🔐API Keys

API Keys are the “power tools” of DevPayr. While License Keys validate your software at runtime, API Keys allow your backend to communicate with DevPayr and perform advanced operations.

If a License Key is your product’s entry pass, an API Key is the VIP badge your backend uses to manage DevPayr itself.

🧠 What Are API Keys?

API Keys let your server:

• Create, update, revoke, or reactivate licenses

• Manage domains for a project

• Upload and retrieve injectables

• Run server-side payment checks

• Automate client provisioning

• Integrate DevPayr into your CI/CD or billing pipelines

• Build custom dashboards and internal tools

• Access DevPayr SDK service classes (projects(), licenses(), domains(), payments(), etc.)

API Keys turn DevPayr from “a licensing engine” into a fully programmable backend service.

🔑 API Keys vs License Keys

Key Type	Purpose	Used In
License Key	Validates whether the running copy of your app is allowed to run	Inside your app (frontend or backend)
API Key	Authenticates your backend to manage DevPayr resources	Server-side only

Quick rule:

License Key → “Is this copy licensed?” API Key → “Let my backend control DevPayr.”

If you only validate licenses → no API Key needed. If you want automation → API Key required.

🎯 When Do You Need an API Key?

Use an API Key when you want to:

• Auto-create licenses after payment

• Suspend or reactivate licenses inside your billing system

• Assign domains to clients dynamically

• Build a custom admin dashboard

• Work with injectables programmatically

• Check license/payment status from backend

• Access richer details via SDK service classes

• Build deeper integrations with your software pipeline

You don’t need an API Key if you’re only checking if a license is valid at runtime.

🛠️ Creating an API Key

1. Go to “API Keys” in the sidebar

This page lists all existing keys.

2. Click “Create New Key”

A form will appear.

3. Choose where the key should belong

Project-Scoped Key

Only works for one project.

Global Key (if your plan supports it)

Works across all your projects. Use carefully — global keys are extremely powerful.

4. Select the Scopes

Scopes define what the key can do.

Examples include:

• Reading/creating licenses

• Managing project domains

• Managing injectables

• Accessing payment checks

• Updating project meta

Each API Key should have only the permissions it needs.

5. (Optional) Set an Expiration Date

Useful for:

• Contractors

• Temporary integrations

• CI bots or staging pipelines

Leave empty for permanent keys.

6. Click “Create”

You’ll see the key once. Copy and store it securely.

🔒 Security Best Practices

Treat API Keys like real credentials.

• NEVER use API Keys in frontend code

• Keep API Keys in environment variables

• Prefer project-level keys over global keys

• Delete keys you’re no longer using

• Rotate keys regularly

• Limit scopes aggressively

If an API Key leaks, assume full backend access is compromised.

---

⚙️ Using API Keys in SDKs

SDKs automatically send all required headers — including the domain from which the app is running.

You can override the domain manually if your setup requires it.

Example (Node.js SDK)

import { DevPayr } from '@xultech/devpayr';

DevPayr.bootstrap({
  api_key: "YOUR_API_KEY",
  license: "LICENSE_KEY",   // optional if using only API operations
  secret: "SECRET_FOR_INJECTABLES",
  injectables: true,
  
  // Optional override — SDK auto-detects domain if omitted
  domain: "client-domain.com"
});

After bootstrapping:

const projectService = DevPayr.projects();
const licenseService = DevPayr.licenses();
const domainService = DevPayr.domains();
const injectableService = DevPayr.injectables();
const paymentService = DevPayr.payments();

PHP and Python SDKs follow the same principle.

🌐 Raw HTTP Calls (cURL)

When making direct API requests (cURL, Postman, fetch, axios, etc.):

The following headers are mandatory:

• X-API-KEY — authenticates your API Key

• X-Devpayr-Domain — tells DevPayr which domain is using the license

Example (Checking if a project is paid)

curl -X GET "https://api.devpayr.dev/api/v1/project/42/has-paid?action=check_project" \
  -H "Accept: application/json" \
  -H "X-API-KEY: YOUR_API_KEY_HERE" \
  -H "X-Devpayr-Domain: clientdomain.com"

Example (License-based validation)

curl -X POST "https://api.devpayr.dev/api/v1/project/has-paid" \
  -H "Content-Type: application/json" \
  -H "X-Devpayr-Domain: clientdomain.com" \
  -d '{"license":"DP-XXXX-XXXX-XXXX"}'

📌 Best Practices for API Key Usage

• Use project-scoped keys unless you truly need global access

• Store keys safely in environment variables

• Use the SDK whenever possible — it handles all required headers

• Always include X-Devpayr-Domain in raw HTTP requests

• Delete old or unused keys

• Combine API Key + License Key when you need deep control

🎉 Summary

• API Keys grant your backend controlled access to DevPayr

• Scopes define exactly what each API Key can do

• SDKs manage all required headers automatically

• Raw HTTP calls must always include X-API-KEY and X-Devpayr-Domain

• API Keys complement License Keys — they don’t replace them

This is the full, accurate, clean version of the “API Keys” page.