Authentication overview

Blitapp's API uses a straightforward authentication model centered on API keys. This approach is designed for simplicity and direct integration, primarily for server-side applications that automate website screenshots, PDF generation from URLs, visual regression testing, and web page archiving. Each request sent to the Blitapp API must include a valid API key, which serves as a unique identifier and authorization token for your account. The API key links the request to your subscription plan and allocated usage, as detailed on the Blitapp pricing page.

The system verifies the provided API key against its database to ensure the request originates from an authorized user. If the key is missing, invalid, or revoked, the API will reject the request, typically with an HTTP 401 Unauthorized or 403 Forbidden status code. This mechanism is a fundamental security layer, preventing unauthorized access to your account's resources and ensuring proper billing and service usage tracking.

Understanding the proper handling and secure storage of your API key is critical for maintaining the security of your applications and data when interacting with Blitapp. Unlike more complex protocols such as OAuth 2.0, which involves token exchange and refresh flows, API key authentication requires direct inclusion of the key in each request. This directness makes implementation simple but places a higher burden on developers to prevent key exposure.

Supported authentication methods

Blitapp supports a single authentication method for its API: API key authentication. This method involves including a unique, secret key in your API requests. The API key identifies your account and authorizes the request to perform actions like capturing screenshots or generating PDFs.

The API key is passed as a query parameter in the URL for HTTP GET requests. This approach is common for APIs designed for ease of use and direct integration, particularly where the API is consumed by server-side applications or scripts that construct the URL themselves. Because the key is part of the URL, it can end up anywhere the URL is recorded (web server and proxy logs, shell history, browser history, error reports), so it requires careful handling to prevent exposure.

Authentication methods summary

Method: API Key (URL Parameter)
When to use: Server-side applications, scheduled tasks, and scripts where the API key can be secured.
Security level: Medium. Secure if stored and transmitted correctly (e.g., over HTTPS and not exposed in client-side code). Lower if exposed in logs or unsecured URLs.

Getting your credentials

To obtain your Blitapp API key, you will need an active Blitapp account. If you do not have one, you can sign up on the Blitapp homepage. Once registered and logged in, your API key can be found within your account dashboard. The process generally follows these steps:

  1. Log In: Access your Blitapp account by logging in with your registered email and password.
  2. Navigate to API Section: Look for a section in your dashboard labeled something like "API Settings", "API Keys", or "Developer Settings". The exact naming may vary, but it will be distinct from general account settings. Refer to the official Blitapp API documentation for precise navigation instructions.
  3. Retrieve API Key: Your unique API key will be displayed in this section. It is typically a long, alphanumeric string. Some platforms may allow you to generate new keys or revoke existing ones for security rotation.

It is crucial to treat your API key as a sensitive secret, similar to a password. Do not hardcode it directly into client-side code that could be publicly accessible, and avoid exposing it in version control systems, public repositories, or client-side JavaScript. For secure storage, consider using environment variables, secret management services, or secure configuration files on your server.

Authenticated request example

Blitapp's API is primarily accessed via HTTP GET requests, with the API key included as a query parameter. The following example demonstrates how to make an authenticated request to capture a screenshot of a webpage. This example uses a placeholder for your actual API key and the target URL.

Example: Capturing a screenshot using curl

curl -G "https://blitapp.com/api/screenshot/" \
  --data-urlencode "api_key=YOUR_API_KEY" \
  --data-urlencode "url=https://www.example.com" \
  --data-urlencode "format=png" \
  --data-urlencode "viewport=1280x800" \
  -o "screenshot.png"

In this example:

  • https://blitapp.com/api/screenshot/ is the base endpoint for the screenshot API.
  • api_key=YOUR_API_KEY is the critical authentication parameter. You must replace YOUR_API_KEY with the actual key retrieved from your Blitapp dashboard.
  • url=https://www.example.com specifies the target webpage to screenshot.
  • format=png sets the output image format.
  • viewport=1280x800 defines the browser viewport dimensions for the screenshot.
  • -o "screenshot.png" instructs curl to save the response (the image data) to a file named screenshot.png.

For PDF generation, the endpoint and parameters would be similar, but tailored for PDF-specific options:

curl -G "https://blitapp.com/api/pdf/" \
  --data-urlencode "api_key=YOUR_API_KEY" \
  --data-urlencode "url=https://www.example.com/document" \
  --data-urlencode "format=pdf" \
  --data-urlencode "page_size=A4" \
  -o "document.pdf"

Always ensure that your API key is correctly URL-encoded if it contains special characters, although standard API keys are typically alphanumeric; in the examples above, curl's --data-urlencode option performs this encoding for every parameter, including the key and the target URL. Refer to the Blitapp API reference documentation for a complete list of available parameters and their usage for both screenshot and PDF generation endpoints.
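The same request built from a server-side application, as an added Python example that is not Blitapp's own client code: the key is read from an environment variable (the name BLITAPP_API_KEY is an assumption borrowed from the Node.js hint later on this page), every parameter is percent-encoded the way curl's --data-urlencode does, plain-HTTP endpoints are refused, and the 401/403 responses described in the overview are surfaced as a distinct authentication error rather than being silently written to the output file.

```python
"""Added example (not Blitapp's own client code): an authenticated Blitapp GET
request in Python that mirrors the curl commands above."""
import os
import urllib.error
import urllib.parse
import urllib.request

# Endpoint prefix taken from the curl examples above.
BASE_URL = "https://blitapp.com/api/"
KNOWN_ENDPOINTS = ("screenshot", "pdf")


class BlitappAuthError(Exception):
    """Raised when the API rejects the key (HTTP 401 or 403, per the overview)."""


def load_api_key(env_var: str = "BLITAPP_API_KEY") -> str:
    """Read the key from the environment rather than hardcoding it.
    The variable name is an assumption; the page only recommends the pattern."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to send an unauthenticated request")
    return key


def build_request_url(endpoint: str, api_key: str, **params: str) -> str:
    """Return the full GET URL with api_key and all parameters percent-encoded,
    equivalent to `curl -G ... --data-urlencode` for each parameter."""
    if endpoint not in KNOWN_ENDPOINTS:
        raise ValueError(f"unknown endpoint: {endpoint}")
    query = urllib.parse.urlencode({"api_key": api_key, **params})
    return f"{BASE_URL}{endpoint}/?{query}"


def classify_status(status: int) -> str:
    """Map an HTTP status to a short verdict, distinguishing the two auth failures."""
    if status == 401:
        return "unauthorized: API key missing or invalid"
    if status == 403:
        return "forbidden: API key revoked or not permitted for this request"
    if 200 <= status < 300:
        return "ok"
    return f"unexpected status {status}"


def fetch(url: str, out_path: str, timeout: float = 30.0) -> str:
    """Send the request and write the binary body (PNG or PDF) to out_path.
    Raises BlitappAuthError on 401/403 so a bad key is never mistaken for output."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send the API key over plain HTTP")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            with open(out_path, "wb") as fh:
                fh.write(resp.read())
            return classify_status(resp.status)
    except urllib.error.HTTPError as exc:
        verdict = classify_status(exc.code)
        if exc.code in (401, 403):
            raise BlitappAuthError(verdict) from exc
        raise


if __name__ == "__main__":
    key = load_api_key()
    screenshot_url = build_request_url(
        "screenshot", key,
        url="https://www.example.com", format="png", viewport="1280x800",
    )
    print(fetch(screenshot_url, "screenshot.png"))
```

The `fetch` helper deliberately never prints or logs the URL it was given, since the URL carries the key; if request logging is needed, log the endpoint and the target `url` parameter separately.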

Security best practices

Securing your Blitapp API key is paramount to protect your account from unauthorized usage and potential abuse. Adhering to these best practices will help maintain the integrity and confidentiality of your API interactions:

  1. Keep API Keys Confidential: Treat your API key as a secret. Never embed it directly into client-side code (e.g., JavaScript in a web browser) where it could be exposed to end-users. Always use it from server-side applications or secure environments.
  2. Use Environment Variables: Store your API key as an environment variable rather than hardcoding it into your application's source code. This practice prevents the key from being committed to version control systems like Git and makes it easier to manage keys across different deployment environments (development, staging, production). For example, in Node.js, you might access `process.env.BLITAPP_API_KEY`.
  3. Avoid Public Repositories: Never commit API keys or configuration files containing API keys into public code repositories (e.g., GitHub, GitLab, Bitbucket). Use .gitignore files to exclude such files or directories.
  4. Restrict IP Addresses (If Available): If Blitapp offers IP address whitelisting, configure it to allow requests only from the specific IP addresses of your servers or trusted networks. This adds an extra layer of security, ensuring that even if a key is compromised, it cannot be used from an unauthorized location. The Google Maps API key security guide offers similar advice for their services, highlighting the importance of IP restrictions.
  5. Regularly Rotate Keys: Periodically rotate your API keys, especially if there's any suspicion of compromise or as part of a routine security policy. Blitapp's dashboard should provide functionality to generate a new key and invalidate the old one.
  6. Monitor Usage: Regularly check your Blitapp account's usage statistics for any unusual activity. Spikes in API calls or usage from unexpected regions could indicate a compromised key.
  7. Use HTTPS: Always ensure that all communications with the Blitapp API are conducted over HTTPS (HTTP Secure). This encrypts the data in transit, protecting your API key and other sensitive information from interception by malicious actors. Blitapp's API endpoints are designed for HTTPS, ensuring secure transmission.
  8. Implement Least Privilege: While Blitapp's API key grants broad access, if the platform ever introduces granular permissions, configure your keys with the minimum necessary permissions required for the task.
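Two of the practices above, keeping the key out of log output (items 1 and 2, and the "exposed in logs" caveat in the methods summary) and watching usage for spikes (item 6), as an added Python example that is not Blitapp's own tooling. The regular expression, the log filter, the seven-day baseline and the 3x spike factor are all assumptions chosen for the illustration; the daily call counts are constructed sample data.

```python
"""Added example (not Blitapp's own tooling): scrub api_key values from log
output, and flag days whose call volume jumps far above the recent baseline."""
import logging
import re
from statistics import mean

# Matches the api_key value in a query string or free text and stops at '&',
# whitespace or a quote, so the rest of the logged URL is preserved.
API_KEY_PATTERN = re.compile(r"(api_key=)[^&\s\"']*")


def redact_api_key(text: str, placeholder: str = "REDACTED") -> str:
    """Replace every api_key value in `text` so a URL can be logged safely."""
    return API_KEY_PATTERN.sub(lambda m: m.group(1) + placeholder, text)


class RedactApiKeyFilter(logging.Filter):
    """Logging filter that scrubs api_key values from every record passing
    through it, including values that arrive via %-style arguments."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_api_key(record.getMessage())
        record.args = ()  # already rendered into msg; prevents a second format pass
        return True


def redacted_message(msg: str, *args) -> str:
    """Render a log message as a handler behind RedactApiKeyFilter would see it."""
    record = logging.LogRecord("blitapp", logging.INFO, __file__, 0, msg, args, None)
    RedactApiKeyFilter().filter(record)
    return record.getMessage()


def usage_anomalies(daily_calls, window: int = 7, factor: float = 3.0):
    """Return the indices of days whose call count exceeds `factor` times the
    mean of the preceding `window` days. Thresholds are assumptions for the
    example; tune them to your own plan and traffic pattern."""
    flagged = []
    for i in range(window, len(daily_calls)):
        baseline = mean(daily_calls[i - window:i])
        if baseline > 0 and daily_calls[i] > factor * baseline:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    logger = logging.getLogger("blitapp")
    logger.addFilter(RedactApiKeyFilter())
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    logger.info("GET %s -> %d",
                "https://blitapp.com/api/screenshot/?api_key=s3cret&url=https%3A%2F%2Fwww.example.com",
                200)  # printed line reads api_key=REDACTED

    # Constructed sample: seven quiet days, then one day of ten times the usual traffic.
    sample_calls = [40, 42, 38, 45, 41, 39, 44, 43, 410, 40]
    for day in usage_anomalies(sample_calls):
        print(f"day {day}: {sample_calls[day]} calls, far above baseline; check for a leaked key")
```

Attach the filter to the logger (or handler) that any code touching Blitapp URLs writes to; because it operates on the fully rendered message, it also catches keys passed as format arguments, which a filter that only inspects `record.msg` would miss.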

By diligently following these security practices, you can significantly reduce the risk of unauthorized access and ensure the secure operation of your Blitapp integrations. The integrity of your automated screenshot and PDF processes depends on the careful management of these credentials.