Enforcement, Limits & Errors

Authentication confirms who you are. Enforcement determines whether a request is allowed to proceed.

DevPayr applies multiple layers of enforcement to protect your software, licenses, and infrastructure. These rules apply primarily to license-protected (runtime) requests, but some also affect API-key requests.

Domain Validation Enforcement

Every license enforces a domain validation strategy, defined by its validate_against mode.

Project Domains Mode

validate_against = project_domains

In this mode:

• The request domain must exist under the project’s registered domains.

• If a license is pinned to a specific project domain, it must match exactly.

• If not pinned, any verified project domain is accepted.

Failure

{
  "message": "This license is not authorized for the current domain."
}

License Domains Mode

validate_against = license_domains

In this mode:

• Domains are automatically registered on first use.

• DevPayr enforces:

  • maximum domains per license

  • maximum subdomains per base domain (unless unlimited)

Possible failures

{
  "message": "Domain quota exceeded for this license."
}

{
  "message": "Subdomain quota exceeded for this base domain."
}

Environment Enforcement

DevPayr strictly enforces test vs production usage to prevent license misuse.

Test Licenses

Test licenses are restricted to:

• localhost

• 127.0.0.1

• domains ending in .test

They cannot be used on production domains.

Failure

{
  "message": "Test licenses are only allowed on test or local domains."
}

Production Licenses

Production licenses:

• cannot be used on development or staging domains

• must be used only on production environments

Failure

{
  "message": "Production license cannot be used on a test domain."
}

IP Address Restrictions

Licenses may restrict access to specific IP addresses.

• IP matching is exact.

• If the request IP is not allowed, access is denied.

Failure

{
  "message": "Access denied from this IP address."
}

Country Restrictions

Licenses may restrict access by country.

• Country is resolved from the request IP.

• If the country cannot be determined or is not allowed, access is denied.

Failures

{
  "message": "Unable to determine your country. Access denied."
}

{
  "message": "Access from this country is not allowed."
}

Usage Limits

Daily License Usage Limit

Some licenses enforce a daily usage cap.

• Each validated request is logged.

• Once the daily limit is reached, further requests are blocked.

Failure

{
  "message": "Daily usage limit for this license key has been reached."
}

Rate Limiting

DevPayr applies per-minute rate limiting based on your subscription plan.

How rate limiting works

• API key requests are limited by the API key owner’s plan.

• License key requests are limited by the license owner’s plan.

• Limits reset every minute.

Failure

{
  "message": "Rate limit exceeded (X requests/min). Please slow down."
}

Error Responses & Status Codes

DevPayr uses standard HTTP status codes and returns all errors in JSON format.

Common Status Codes

Status	Meaning
400	Bad request
401	Unauthenticated
403	Unauthorized
404	Resource not found
405	Method not allowed
406	Not acceptable
422	Validation error
429	Too many requests
500	Server error

Error Format

{
  "message": "Descriptive error message"
}

Validation errors (422) may also include an errors object with field-level details.

Enforcement Order (Conceptual)

For license-protected requests, enforcement typically occurs in this order:

1. License validation

2. Domain identification

3. Domain authorization

4. Environment validation

5. IP and country checks

6. Usage limits

7. Rate limiting

A failure at any step immediately blocks the request.

Summary

If a request fails even with valid credentials, it is usually due to:

• domain mismatch

• environment misuse

• geo or IP restrictions

• exceeded usage or rate limits

These safeguards are intentional and designed to protect your work.