PSPDFKit SDK Security

PSPDFKit for Web is developed with a security-conscious approach and is used in security-conscious applications. This means:

  • Encrypted PDFs are supported and cannot be accessed without the matching password.

  • PDF passwords are never persisted.

  • Code commits are always peer reviewed and have to pass our large test case set before being merged.

Accessing an Underlying PDF File

PSPDFKit for Web might keep parts of extracted text or annotations in memory to perform the requested operations.

In the case of a Standalone mode, all the processing and rendering of PDF documents occurs in the client. There’s no transmission of a user’s files or data to any external server, and we don’t have access to your deployment. Keep in mind that since the document fetching is done on the client side, a malicious user could potentially access underlying PDF documents.

If you want to learn more about access to protected files, please see our Accessing Protected Files guide.

In the case of a [Server-Backed mode][], the processing and rendering of the PDF documents is done by the Docker container that you can install on your premises. Using JSON Web Tokens (JWTs), you can manage the document permissions and authorization. This provides you with granular control over how information is transmitted over the wire, and it enables you to prevent users from accessing underlying PDF documents.

Delivery of the content to the client will be optimized and chunked, so depending on the use case, only a fraction of the document data needs to be sent to the client side.

PSPDFKit for Web Server-Backed does perform regular license checks. If you have specific requirements that don’t offer internet access, ask our sales team about alternative license verification methods.

To learn more about the security aspects of Document Engine, the backend for PSPDFKit for Web Server-Backed, please see this relevant article.

Document Permissions

Permissions set on a PDF document are honored by PSPDFKit for Web. Please refer to our Document Permissions guide to learn more.


Taking a screenshot on the web cannot be prevented.

Digital Signing Keys

PSPDFKit for Web offers complete flexibility over how public and private encryption keys are handled for both Standalone and Server-Backed modes.

On Standalone, you’re responsible for generating a valid digital signature by registering a callback that receives a file’s byte range and allows you to implement your own logic to generate a DER PKCS#7 container that PSPDFKit will apply as a signature. PSPDFKit doesn’t need access to any private key.

Server-Backed mode relies on a network service that you’re responsible for maintaining and operating. This network service needs to expose a single HTTP endpoint that — after receiving the information required to generate the signature — returns a DER PKCS#7 container to be set as a value of the digital signature field.

Please check our Digital Signatures on Web guide to learn more.