Retrieve an injectable

This endpoint fetches one injectable under a project. Injectables always return encrypted payloads for sensitive fields, plus integrity fields you can use to verify that what you decrypted is exactly what you originally uploaded/sent.

Endpoint

GET /v1/project/{project}/injectables/{injectable}

Authentication

This endpoint uses your API Key.

Required header

• X-API-KEY: <your_api_key>

Path Parameters

Parameter	Type	Required	Description
project	integer	✅	The project ID
injectable	integer	✅	The injectable ID

Headers

Header	Required	Description
X-API-KEY	✅	Your API key
Accept	recommended	Use application/json

Request Example (cURL)

Request

curl -X GET "https://api.devpayr.com/v1/project/2/injectables/3" \
  -H "X-API-KEY: YOUR_API_KEY" \
  -H "Accept: application/json"

Response Sample

Response Fields Explained

Top-level response keys

Key	Type	Description
status	string	"success" or "error" depending on outcome
message	string	Human-readable summary message
data	object | null	The returned resource (injectable) on success
errors	object | null	Error details (if any)

data (Injectable) keys

Key	Type	Always?	Description
id	integer	✅	Injectable ID
project_id	integer	✅	Project the injectable belongs to
slug	string	✅	Unique identifier (per project) used for referencing
title	string | null	✅	Friendly name
type	string	✅	Injectable type (e.g. file, snippet, html, script, etc.)
mode	string	✅	How the injectable should be applied (e.g. write, inject, etc.)
target_path	string	✅	Where it should be applied in the client project (path or destination)
content	string	✅	Encrypted content payload (decrypt using your secret)
file_path	string | null	✅	For type="file": Encrypted file reference/path. Otherwise null.
content_hash	string	✅	SHA-256 hash (hex) of the plain decrypted content for verification
signature	string	✅	HMAC-SHA256 signature (hex) of plain decrypted content, using your secret
validate_endpoint	string | null	✅	Optional URL you can call to validate before applying
only_if_paid	boolean	✅	If true, apply this injectable only when payment status is satisfied
is_active	boolean	✅	If false, injectable should be treated as disabled
meta	object	✅	Extra metadata (non-sensitive). Treat as optional/implementation detail.
last_delivered_at	string | null	✅	When it was last delivered/used (if tracked)
created_at	string	✅	ISO timestamp
updated_at	string	✅	ISO timestamp

Decryption + Verification

What is encrypted?

• content is always encrypted

• file_path is encrypted only when type = "file", otherwise it will be null

What you need to decrypt

• Decrypt data.content using the same secret you used when creating the injectable

• If data.file_path is not null, decrypt it using the same secret

Integrity verification (VERY IMPORTANT)

After decrypting content, verify both:

1) Content hash check

Compute:

• hash('sha256', plaintext_content) → must equal data.content_hash

2) Signature check

Compute:

• hash_hmac('sha256', plaintext_content, secret) → must equal data.signature

If either fails: treat the payload as invalid and don’t apply it.

Decryption Implementation

Below is the decryption algorithm your SDKs use, explained and then implemented for common languages.

Encrypted format

The encrypted payload is:

1. Base64 string (what you receive from API)

2. After base64 decode → a string shaped like:

iv::cipherText

Where:

• iv = initialization vector (raw string)

• cipherText = encrypted text

Cipher details

• Cipher: AES-256-CBC

• Key normalization: normalizedKey = SHA256(secret) as raw bytes

• Decrypt: AES-256-CBC(cipherText, normalizedKey, iv)

PHP

function decrypt_secure(string $encrypted, string $key): string
{
    $decoded = base64_decode($encrypted, true);
    if ($decoded === false) {
        throw new RuntimeException('Failed to base64-decode the encrypted string.');
    }

    [$iv, $cipherText] = explode('::', $decoded, 2) + [null, null];
    if ($iv === null || $cipherText === null) {
        throw new RuntimeException('Invalid encrypted format — expected "iv::cipherText".');
    }

    // Normalize key to 32 bytes
    $normalizedKey = hash('sha256', $key, true);

    $decrypted = openssl_decrypt($cipherText, 'aes-256-cbc', $normalizedKey, 0, $iv);
    if ($decrypted === false) {
        throw new RuntimeException('Decryption failed. Possibly wrong key or corrupt input.');
    }

    return $decrypted;
}

NodeJs

Python

Typescript

Browser

The decryption and verification examples shown above are reference implementations provided to help you understand how DevPayr secures injectable payloads.

You are not required to use these exact snippets or the same libraries. You may freely adapt the logic to any programming language or framework of your choice, as long as the following rules are respected:

• The encrypted fields (content and file_path, when present) are decrypted using the same secret you supplied when creating the injectable

• The decrypted payload must produce the same content_hash (SHA-256) returned in the response

• The computed HMAC-SHA256 signature using the decrypted content and your secret must match the returned signature

If all checks pass, the payload is guaranteed to be:

• Untampered

• Authentically generated by DevPayr

• Exactly the same content you originally uploaded

This design ensures DevPayr remains SDK-agnostic, secure, and fully interoperable with any stack — whether you are using one of our SDKs or working directly with raw HTTP.

If you need help adapting this logic to another language, our SDKs and examples are a good reference point, but the cryptographic process itself remains universal.