How to use the Papermark REST API?
The Papermark REST API gives you programmatic access to every Papermark resource: data rooms, documents, folders, links, visitors, and analytics. The whole surface is HTTPS plus JSON plus a bearer token, with 43 operations across six resources and an OpenAPI spec that drives the docs.
The Papermark REST API is available on the Business plan and above. Self-hosted Papermark instances can use the API on any plan.
What you can do with the API
| Resource | Operations include |
|---|---|
| Data rooms | Create, list, update, delete, manage folders |
| Documents | Upload, list, search, fetch, attach to data rooms |
| Folders | Create, rename, move, delete |
| Links | Mint password-gated or expiring links for documents and data rooms |
| Visitors | List, fetch view history per visitor |
| Analytics | Page-by-page durations, completion, downloads, top pages |
Across the six resources you have 43 operations total. The full OpenAPI spec lives at /docs/openapi.json and powers the docs site.
Step 1: Generate an API token
- Log into Papermark.
- Go to Settings, then API Tokens.
- Click Create token.
- Pick scopes (read-only or read/write per resource).
- Copy the token. It starts with
pm_live_and acts as a long-lived bearer credential.
Treat the token like a password. Store it in your secrets manager or environment variable (PAPERMARK_TOKEN).
Scoped tokens
Tokens are scoped, so an LLM agent can have read-only access to documents while your CI job has full write access. Pick the minimum scopes your integration needs.
Step 2: Make your first call
You'll get a JSON response with your documents:
Common workflows
Create a password-gated link to a data room
The response includes the unique link URL ready to share.
Pull page-by-page analytics for one view
Returns a payload with pages_viewed, completed, duration_ms, top_page, and an array of page_durations_ms.
Upload a document (large files)
For files over 10 MB, use the S3 presigned upload flow:
- Request an upload URL:
POST /v1/documents/upload-url - Upload the file directly to S3 with the returned presigned URL
- Confirm the upload:
POST /v1/documents/confirm
No streaming gymnastics required in your code.
Authentication and rate limits
- Bearer token authentication:
Authorization: Bearer pm_live_...header on every request - HTTPS only: requests over HTTP are rejected
- Idempotency keys: pass
Idempotency-Key: <uuid>for safe retries on POST requests - Pagination: list endpoints use cursor pagination with
next_cursorfor paging through results - Rate limits: standard limits apply per plan; contact support if your integration needs higher limits
OpenAPI spec and SDKs
The full spec is available at /docs/openapi.json. You can generate clients in any language with tools like openapi-typescript, openapi-python-client, or openapi-generator.
For Node.js, an SDK is published on npm:
Webhooks for real-time events
The API gives you pull access. To get push events (link viewed, document uploaded, link created), use webhooks. They pair well with the API for event-driven integrations.
Use cases
- CRM sync: when a new viewer opens a link, push a record into HubSpot or Salesforce.
- Investor outreach: programmatically mint personalized links per investor and email them.
- Reporting dashboards: pull visitor and analytics data into your data warehouse or BI tool.
- Automated data room provisioning: spin up a data room with a folder structure from a CI job.
- AI agents: combine the API with the MCP server so agents like Claude can act on Papermark resources.
Frequently asked questions
Related guides
- How to use the Papermark CLI
- How to use the Papermark MCP server
- How to create webhooks in Papermark
- Open source security
Need help? Contact support@papermark.com or use the in-app chat.