapier, Power Automate, or n8n scenario that fires the Protect action per file picked up by a folder watcher.

Does this work as an alternative to SmallPDF, iLovePDF, or Adobe Acrobat password protection?+

Yes. The Protect endpoint provides the same outcome (password-encrypted PDF with permission control) through a REST API. No per-user license, no manual upload, and full automation. The same call from a script handles one document or one thousand.

Is the response binary or Base64?+

The response body is the raw binary PDF (Content-Type application/pdf), not JSON. Write the response bytes straight to a .pdf file: response.content in Python requests, response.body in fetch, await Content.ReadAsByteArrayAsync in C#. The Base64 envelope is only used for input (the docContent field you send in the request), not for the output.

How do I test the API without writing code?+

Open the Protect Document API Tester, paste your API key, upload a PDF, type a password, and pick a pdfPermission flag. The tester shows the request and lets you download the encrypted PDF directly.

Related actions

Unlock PDF

Remove a password from an encrypted PDF when you have the credentials. The inverse of this Protect endpoint.

Digital Sign

Apply a cryptographic signature in addition to (or instead of) password protection. Tamper-evident PDFs for legal workflows.

API Tester

Try the endpoint interactively with your API key and any sample PDF.

Same task on other platforms

Encrypt PDF in Make

Drag the Protect module into a Make scenario for visual no-code automation.

Encrypt PDF in Zapier

Add Protect as a Zapier action triggered by any of 6,000+ apps.

Encrypt PDF in Power Automate

Drop the Protect connector into a Microsoft 365 flow with SharePoint and Outlook.

Encrypt PDF in n8n

Use the PDF4me Protect node in a self-hosted or cloud n8n workflow.

Get Help

Get Your API KeyAPI SamplesAPI TesterGetting Started