Product

The Captures API

Authenticated screenshots and PDFs for SaaS apps. Inject a logged-in session, run browser actions, and get back a privately stored, signed capture from one API call.

Why authenticated pages are hard

Generic screenshot tools work on public pages. The pages your team actually needs — dashboards, reports, admin panels — live behind a login. Getting a real browser into a real session, safely, is the hard part: session state has to be injected without storing credentials, the page has to be fully rendered before capture, and the output has to stay private.

Capture lifecycle

Every capture moves through the same five steps.

  1. Create a capture request

    POST /api/captures with an API key, an HTTPS target URL, optional auth state (cookies and localStorage), optional browser actions, and an output format.

  2. The request is queued

    The API validates the key, checks the target hostname against your allowed domains, and returns a capture ID immediately.

  3. A worker processes it

    A dedicated Playwright worker — separate from the API — claims the job, loads the page with your auth state, runs your actions, and renders the output.

  4. The asset is stored privately

    The screenshot or PDF is written to private storage. Nothing is ever public by default.

  5. A signed URL is returned

    The status endpoint returns a short-lived signed URL for the result. Links expire and can be re-issued from the dashboard.

Built-in security model

Four layers work together so a single leaked credential never becomes full access.

Scoped API keys

Every request authenticates with a workspace API key. SessionShot stores only a hash of the secret — the full key is shown exactly once at creation.

Allowed domains

Captures only run against hostnames you have explicitly allowed. A leaked key cannot be pointed at arbitrary sites.

Private storage and signed URLs

Results live in private storage and are served only through short-lived signed links generated server-side.

Encrypted capture payloads

Auth state and request payloads are handed to the worker over an encrypted channel and are never displayed in the dashboard.

What teams use it for

Customer-facing reports

Render a logged-in analytics view as a PNG or PDF and attach it to scheduled emails or customer portals.

Support snapshots

Capture exactly what a customer sees in their account when investigating an issue — without asking them for screenshots.

Internal dashboards

Archive internal admin panels and metrics pages on a schedule for reviews and hand-offs.

Audit and compliance captures

Keep a visual record of authenticated states at a point in time, stored privately with controlled access.

Formats

Screenshots and PDFs from the same request shape

One request schema covers PNG and JPEG screenshots (viewport or full page) and paginated PDFs — switch by changing output.format.