Not depend on auth.pdfjs.express

Hi Alex,

Thanks for bringing this up!

PDF.js Express license keys are tied to a single domain, and they only work on that domain. Granting a temporary license would allow users to easily bypass this restriction since the temporary key could just be shared across domains. Also, calling our auth APIs from your server would not let us check which domain the viewer is being used on.

We do this to prevent license keys from being stolen and used by third parties.

I would like to assure you that we do not track any locations, IPs, users, etc. in the request to auth.pdfjs.express; it purely just validates that the domain and license key are valid.

We realize that this authentication flow means that the application needs to have access to the internet. Since this is a SaaS service, this will probably always be the case.

If this is still a concern to you, you can check out our sister product, PDFTron WebViewer. It does not make any calls home and validates the license key client side (since it is not domain locked). It also has the exact same API as Express so moving your prototype over is a breeze.

I hope I explained this well enough! If you have any questions please let me know.

Thanks,
Logan