Download a publicly shared report PDF (no auth)
GET /api/v1/public/reports/share/:token/pdf
Stream the shared report PDF inline (login-less).
Resolves by share token, enforces optional password protection (timing-safe
bcrypt verify), then streams the PDF with Content-Disposition: inline.
Wrong token, revoked, expired, or wrong password all surface as the
respective HTTP status without leaking which check failed beyond the status
code itself. Honours ETag/Range like the authenticated PDF routes.
The password rides the X-Report-Password request header, not a query
parameter (CWE-598): query strings land in access logs, proxy logs, browser
history, and Referer headers, so a share password must never travel
there.
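The following is an added example, not the project's own handler: it shows how a share-token resolver of the kind described above can be structured so that the password only ever comes from the X-Report-Password header, a password in the query string is refused outright, the password check is timing-safe, and every failure surfaces only as a status code with a uniform body. Assumptions, which the page does not state: an in-memory share store, scrypt from the standard library standing in for bcrypt (the constant-time comparison is the point, not the hash), and the mapping unknown token 404, revoked or expired share 403, missing or wrong password 401, password in the query string 400.

```python
"""Added example (not the project's code): share-token resolution with a
timing-safe password check and header-only password transport.

Assumed, not from the page: in-memory store, scrypt in place of bcrypt, and
the status mapping unknown -> 404, revoked/expired -> 403, bad password -> 401,
password in query string -> 400.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# scrypt cost parameters for this example; a real deployment tunes these.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salthex$digesthex'. scrypt stands in for the page's bcrypt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest and compare in constant time (hmac.compare_digest),
    so a near-miss and a wild miss take the same time to reject."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


@dataclass
class Share:
    token: str
    report_id: str
    password_hash: Optional[str]  # None -> the link is not password-protected
    expires_at: float             # unix seconds
    revoked: bool = False


def render_pdf(report_id: str) -> bytes:
    """Constructed stand-in for the real PDF renderer."""
    return b"%PDF-1.4\n% report " + report_id.encode("utf-8") + b"\n"


def resolve_share(store: Dict[str, Share], token: str, headers: Dict[str, str],
                  query: Dict[str, str], now: float) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status, response_headers, body).

    Error bodies are fixed strings per status, so the body never says more
    than the status code already does."""
    # CWE-598: a password in the query string is rejected, never consulted,
    # because it would already have landed in access/proxy logs and Referers.
    if "password" in query:
        return 400, {}, b"bad request"

    share = store.get(token)
    if share is None:
        return 404, {}, b"not found"
    if share.revoked or now >= share.expires_at:
        return 403, {}, b"forbidden"

    if share.password_hash is not None:
        # HTTP header names are case-insensitive; normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        supplied = lowered.get("x-report-password")
        if supplied is None or not verify_password(supplied, share.password_hash):
            return 401, {}, b"unauthorized"

    return 200, {
        "Content-Type": "application/pdf",
        "Content-Disposition": 'inline; filename="report.pdf"',
    }, render_pdf(share.report_id)


# Constructed sample data for the example.
NOW = 1_700_000_000.0
SAMPLE_STORE = {
    "open-tok": Share("open-tok", "rpt-1", None, NOW + 3600),
    "prot-tok": Share("prot-tok", "rpt-2", hash_password("hunter2"), NOW + 3600),
    "dead-tok": Share("dead-tok", "rpt-3", None, NOW + 3600, revoked=True),
    "old-tok": Share("old-tok", "rpt-4", None, NOW - 1),
}

if __name__ == "__main__":
    status, hdrs, body = resolve_share(
        SAMPLE_STORE, "prot-tok", {"X-Report-Password": "hunter2"}, {}, NOW)
    print(status, hdrs.get("Content-Disposition"), body[:8])
```

The ordering matters: revocation and expiry are checked before the password so a dead link never exercises the hash, and the 401 path is the same whether the header is absent or wrong, which is the "respective status without further detail" behaviour the description calls for.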
Request
- Path parameter token: the share token from the public link.
- Header X-Report-Password (optional): the share password; only needed when the share is password-protected. Never send it as a query parameter.
Responses
- 200: PDF report
- 400: Bad request — malformed input or failed validation.
- 401: Missing, expired, or invalid credentials.
- 403: Authenticated but not authorized for this resource. Note: cross-organization reads return 404, not 403.
- 404: Resource not found, or hidden for tenant-enumeration safety (the caller lacks permission to know whether the resource exists).
- 409: Conflict — the current resource state does not allow this operation (e.g. assessment already started, email already in use).
- 422: Semantic validation failure — request shape was valid but contents were not.
- 429: Too many requests — rate limited. Retry after the window resets.
- 500: Internal server error — unexpected failure.