Authenticated pages

Render pages that require login by sending credentials alongside the URL. Three options, usable together on any screenshot or PDF request.

headers

Custom HTTP headers sent with the page request and every subresource. Max 30 headers, values up to 2 KB each.Host,Cookie, andSec-* are reserved.

cookies

Session cookies injected before navigation. Each cookie requires either a domain or aurl. Max 50 per request.

basic_auth

HTTP Basic auth (username + password) — the headless browser responds automatically on a 401 challenge. No need to pre-compute the Authorization header.

Example — Bearer token + session cookie

POST /v1/screenshot
{
  "url": "https://app.example.com/dashboard",
  "headers": {
    "Authorization": "Bearer sk_internal_abc...",
    "X-Tenant-Id": "acme-corp"
  },
  "cookies": [
    {
      "name": "session_id",
      "value": "eyJhbGciOiJI...",
      "domain": "app.example.com",
      "path": "/",
      "secure": true,
      "http_only": true,
      "same_site": "Lax"
    }
  ]
}

Example — HTTP Basic auth

POST /v1/pdf
{
  "url": "https://staging.example.com/report",
  "format": "A4",
  "basic_auth": { "username": "staging", "password": "hunter2" }
}

Security: credentials are never persisted to our database. For async jobs they live only on the Redis task payload and are removed from the job record — polling GET /v1/jobs/{id} never returns them. Each render runs in an isolated browser context so cookies and auth never cross between requests.