> ## Documentation Index
> Fetch the complete documentation index at: https://docs.craftkit.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Document engagement event documentviewed downloaded printed …

> Sent as recipients interact with a shared/emailed render. Subscribe to any of `document.share_created`, `document.share_revoked`, `document.email_sent`, `document.email_opened`, `document.viewed`, `document.downloaded`, `document.printed`.



## OpenAPI

````yaml /openapi.yaml webhook document.event
openapi: 3.1.0
info:
  title: Craftkit API
  version: 1.0.0
  description: |
    The Craftkit public REST API. Design templates with typed variables, render
    PDFs asynchronously, share and track them, and send them out for digital
    signature.

    ## Authentication

    Most endpoints authenticate with a **project API key** as a bearer token:

    ```
    Authorization: Bearer ck_live_xxxxxxxxxxxxxxxx
    ```

    Keys come in `ck_live_` (production) and `ck_test_` (test) flavours. The
    `/v1/projects*` endpoints are the one exception — they authenticate with a
    separate **account API key** (`ck_acct_…`) instead, scoped to every
    project the account owns rather than to a single project. The two
    credential types are strictly disjoint: a project key is rejected on
    `/v1/projects*` and an account key is rejected everywhere else. See
    [Authentication](/guides/authentication).

    Embed iframe surfaces use a short-lived **embed session JWT** instead, and
    the admin provisioning endpoint uses the deployment-wide
    `CRAFTKIT_ADMIN_KEY`. Inbound webhooks (`/v1/hooks/*`) are not
    bearer-authed — they are verified by an HMAC signature header.

    ## Idempotency

    `POST /v1/templates/{slug}/render` and `POST /v1/signatures` accept an
    `Idempotency-Key` request header. Retrying with the same key returns the
    original resource instead of creating (and, for signatures, billing) a
    duplicate.

    ## Errors

    Application errors use a shared envelope:

    ```json
    { "error": { "code": "invalid_request", "message": "...", "issues": { } } }
    ```

    A small number of admin/embed endpoints return a flatter shape
    (`{ "error": "invalid_credentials" }`); those are documented inline.
servers:
  - url: https://api.craftkit.dev
    description: Production
security:
  - bearerApiKey: []
tags:
  - name: Projects
    description: >-
      Account-scoped project management and per-project key minting. Every
      operation requires an account key (`ck_acct_…`) — a project key
      (`ck_live_…`) is rejected.
  - name: Templates
    description: Create, list, fetch, republish, delete templates and enqueue renders.
  - name: Renders
    description: Poll render status, download PDFs, manage shares, email, and engagement.
  - name: Signatures
    description: >-
      Send rendered PDFs out for digital signatures via the signature service
      and track status.
  - name: Webhooks
    description: >-
      Outgoing event webhooks Craftkit POSTs to your subscription URL (render.*,
      document.*, signature.*), and the inbound webhook receiver
      (HMAC-authenticated, not bearer-authed).
  - name: Embed
    description: Embed session minting, catalogs, builder templates, form submission.
  - name: Admin
    description: Org provisioning (deployment admin key only).
  - name: System
    description: Health and status.
paths: {}
components:
  securitySchemes:
    bearerApiKey:
      type: http
      scheme: bearer
      description: >
        Project API key (`ck_live_…` or `ck_test_…`) presented as a bearer
        token.

        For embed partner endpoints this is the partner secret key, which is the

        same credential type.

````