Branded, LintPDF-Default, and Anonymous Outputs

Every rendered artifact in LintPDF — the interactive viewer, downloaded PDF reports, hosted HTML reports, and share-link landing pages — resolves its branding through a single three-way decision: branded (your tenant BrandProfile), LintPDF-default, or anonymous.

A tenant can maintain multiple BrandProfiles — typically one per client account or end-customer brand the tenant white-labels for. Exactly one BrandProfile is marked the tenant default at any time; jobs and share-links can override that on a per-submission basis. See Brand Profiles for the full CRUD model. Brand Profiles control rendering chrome (logo, colors, footer); for per-customer color swatches and rich-black targets see the separate Brand Specs primitive.

The three modes

Branded

Renders with one of your tenant’s BrandProfiles. Logo, brand name, primary/accent colors, footer text, and support email are pulled from the profile. This is the default for most SaaS customers and white-label resellers.

LintPDF-default

Renders with LintPDF’s own branding. Useful when you want the output to explicitly carry LintPDF’s logo — e.g., to reinforce that the preflight was run on an industry-standard engine.

Anonymous

Renders with no branding of any kind — neither your tenant’s brand nor LintPDF’s. In addition:

• No logo block — header and footer carry no mark.
• No “Generated by” / “Powered by” line.
• PDF metadata sanitized — Author="", Creator="Preflight", Producer="Preflight". The default Producer="LintPDF / WeasyPrint" is overwritten.
• Neutral filename — downloads are named preflight-<short-job-id>.pdf instead of {tenant-slug}-<filename>.pdf.
• Viewer chrome — tenant name, support email, and logo are all null in the viewer config.
• Share page — public HTML report hides the tenant header/footer and uses a neutral title (“Preflight Report”).

Anonymous mode is specifically built for brokers forwarding preflight reports to downstream distributors who shouldn’t be able to identify which broker ran the preflight. “Unbranded” in LintPDF therefore means truly untraceable, not white-labeled as LintPDF.

Resolution order

The three modes resolve through a deterministic waterfall. LintPDF walks this order until one rule matches:

1. Explicit brand= on the request — highest precedence. Form field on submit, query param on viewer config + report endpoints.
2. Job.unbranded_override=true → anonymous. Else Job.brand_profile_id_override if set → that specific BrandProfile.
3. Tenant.unbranded_by_default=true → anonymous. Else Tenant.default_brand_profile_id → that profile.
4. Tenant’s sole active BrandProfile if exactly one exists.
5. LintPDF default — fallback.

The per-request override always wins. That means a tenant with unbranded_by_default=true can still render a specific job with LintPDF branding by passing ?brand=lintpdf; similarly, a branded-by-default tenant can ship a single broker report anonymously with brand=anonymous.

Per-request override on submit

# Anonymous
curl -X POST https://api.lintpdf.com/api/v1/jobs \
  -H "Authorization: Bearer lpdf_live_..." \
  -F file=@brochure.pdf \
  -F brand=anonymous

# Convenience alias (equivalent)
curl -X POST https://api.lintpdf.com/api/v1/jobs \
  -H "Authorization: Bearer lpdf_live_..." \
  -F file=@brochure.pdf \
  -F unbranded=true

# LintPDF default
curl -X POST https://api.lintpdf.com/api/v1/jobs \
  -H "Authorization: Bearer lpdf_live_..." \
  -F file=@brochure.pdf \
  -F brand=lintpdf

# Specific BrandProfile
curl -X POST https://api.lintpdf.com/api/v1/jobs \
  -H "Authorization: Bearer lpdf_live_..." \
  -F file=@brochure.pdf \
  -F brand=7c9a4b0e-5d3a-4f2b-92e1-1a3c0b9d8e4f

Accepted brand values:

• anonymous — strip everything, sanitize metadata.
• lintpdf — LintPDF default branding.
• A BrandProfile UUID owned by your tenant. Foreign profiles return 403.
• unbranded=true — alias for brand=anonymous. Do not mix — passing both is accepted but brand=anonymous wins.

Malformed values (not anonymous/lintpdf/UUID) return 422.

Per-request override on viewer and reports

Same three values work as a query param on every rendering endpoint:

# Viewer config
curl "https://api.lintpdf.com/api/v1/viewer/jobs/{job_id}/config?brand=anonymous" \
  -H "Authorization: Bearer lpdf_live_..."

# PDF report
curl "https://api.lintpdf.com/api/v1/jobs/{job_id}/report/pdf?brand=anonymous" \
  -H "Authorization: Bearer lpdf_live_..." \
  --output report.pdf

# HTML report
curl "https://api.lintpdf.com/api/v1/jobs/{job_id}/report/html?brand=anonymous" \
  -H "Authorization: Bearer lpdf_live_..."

Tenant default

Set the tenant-wide default from the dashboard at https://app.lintpdf.com/dashboard/account/branding or directly via the API. The “Default output branding” card offers a three-way choice:

• Branded (tenant profile) — pick which BrandProfile is default; writes Tenant.default_brand_profile_id.
• Anonymous — writes Tenant.unbranded_by_default=true.
• LintPDF default — clears both fields.

API:

# Read current default
curl https://api.lintpdf.com/api/v1/tenant/branding-defaults \
  -H "Authorization: Bearer lpdf_live_..."

# Set to anonymous
curl -X PATCH https://api.lintpdf.com/api/v1/tenant/branding-defaults \
  -H "Authorization: Bearer lpdf_live_..." \
  -H "Content-Type: application/json" \
  -d '{"mode": "anonymous"}'

# Set to a specific BrandProfile
curl -X PATCH https://api.lintpdf.com/api/v1/tenant/branding-defaults \
  -H "Authorization: Bearer lpdf_live_..." \
  -H "Content-Type: application/json" \
  -d '{"mode": "profile", "brand_profile_id": "7c9a4b0e-..."}'

# Fall back to LintPDF default
curl -X PATCH https://api.lintpdf.com/api/v1/tenant/branding-defaults \
  -H "Authorization: Bearer lpdf_live_..." \
  -H "Content-Type: application/json" \
  -d '{"mode": "lintpdf"}'

Both endpoints require branding:manage.

What “anonymous” actually changes

Surface	Branded / LintPDF-default	Anonymous
Viewer header logo	Tenant or LintPDF mark	None
Viewer footer “Generated by…”	Rendered	Removed
Viewer config brand_name, support_email, tenant_name	Populated	null
Report PDF logo	Rendered	None
Report PDF header/footer	Rendered	Neutral or removed
Report PDF Author metadata	Tenant name	"" (empty string)
Report PDF Producer metadata	"LintPDF / WeasyPrint"	"Preflight"
Report PDF Creator metadata	"LintPDF"	"Preflight"
Report PDF filename	{tenant-slug}-{safe-filename}.pdf	preflight-{short-job-id}.pdf
Public share HTML title	{Tenant Name} — Preflight Report	Preflight Report
Public share HTML header/footer	Rendered	Removed
Share-link email envelope	Tenant sender	no-reply@reports.lintpdf.com, display name "Preflight Report"

The sanitization is done with pikepdf after WeasyPrint renders the PDF, guaranteeing that downstream PDF inspection tools (including LintPDF’s own) see the neutral metadata.

Share-link immutability

Brand choice is captured at share-link mint time and frozen for the life of the token. If a broker mints an anonymous share link today and tomorrow the tenant flips the default to branded, yesterday’s link remains anonymous. This is the expected behavior — brokers need to guarantee distributors keep seeing the branding they promised.

The ReportToken row records:

• brand_mode — anonymous / lintpdf / profile
• brand_profile_id — non-null only when brand_mode=profile

See Share Links for the mint and consume flow.

Broker-to-distributor use case

This is the anchor use case that motivated anonymous mode:

Scenario: A print broker runs preflight on customer artwork and forwards the PDF report to a distributor who’ll actually print it. The distributor shouldn’t be able to identify which broker ran the preflight — competitive reasons.

Setup:

1. As the broker, set tenant default to Anonymous (one-time).
2. For every job submitted on behalf of a customer, the default anonymizes the report PDF, viewer, and share link automatically.
3. Forward the preflight-<short-job-id>.pdf to the distributor, or mint a share link that the distributor can open without any broker or LintPDF branding.
4. The distributor sees findings, verdict, and viewer tooling without any provenance breadcrumbs.

Override exceptions per-request with brand=... when a specific job should carry branding (e.g., customer-facing re-reports).

Related

• Share Links
• Custom Domains
• Preflight Modes