Retrieve an injectable

This endpoint fetches one injectable under a project. Injectables always return encrypted payloads for sensitive fields, plus integrity fields you can use to verify that what you decrypted is exactly what you originally uploaded/sent.

Endpoint

GET /v1/project/{project}/injectables/{injectable}

Authentication

This endpoint uses your API Key.

Required header

X-API-KEY: <your_api_key>

Path Parameters

Parameter

Type

Required

Description

project

integer

✅

The project ID

injectable

integer

✅

The injectable ID

Headers

Header

Required

Description

X-API-KEY

✅

Your API key

Accept

recommended

Use application/json

Request Example (cURL)

curl -X GET "https://api.devpayr.com/v1/project/2/injectables/3" \
  -H "X-API-KEY: YOUR_API_KEY" \
  -H "Accept: application/json"

{
  "status": "success",
  "message": "Success",
  "data": {
    "id": 3,
    "project_id": 2,
    "slug": "client-bundle-1",
    "title": "Client Bundle",
    "type": "snippet",
    "mode": "inject",
    "target_path": "resources/js/checkout.js",
    "content": "ENCRYPTED_STRING",
    "file_path": null,
    "content_hash": "SHA256_HASH_HEX",
    "signature": "HMAC_SHA256_HEX",
    "validate_endpoint": "https://yourapp.com/sdk-check",
    "only_if_paid": true,
    "is_active": true,
    "meta": {},
    "last_delivered_at": null,
    "created_at": "2025-12-13T12:57:24.000000Z",
    "updated_at": "2025-12-13T12:57:24.000000Z"
  },
  "errors": null
}

Response Fields Explained

Top-level response keys

Key

Type

Description

status

string

"success" or "error" depending on outcome

message

string

Human-readable summary message

data

object | null

The returned resource (injectable) on success

errors

object | null

Error details (if any)

`data` (Injectable) keys

Key

Type

Always?

Description

id

integer

✅

Injectable ID

project_id

integer

✅

Project the injectable belongs to

slug

string

✅

Unique identifier (per project) used for referencing

title

string | null

✅

Friendly name

type

string

✅

Injectable type (e.g. file, snippet, html, script, etc.)

mode

string

✅

How the injectable should be applied (e.g. write, inject, etc.)

target_path

string

✅

Where it should be applied in the client project (path or destination)

content

string

✅

Encrypted content payload (decrypt using your secret)

file_path

string | null

✅

For type="file": Encrypted file reference/path. Otherwise null.

content_hash

string

✅

SHA-256 hash (hex) of the plain decrypted content for verification

signature

string

✅

HMAC-SHA256 signature (hex) of plain decrypted content, using your secret

validate_endpoint

string | null

✅

Optional URL you can call to validate before applying

only_if_paid

boolean

✅

If true, apply this injectable only when payment status is satisfied

is_active

boolean

✅

If false, injectable should be treated as disabled

meta

object

✅

Extra metadata (non-sensitive). Treat as optional/implementation detail.

last_delivered_at

string | null

✅

When it was last delivered/used (if tracked)

created_at

string

✅

ISO timestamp

updated_at

string

✅

ISO timestamp

Decryption + Verification

What is encrypted?

content is always encrypted
file_path is encrypted only when type = "file", otherwise it will be null

What you need to decrypt

Decrypt data.content using the same secret you used when creating the injectable
If data.file_path is not null, decrypt it using the same secret

Integrity verification (VERY IMPORTANT)

After decrypting content, verify both:

1) Content hash check

Compute:

hash('sha256', plaintext_content) → must equal data.content_hash

2) Signature check

Compute:

hash_hmac('sha256', plaintext_content, secret) → must equal data.signature

If either fails: treat the payload as invalid and don’t apply it.

Decryption Implementation

Below is the decryption algorithm your SDKs use, explained and then implemented for common languages.

Encrypted format

The encrypted payload is:

Base64 string (what you receive from API)
After base64 decode → a string shaped like:

iv::cipherText

Where:

iv = initialization vector (raw string)
cipherText = encrypted text

Cipher details

Cipher: AES-256-CBC
Key normalization: normalizedKey = SHA256(secret) as raw bytes
Decrypt: AES-256-CBC(cipherText, normalizedKey, iv)

function decrypt_secure(string $encrypted, string $key): string
{
    $decoded = base64_decode($encrypted, true);
    if ($decoded === false) {
        throw new RuntimeException('Failed to base64-decode the encrypted string.');
    }

    [$iv, $cipherText] = explode('::', $decoded, 2) + [null, null];
    if ($iv === null || $cipherText === null) {
        throw new RuntimeException('Invalid encrypted format — expected "iv::cipherText".');
    }

    // Normalize key to 32 bytes
    $normalizedKey = hash('sha256', $key, true);

    $decrypted = openssl_decrypt($cipherText, 'aes-256-cbc', $normalizedKey, 0, $iv);
    if ($decrypted === false) {
        throw new RuntimeException('Decryption failed. Possibly wrong key or corrupt input.');
    }

    return $decrypted;
}

import crypto from "crypto";

export function decryptSecure(encrypted, secret) {
  const decoded = Buffer.from(encrypted, "base64");
  const decodedStr = decoded.toString("utf8");

  const parts = decodedStr.split("::");
  if (parts.length < 2) {
    throw new Error('Invalid encrypted format — expected "iv::cipherText".');
  }

  const iv = Buffer.from(parts[0], "utf8");
  const cipherText = parts.slice(1).join("::"); 

  const normalizedKey = crypto.createHash("sha256").update(secret, "utf8").digest();

  const decipher = crypto.createDecipheriv("aes-256-cbc", normalizedKey, iv);
  let decrypted = decipher.update(cipherText, "utf8", "utf8");
  decrypted += decipher.final("utf8");

  return decrypted;
}

import base64
import hashlib
from Crypto.Cipher import AES  
from Crypto.Util.Padding import unpad

def decrypt_secure(encrypted: str, secret: str) -> str:
    decoded = base64.b64decode(encrypted)
    decoded_str = decoded.decode("utf-8")

    if "::" not in decoded_str:
        raise ValueError('Invalid encrypted format — expected "iv::cipherText".')

    iv_str, cipher_text = decoded_str.split("::", 1)

    normalized_key = hashlib.sha256(secret.encode("utf-8")).digest()  # 32 bytes
    iv = iv_str.encode("utf-8")

    cipher = AES.new(normalized_key, AES.MODE_CBC, iv)
    decrypted_padded = cipher.decrypt(cipher_text.encode("utf-8"))
    decrypted = unpad(decrypted_padded, AES.block_size)

    return decrypted.decode("utf-8")

import crypto from 'crypto';

/**
 * Normalize any key to 32 bytes using SHA-256
 */
function normalizeKey(key: string): Buffer {
  return crypto.createHash('sha256').update(key).digest();
}

/**
 * Encrypt a string using AES-256-CBC and base64 encoding.
 *
 * @param plaintext - Data to encrypt
 * @param key - Raw key (any string)
 * @returns base64(iv::cipherText)
 */
export function encryptSecure(plaintext: string, key: string): string {
  const iv = crypto.randomBytes(16);
  const hashedKey = normalizeKey(key);

  const cipher = crypto.createCipheriv('aes-256-cbc', hashedKey, iv);
  let encrypted = cipher.update(plaintext, 'utf8', 'base64');
  encrypted += cipher.final('base64');

  const payload = `${iv.toString('base64')}::${encrypted}`;
  return Buffer.from(payload).toString('base64');
}

/**
 * Decrypt a base64(iv::cipherText) string back to plaintext.
 *
 * @param encryptedBase64 - Encrypted payload
 * @param key - Original encryption key
 * @returns Plaintext
 */
export function decryptSecure(encryptedBase64: string, key: string): string {
  const decoded = Buffer.from(encryptedBase64, 'base64').toString();
  const [ivB64, cipherB64] = decoded.split('::');

  if (!ivB64 || !cipherB64) {
    throw new Error("Invalid encrypted format — expected 'iv::cipherText'");
  }

  const iv = Buffer.from(ivB64, 'base64');
  const hashedKey = normalizeKey(key);

  const decipher = crypto.createDecipheriv('aes-256-cbc', hashedKey, iv);
  let decrypted = decipher.update(cipherB64, 'base64', 'utf8');
  decrypted += decipher.final('utf8');

  return decrypted;
}

export async function decryptSecure(encryptedBase64: string, key: string): Promise<string> {
  const decoder = new TextDecoder();
  const encoder = new TextEncoder();

  const decoded = atob(encryptedBase64);
  const [ivB64, cipherB64] = decoded.split('::');

  const iv = Uint8Array.from(atob(ivB64), c => c.charCodeAt(0));
  const cipher = Uint8Array.from(atob(cipherB64), c => c.charCodeAt(0));

  const keyData = await crypto.subtle.digest('SHA-256', encoder.encode(key));
  const cryptoKey = await crypto.subtle.importKey('raw', keyData, 'AES-CBC', false, ['decrypt']);

  const decrypted = await crypto.subtle.decrypt({ name: 'AES-CBC', iv }, cryptoKey, cipher);
  return decoder.decode(decrypted);
}

The decryption and verification examples shown above are reference implementations provided to help you understand how DevPayr secures injectable payloads.

You are not required to use these exact snippets or the same libraries. You may freely adapt the logic to any programming language or framework of your choice, as long as the following rules are respected:

The encrypted fields (content and file_path, when present) are decrypted using the same secret you supplied when creating the injectable
The decrypted payload must produce the same content_hash (SHA-256) returned in the response
The computed HMAC-SHA256 signature using the decrypted content and your secret must match the returned signature

If all checks pass, the payload is guaranteed to be:

Untampered
Authentically generated by DevPayr
Exactly the same content you originally uploaded

This design ensures DevPayr remains SDK-agnostic, secure, and fully interoperable with any stack — whether you are using one of our SDKs or working directly with raw HTTP.

If you need help adapting this logic to another language, our SDKs and examples are a good reference point, but the cryptographic process itself remains universal.

PreviousList injectables NextCreate an injectable

Last updated 19 days ago

Endpoint

Authentication

Path Parameters

Headers

Request Example (cURL)

Response Fields Explained

Top-level response keys

data (Injectable) keys

Decryption + Verification

What is encrypted?

What you need to decrypt

Integrity verification (VERY IMPORTANT)

1) Content hash check

2) Signature check

Decryption Implementation

Encrypted format

Cipher details

`data` (Injectable) keys