Enforcement, Limits & Errors

Authentication confirms who you are. Enforcement determines whether a request is allowed to proceed.

DevPayr applies multiple layers of enforcement to protect your software, licenses, and infrastructure. These rules apply primarily to license-protected (runtime) requests, but some also affect API-key requests.

Domain Validation Enforcement

Every license enforces a domain validation strategy, defined by its validate_against mode.

Project Domains Mode

validate_against = project_domains

In this mode:

The request domain must exist under the project’s registered domains.
If a license is pinned to a specific project domain, it must match exactly.
If not pinned, any verified project domain is accepted.

Failure

{
  "message": "This license is not authorized for the current domain."
}

License Domains Mode

validate_against = license_domains

In this mode:

Domains are automatically registered on first use.
DevPayr enforces:
- maximum domains per license
- maximum subdomains per base domain (unless unlimited)

Possible failures

{
  "message": "Domain quota exceeded for this license."
}

{
  "message": "Subdomain quota exceeded for this base domain."
}

Environment Enforcement

DevPayr strictly enforces test vs production usage to prevent license misuse.

Test Licenses

Test licenses are restricted to:

localhost
127.0.0.1
domains ending in .test

They cannot be used on production domains.

Failure

{
  "message": "Test licenses are only allowed on test or local domains."
}

Production Licenses

Production licenses:

cannot be used on development or staging domains
must be used only on production environments

Failure

{
  "message": "Production license cannot be used on a test domain."
}

IP Address Restrictions

Licenses may restrict access to specific IP addresses.

IP matching is exact.
If the request IP is not allowed, access is denied.

Failure

{
  "message": "Access denied from this IP address."
}

Country Restrictions

Licenses may restrict access by country.

Country is resolved from the request IP.
If the country cannot be determined or is not allowed, access is denied.

Failures

{
  "message": "Unable to determine your country. Access denied."
}

{
  "message": "Access from this country is not allowed."
}

Usage Limits

Daily License Usage Limit

Some licenses enforce a daily usage cap.

Each validated request is logged.
Once the daily limit is reached, further requests are blocked.

Failure

{
  "message": "Daily usage limit for this license key has been reached."
}

Rate Limiting

DevPayr applies per-minute rate limiting based on your subscription plan.

How rate limiting works

API key requests are limited by the API key owner’s plan.
License key requests are limited by the license owner’s plan.
Limits reset every minute.

Failure

{
  "message": "Rate limit exceeded (X requests/min). Please slow down."
}

Error Responses & Status Codes

DevPayr uses standard HTTP status codes and returns all errors in JSON format.

Common Status Codes

Status

Meaning

400

Bad request

401

Unauthenticated

403

Unauthorized

404

Resource not found

405

Method not allowed

406

Not acceptable

422

Validation error

429

Too many requests

500

Server error

Error Format

{
  "message": "Descriptive error message"
}

Validation errors (422) may also include an errors object with field-level details.

Enforcement Order (Conceptual)

For license-protected requests, enforcement typically occurs in this order:

License validation
Domain identification
Domain authorization
Environment validation
IP and country checks
Usage limits
Rate limiting

A failure at any step immediately blocks the request.

Summary

If a request fails even with valid credentials, it is usually due to:

domain mismatch
environment misuse
geo or IP restrictions
exceeded usage or rate limits

These safeguards are intentional and designed to protect your work.

PreviousAuthentication & Identification NextList projects

Last updated 21 days ago