🌐REST API

DevPayr provides a robust REST API that allows your backend systems to interact directly with projects, licenses, domains, payments, and injectables without relying on an SDK. This is ideal for teams that want full control, custom integrations, or need to connect DevPayr to existing infrastructure such as billing systems, CRMs, CI/CD pipelines, or internal admin tools.

The REST API is stateless, JSON-based, and secured using API Keys and/or License Keys, depending on the operation being performed.

Base URL

All REST API requests must be sent to the following base URL:

https://api.devpayr.dev/api/v1/

You should always define the base URL explicitly in your integration. DevPayr may introduce newer API versions or project-specific endpoints in the future, and setting the base URL ensures your integration remains stable and predictable.

Request & Response Format

All API requests and responses use JSON.

You must include the following header in all requests:

Accept: application/json

For requests that send data (POST, PUT, PATCH), also include:

Content-Type: application/json

All successful responses return structured JSON. Error responses follow the same format and include an appropriate HTTP status code.

Authentication Overview

DevPayr supports two authentication modes, depending on what you are trying to do.

1. API Key Authentication (Backend / Management)

API Keys are used to manage DevPayr resources such as projects, licenses, domains, injectables, and payment status.

Use this mode when you want to:

• Create or revoke licenses

• Manage domains

• Upload or retrieve injectables

• Toggle project payment status

• Automate workflows from your backend

2. License Key Authentication (Runtime Validation)

License Keys are used at runtime to validate whether a copy of your software is allowed to run.

Use this mode when you want to:

• Check if a license is valid

• Confirm payment status

• Retrieve injectables conditionally

Required Headers

API Key Authentication

X-API-KEY: YOUR_API_KEY
X-Devpayr-Domain: IDENTIFIER

License Key Authentication

X-LICENSE-KEY: YOUR_LICENSE_KEY
X-Devpayr-Domain: IDENTIFIER

---

About the X-Devpayr-Domain Header

The X-Devpayr-Domain header is mandatory for all raw HTTP (REST) requests.

It represents the runtime identifier of where the software is running. While it is commonly a domain name, it is not limited to domains.

It can be:

• A website domain (example.com)

• A subdomain (client.example.com)

• A device fingerprint

• A machine hash

• An installation ID

• Any stable identifier you use to represent a unique runtime instance

DevPayr uses this value to enforce domain limits, device limits, environment rules, and usage tracking.

Important: SDKs can automatically attach this header for you, but when using the REST API directly, you must always provide it explicitly.

Authentication Examples (cURL)

API Key Example

curl -X GET "https://api.devpayr.dev/api/v1/projects" \
  -H "Accept: application/json" \
  -H "X-API-KEY: YOUR_API_KEY" \
  -H "X-Devpayr-Domain: example.com"

License Key Example

curl -X POST "https://api.devpayr.dev/api/v1/project/has-paid" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "X-LICENSE-KEY: YOUR_LICENSE_KEY" \
  -H "X-Devpayr-Domain: device-fingerprint-abc123" \
  -d '{}'

Core Resource Categories

The REST API is organized around the following core resources:

• Projects

• Project Domains

• Licenses

• Injectables

• Payment Status

• Webhooks (read-only via logs)

Each resource follows predictable REST conventions.

Projects

Projects represent the software, application, product, or system you want to protect.

List Projects

GET /projects

Returns all projects accessible by the API Key.

Create a Project

POST /project

Creates a new project under the authenticated account.

Retrieve a Project

GET /project/{project_id}

Returns details for a specific project.

Update a Project

PATCH /project/{project_id}

Updates project metadata, redirect URLs, or webhook settings.

Delete a Project

DELETE /project/{project_id}

Deletes a project permanently.

Project Domains

Domains are added after a project is created and are used to control where licenses may run.

List Project Domains

GET /project/{project_id}/domains

Add a Domain

POST /project/{project_id}/domains

Domains can be assigned environments such as development, staging, or production.

Update a Domain

PUT /project/{project_id}/domain/{domain_id}

Delete a Domain

DELETE /project/{project_id}/domains/{domain_id}

Licenses

Licenses represent permission for a user, client, or system to run your software.

List Licenses for a Project

GET /project/{project_id}/licenses

Create a License

POST /project/{project_id}/licenses

View a License

GET /project/{project_id}/licenses/{license_id}

Revoke a License

POST /project/{project_id}/licenses/{license_id}/revoke

Reactivate a License

POST /project/{project_id}/licenses/{license_id}/reactivate

Delete a License

DELETE /project/{project_id}/licenses/{license_id}

Payment Status Checks

DevPayr allows you to check whether a project or domain has been marked as paid.

Check Payment Status via API Key

GET /project/{project_id}/has-paid

This is typically used by backend systems.

Check Payment Status via License Key

POST /project/has-paid

This is typically used at runtime by applications.

Both endpoints can optionally include injectables if the project or domain is paid.

Injectables (Advanced)

Injectables allow you to deliver dynamic scripts, files, or content only when a project or license is valid and paid.

List Injectables

GET /project/{project_id}/injectables

Create an Injectable

POST /project/{project_id}/injectables

Update an Injectable

PUT /project/{project_id}/injectables/{injectable_id}

Delete an Injectable

DELETE /project/{project_id}/injectables/{injectable_id}

Injectables can be streamed dynamically at runtime and should not be permanently written to disk in production systems.

Rate Limiting

All REST API endpoints are rate-limited to protect the platform.

If you exceed the limit, the API will return:

HTTP 429 Too Many Requests

You should implement retries with backoff in production integrations.

Error Handling

DevPayr uses standard HTTP status codes:

• 200 — Success

• 400 — Bad request or missing context

• 401 — Missing authentication

• 403 — Unauthorized or access denied

• 404 — Resource not found

• 422 — Validation error

• 429 — Rate limit exceeded

• 500 — Internal server error

Error responses always return JSON with a clear message field.

When to Use REST API vs SDK

Use the REST API when:

• You want full control over requests

• You are integrating from a non-supported language

• You are building custom automation or tooling

• You already have a mature backend system

Use an SDK when:

• You want faster integration

• You want automatic header handling

• You want built-in helpers for injectables and validation

Both options are fully supported.