Download a publicly shared report PDF (no auth)

GET /api/v1/public/reports/share/:token/pdf

Stream the shared report PDF inline (login-less).

Resolves the report by its share token, enforces the optional password protection (timing-safe bcrypt verify), then streams the PDF with Content-Disposition: inline. A wrong token, a revoked or expired share, and a wrong password each surface as their respective HTTP status, without leaking which check failed beyond the status code itself. Honours ETag/Range like the authenticated PDF routes.

The password rides the X-Report-Password request header, not a query parameter (CWE-598): query strings land in access logs, proxy logs, browser history, and Referer headers, so a share password must never travel there.
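An added example, not part of the original API documentation: a log audit that finds requests to this route which carried a password in the query string and redacts the value before the line is stored or forwarded. The query parameter names, the combined access-log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Route from the page; the :token segment is matched loosely.
SHARE_PDF = re.compile(r"^/api/v1/public/reports/share/[^/]+/pdf$")
# Assumed names a misbehaving client might use for the password; adjust as needed.
SECRET_PARAMS = {"password", "pass", "pwd", "x-report-password"}
# Request line inside a combined-format access log entry (assumed log format).
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def audit_line(line):
    """Return (leaked_param_names, redacted_line) for one access-log line."""
    m = REQUEST_LINE.search(line)
    if not m:
        return [], line
    parts = urlsplit(m.group("target"))
    if not SHARE_PDF.match(parts.path):
        return [], line
    leaked, kept = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_PARAMS:
            leaked.append(key)
            value = "REDACTED"
        kept.append((key, value))
    if not leaked:
        return [], line
    target = parts.path + "?" + urlencode(kept)
    return leaked, line[:m.start("target")] + target + line[m.end("target"):]

def audit(lines):
    """Return redacted copies of every line that carried a share password in the URL."""
    return [redacted for leaked, redacted in map(audit_line, lines) if leaked]

# Constructed sample log lines (not real traffic; status codes are arbitrary).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] '
    '"GET /api/v1/public/reports/share/tok_example/pdf HTTP/1.1" 200 48211',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] '
    '"GET /api/v1/public/reports/share/tok_example/pdf?password=hunter2&dl=1 HTTP/1.1" 400 0',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] '
    '"GET /api/v1/reports/42/pdf?pwd=x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(hit)
```

Any hit means a password has already reached a log, so treat that share's password as exposed and rotate it.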

Request

Responses

PDF report