PaperFetch.jl is a bibliography checking and PDF-fetching tool. It deliberately avoids direct handling of library usernames and passwords.
Recommended credential-assisted workflow:
- Log into your library or proxy in your own browser.
- Run PaperFetch.jl on your own computer.
- Pass either an institutional proxy URL template or a local exported cookie file when you explicitly choose fetch mode.
- Delete temporary cookie files when you are finished.
The optional cookie-file mode treats cookies as bearer tokens. Anyone with that file may temporarily inherit your web session.
Do not commit, upload, email, or paste:
- browser cookies or exported
cookies.txtfiles; - passwords, session tokens, API keys, or proxy URLs containing secrets;
- private bibliographies;
- downloaded PDFs that you are not entitled to redistribute;
- API caches if they contain private URLs, request metadata, or unpublished bibliography information;
- reports that include proxied URLs or other sensitive local paths.
Generated outputs such as .paperfetch_cache/, paperfetch_out/, downloads/,
and docs/build/ are ignored by git and should usually stay local.
check --use-apis normally only queries metadata APIs; it does not download
files. The one exception is full-text PDF verification: when no metadata
provider can confirm an entry, but a PDF candidate URL is known, check
downloads that one PDF (anonymously, with no cookies or proxy credentials)
and runs it through pdftotext, and optionally pdftoppm/tesseract for a
scanned PDF, entirely on your own machine. No content is sent anywhere except
the download itself.
This means check can, by default when --use-apis is set, fetch and locally
parse a file from a URL taken from the bibliography, using third-party
open-source tools (poppler, tesseract) that PaperFetch.jl does not audit.
Parsing any untrusted file with any tool carries some inherent risk. Pass
--no-verify-pdf-text (or verify_pdf_text=false in the Julia API) to
disable this if you are checking a bibliography from an untrusted source, or
prefer not to download files during check at all.
Use a real contact email for public scholarly APIs. Keep batches small, respect rate limits, and check library, publisher, and repository terms before downloading PDFs.
PaperFetch.jl can help identify open-access PDFs and validate references, but it does not grant access rights. Retrieve only material you are entitled to access.
If you find a security issue, please contact the maintainer privately rather than opening a public issue with exploit details. A public issue is fine for ordinary bugs that do not expose credentials, private URLs, or private documents.