# Mint an embed session

> Mint a short-lived embed session for the iframe builder/form, using the
> partner secret key. Returns the session token (JWT), the iframe URL, and
> a single-use renew token. Note the snake_case response keys.

## OpenAPI

````yaml /openapi.yaml post /v1/embed/sessions
openapi: 3.1.0
info:
  title: Craftkit API
  version: 1.0.0
  description: |
    The Craftkit public REST API. Design templates with typed variables, render
    PDFs asynchronously, share and track them, and send them out for digital
    signature.

    ## Authentication

    Most endpoints authenticate with a **project API key** as a bearer token:

    ```
    Authorization: Bearer ck_live_xxxxxxxxxxxxxxxx
    ```

    Keys come in `ck_live_` (production) and `ck_test_` (test) flavours. Embed
    iframe surfaces use a short-lived **embed session JWT** instead, and the
    admin provisioning endpoint uses the deployment-wide `CRAFTKIT_ADMIN_KEY`.
    Inbound webhooks (`/v1/hooks/*`) are not bearer-authed — they are verified by
    an HMAC signature header.

    ## Idempotency

    `POST /v1/templates/{slug}/render` and `POST /v1/signatures` accept an
    `Idempotency-Key` request header. Retrying with the same key returns the
    original resource instead of creating (and, for signatures, billing) a
    duplicate.

    ## Errors

    Application errors use a shared envelope:

    ```json
    { "error": { "code": "invalid_request", "message": "...", "issues": { } } }
    ```

    A small number of admin/embed endpoints return a flatter shape
    (`{ "error": "invalid_credentials" }`); those are documented inline.
servers:
  - url: https://api.craftkit.dev
    description: Production
security:
  - bearerApiKey: []
tags:
  - name: Templates
    description: Create, list, fetch, republish, delete templates and enqueue renders.
  - name: Renders
    description: Poll render status, download PDFs, manage shares, email, and engagement.
  - name: Signatures
    description: >-
      Send rendered PDFs out for digital signatures via the signature service
      and track status.
  - name: Webhooks
    description: Inbound webhook receivers (HMAC-authenticated, not bearer-authed).
  - name: Embed
    description: Embed session minting, catalogs, builder templates, form submission.
  - name: Admin
    description: Org provisioning (deployment admin key only).
  - name: System
    description: Health and status.
paths:
  /v1/embed/sessions:
    post:
      tags:
        - Embed
      summary: Mint an embed session
      description: |
        Mint a short-lived embed session for the iframe builder/form, using the
        partner secret key. Returns the session token (JWT), the iframe URL, and
        a single-use renew token. Note the snake_case response keys.
      operationId: createEmbedSession
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateEmbedSessionRequest'
            example:
              tenant:
                externalId: org_123
                displayName: Acme Corp
              actor:
                externalId: user_456
                displayName: Jane Doe
                email: jane@example.com
              scope:
                mode: edit
                templateExternalId: 7c9f0b2e-2b1a-4f3d-9c8e-1a2b3c4d5e6f
      responses:
        '200':
          description: Session minted.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EmbedSessionResponse'
              example:
                session_id: 1d2c3b4a-5e6f-7081-92a3-b4c5d6e7f809
                session_token: eyJhbGciOiJFZERTQSJ9...
                iframe_url: https://embed.craftkit.dev/builder?session=...
                expires_at: '2026-06-21T11:00:00.000Z'
                renew_token: rt_abc123
        '400':
          description: Body was not valid JSON.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleError'
              example:
                error: invalid_json
        '401':
          $ref: '#/components/responses/SimpleUnauthorized'
        '404':
          description: Referenced named catalog not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              example:
                error:
                  code: catalog_not_found
                  message: >-
                    No current catalog named "my-catalog" found for this
                    project.
        '422':
          $ref: '#/components/responses/UnprocessableEntity'
        '500':
          description: Catalog resolution or session minting failed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleError'
      security:
        - bearerApiKey: []
components:
  schemas:
    CreateEmbedSessionRequest:
      type: object
      required:
        - tenant
        - actor
      properties:
        tenant:
          $ref: '#/components/schemas/EmbedTenantInput'
        actor:
          $ref: '#/components/schemas/EmbedActorInput'
        scope:
          $ref: '#/components/schemas/EmbedScopeInput'
        variableCatalog:
          $ref: '#/components/schemas/VariableCatalog'
        catalogRef:
          type: object
          required:
            - name
          properties:
            name:
              type: string
              minLength: 1
              maxLength: 120
            version:
              type: integer
              minimum: 1
        permissions:
          type: object
          additionalProperties:
            type: boolean
        permissionsPreset:
          type: string
          maxLength: 60
        branding:
          type: object
          additionalProperties: true
        appearance:
          type: object
          additionalProperties: true
        callbacks:
          type: object
          properties:
            onPublishedUrl:
              type: string
              format: uri
            onCloseUrl:
              type: string
              format: uri
        limits:
          type: object
          properties:
            maxPublishes:
              type: integer
              minimum: 1
            maxSaveDrafts:
              type: integer
              minimum: 1
            maxUploadsBytes:
              type: integer
              minimum: 1
        form:
          type: object
          properties:
            prefill:
              type: object
              additionalProperties: true
            showPreview:
              type: boolean
            showDocumentAfterSubmit:
              type: boolean
            redirectUrl:
              type: string
              format: uri
    EmbedSessionResponse:
      type: object
      description: snake_case response from session mint/refresh.
      required:
        - session_id
        - session_token
        - iframe_url
        - expires_at
        - renew_token
      properties:
        session_id:
          type: string
          format: uuid
        session_token:
          type: string
        iframe_url:
          type: string
          format: uri
        expires_at:
          type: string
          format: date-time
        renew_token:
          type: string
    SimpleError:
      type: object
      description: |
        Flat error shape used by some admin/embed endpoints (the value is a
        machine-readable code string rather than the structured envelope).
      required:
        - error
      properties:
        error:
          oneOf:
            - type: string
            - type: object
              properties:
                code:
                  type: string
                message:
                  type: string
        message:
          type: string
        issues: {}
        detail:
          type: string
    Error:
      type: object
      description: Shared application error envelope.
      required:
        - error
      properties:
        error:
          type: object
          required:
            - code
            - message
          properties:
            code:
              type: string
            message:
              type: string
            issues:
              description: Optional Zod flatten() / issues detail.
      example:
        error:
          code: invalid_request
          message: Request body did not match expected shape.
    EmbedTenantInput:
      type: object
      required:
        - externalId
        - displayName
      properties:
        externalId:
          type: string
          minLength: 1
          maxLength: 160
        displayName:
          type: string
          minLength: 1
          maxLength: 200
        branding:
          type: object
          additionalProperties: true
    EmbedActorInput:
      type: object
      required:
        - externalId
      properties:
        externalId:
          type: string
          minLength: 1
          maxLength: 160
        displayName:
          type: string
          maxLength: 200
        email:
          type: string
          format: email
        avatarUrl:
          type: string
          format: uri
    EmbedScopeInput:
      type: object
      properties:
        mode:
          type: string
          enum:
            - edit
            - create
            - view
            - fill
          default: edit
        templateExternalId:
          type: string
          maxLength: 200
        initialName:
          type: string
          maxLength: 200
    VariableCatalog:
      type: object
      properties:
        allowCustom:
          type: boolean
          default: false
        namespaces:
          type: array
          items:
            $ref: '#/components/schemas/CatalogNamespace'
          default: []
        loops:
          type: array
          items:
            $ref: '#/components/schemas/CatalogLoop'
          default: []
    CatalogNamespace:
      type: object
      required:
        - key
        - label
        - fields
      properties:
        key:
          type: string
          maxLength: 60
          pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$
        label:
          type: string
          maxLength: 80
        icon:
          type: string
          maxLength: 40
        fields:
          type: array
          minItems: 1
          items:
            $ref: '#/components/schemas/CatalogField'
    CatalogLoop:
      type: object
      required:
        - key
        - label
        - itemFields
      properties:
        key:
          type: string
          maxLength: 160
          pattern: ^[a-zA-Z_][a-zA-Z0-9_.]*$
        label:
          type: string
          maxLength: 160
        itemFields:
          type: array
          minItems: 1
          items:
            $ref: '#/components/schemas/CatalogField'
        previewData:
          type: array
          maxItems: 10
          items:
            type: object
            additionalProperties: true
        description:
          type: string
          maxLength: 280
    CatalogField:
      type: object
      required:
        - key
        - label
        - dataType
      properties:
        key:
          type: string
          maxLength: 160
          pattern: ^[a-zA-Z_][a-zA-Z0-9_.]*$
        label:
          type: string
          maxLength: 160
        dataType:
          $ref: '#/components/schemas/VariableDataType'
        required:
          type: boolean
          default: false
        format:
          type: string
          maxLength: 60
        description:
          type: string
          maxLength: 280
        previewData:
          $ref: '#/components/schemas/ScalarPrimitive'
        sample:
          deprecated: true
          allOf:
            - $ref: '#/components/schemas/ScalarPrimitive'
    VariableDataType:
      type: string
      enum:
        - text
        - longtext
        - number
        - currency
        - date
        - datetime
        - boolean
        - image
        - url
        - email
    ScalarPrimitive:
      type:
        - string
        - number
        - boolean
        - 'null'
  responses:
    SimpleUnauthorized:
      description: Missing or invalid credentials (flat error shape).
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/SimpleError'
          example:
            error: invalid_credentials
    UnprocessableEntity:
      description: Request failed schema validation.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/SimpleError'
          example:
            error: invalid_request
            issues: []
  securitySchemes:
    bearerApiKey:
      type: http
      scheme: bearer
      description: |
        Project API key (`ck_live_…` or `ck_test_…`) presented as a bearer token.
        For embed partner endpoints this is the partner secret key, which is the
        same credential type.
````
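A partner backend calling this endpoint has to handle the snake_case success body and both error shapes the spec lists (flat `SimpleError` and the structured envelope). The Python below is an added example, not Craftkit's own code: `MintError`, `error_from`, `parse_mint_response` and the `EMBED_HOST` pin (taken from the spec's example `iframe_url`) are assumptions, and the sample bodies are constructed from the spec's examples.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

REQUIRED = ("session_id", "session_token", "iframe_url", "expires_at", "renew_token")
EMBED_HOST = "embed.craftkit.dev"  # assumption: host taken from the spec's example iframe_url

# Constructed sample bodies, modelled on the examples in the spec above.
SAMPLE_OK = json.dumps({
    "session_id": "1d2c3b4a-5e6f-7081-92a3-b4c5d6e7f809",
    "session_token": "eyJhbGciOiJFZERTQSJ9...",
    "iframe_url": "https://embed.craftkit.dev/builder?session=...",
    "expires_at": "2026-06-21T11:00:00.000Z",
    "renew_token": "rt_abc123",
})
SAMPLE_401 = '{"error": "invalid_credentials"}'
SAMPLE_404 = '{"error": {"code": "catalog_not_found", "message": "No current catalog"}}'


class MintError(Exception):
    def __init__(self, status, code, message=None):
        super().__init__(f"{status} {code}")
        self.status, self.code, self.message = status, code, message


def error_from(status, body):
    """Normalise the flat shape {"error": "code"} and the envelope {"error": {...}}."""
    err = body.get("error") if isinstance(body, dict) else None
    if isinstance(err, dict):
        return MintError(status, err.get("code", "unknown"), err.get("message"))
    if isinstance(err, str):
        return MintError(status, err, body.get("message") or body.get("detail"))
    return MintError(status, "unknown")


def parse_mint_response(status, raw, now=None):
    """Return the session dict for a 200, raise MintError otherwise."""
    body = json.loads(raw)
    if status != 200:
        raise error_from(status, body)
    missing = [k for k in REQUIRED if k not in body]
    if missing:
        raise MintError(status, "malformed_response", f"missing {missing}")
    url = urlsplit(body["iframe_url"])
    if url.scheme != "https" or url.hostname != EMBED_HOST:
        raise MintError(status, "unexpected_iframe_origin")
    expires = datetime.fromisoformat(body["expires_at"].replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise MintError(status, "session_expired")
    return {**body, "expires_at": expires}
```

Call `parse_mint_response` from the server-side handler that holds the partner secret key, and pass only the resulting `iframe_url` on to the page that renders the iframe.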