Authentication & Identification

DevPayr validates every request using a combination of authentication and request identification. Depending on the endpoint, you may be required to authenticate using an API key, a license key, or both.

Some requests also require explicit domain identification to ensure licenses are used only in authorized environments.

Authentication Models

DevPayr supports two authentication models, each serving a different purpose:

| Model | Purpose |
| --- | --- |
| API Key | Project, license, and resource management |
| License Key | Runtime validation and SDK-level access |

Each endpoint clearly states which authentication method it requires.

API Key Authentication

API keys are used for management and control operations, typically performed from secure backend services or dashboards.

When to use an API Key

API key authentication is required for:

  • Creating, updating, and deleting projects

  • Managing project domains

  • Creating and managing licenses

  • Managing injectables

  • Backend payment status checks

API Key Header

Send your API key in the X-API-KEY request header.

Only active and non-expired API keys are accepted.


API Key Scoping

An API key may optionally be scoped to:

  • a specific project, or

  • a user account (global access)

If a project-scoped API key is used to access a different project, the request will be rejected.

API Key Failure Responses

| Scenario | Status | Response |
| --- | --- | --- |
| Missing API key | 401 | { "message": "Missing required X-API-KEY header." } |
| Invalid or expired API key | 403 | { "message": "Invalid or expired API key." } |
| Project mismatch | 403 | { "message": "API key does not match project owner." } |

License Key Authentication

License keys are used for runtime access, typically from SDKs or deployed applications.

Unlike API keys, license keys are subject to domain, environment, geo, and usage policies.

Sending a License Key

A license key can be provided using any one of the following methods:

  • Header (recommended)

  • Request Body

  • Query String

License Validation Rules

A license key must:

  • exist

  • be active

  • not be expired

  • belong to the project being accessed (if project context exists)

If any of these checks fail, the request is rejected.

License Key Failure Responses

| Scenario | Status | Response |
| --- | --- | --- |
| Missing license key | 401 | { "message": "Missing license key." } |
| Invalid or expired license key | 403 | { "message": "Invalid or expired license key." } |
| Project mismatch | 403 | { "message": "License does not belong to the current project." } |

Domain Identification

For license-protected (runtime) requests, DevPayr must be able to identify where the request is coming from.

This prevents licenses from being reused across unauthorized domains or environments.

Domain Identifier Header

The X-Devpayr-Domain header is required for all license-protected endpoints.

Accepted Domain Formats

The domain identifier may be provided as:

  • A full domain name: example.com

  • A subdomain: app.example.com

  • A local development host: localhost, 127.0.0.1

  • A full URL (host is extracted): https://example.com/app

  • An opaque identifier (for non-web runtimes)

If the value includes a URL scheme, DevPayr extracts and normalizes the host.

Browser-Based Fallbacks

If X-Devpayr-Domain is not provided, DevPayr attempts to infer the domain from:

  • Origin

  • Referer

If no domain can be resolved, the request fails.
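
The resolution order described above, sketched as an added example (not DevPayr's own code). The page says only that the host is extracted and normalized; lowercasing, dropping the port and trailing dot, and ignoring a non-URL Origin value such as "null" are assumptions made here.

```python
from urllib.parse import urlsplit

DOMAIN_HEADER = "X-Devpayr-Domain"        # header name from this page
FALLBACK_HEADERS = ("Origin", "Referer")  # fallback order as listed on this page


def normalize_identifier(value):
    """Return a normalized host or opaque identifier, or None if unusable."""
    value = (value or "").strip()
    if not value:
        return None
    if "://" in value:
        # Full URL: keep only the host; scheme, port, path and query are dropped.
        try:
            host = urlsplit(value).hostname  # urlsplit lowercases the host
        except ValueError:                   # e.g. malformed IPv6 literal
            return None
        return host.rstrip(".") if host else None
    # Bare domain, local host or opaque identifier. Lowercasing and trimming a
    # trailing dot are assumptions about what "normalizes" means.
    return value.lower().rstrip(".") or None


def resolve_domain(headers):
    """Resolve the domain for a license-protected request; None means it fails."""
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    explicit = normalize_identifier(lowered.get(DOMAIN_HEADER.lower()))
    if explicit:
        return explicit
    for name in FALLBACK_HEADERS:
        candidate = lowered.get(name.lower(), "")
        # Browser headers only count when they carry a real URL;
        # "Origin: null" (opaque origin) must not be treated as a domain.
        if "://" in candidate:
            host = normalize_identifier(candidate)
            if host:
                return host
    return None


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {"X-Devpayr-Domain": "https://Example.com:8443/app"},
        {"Origin": "null", "Referer": "https://app.example.com/checkout"},
        {"Origin": "null"},
    ]
    for h in samples:
        print(h, "->", resolve_domain(h))
```

A client that always sends the explicit header with the exact value registered for the license avoids depending on Origin or Referer, which browsers may omit or trim under referrer policies.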

Domain Identification Failure

Authentication Summary

| Use Case | API Key | License Key | Domain Header |
| --- | --- | --- | --- |
| Project management | ✅ | ❌ | ❌ |
| Domain management | ✅ | ❌ | ❌ |
| License management | ✅ | ❌ | ❌ |
| Runtime SDK access | ❌ | ✅ | ✅ |
| Payment status (backend) | ✅ | ❌ | ❌ |
| Payment status (runtime) | ❌ | ✅ | ✅ |

What's Next?

Authentication alone does not guarantee access.

DevPayr also enforces:

  • domain validation rules

  • environment restrictions

  • IP and country policies

  • usage limits and rate limits
