linkAPI Reference

The Keygen API is organized around REST principles. All requests must be made over TLS/SSL. In addition, all request and response bodies, including errors, are encoded in JSON format.

The API has predictable, resource-oriented URLs, and uses standard HTTP response codes to indicate API errors. We use built-in HTTP features, like authentication and HTTP verbs, which are understood by off-the-shelf HTTP clients. We support cross-origin resource sharing, allowing you to interact securely with our API from any client-facing software application.

linkArchitecture

How to model the communication layer between your app and Keygen. Although these are not the only way, they are some of the most common setups.

linkVersioning

When we introduce breaking changes to the API, we will release a new numbered version, e.g. we will go from v1 to v2. The current version is v1. All changes will be detailed within our changelog.

linkSecurity

1. Do not store your API tokens in version control. If you're using version control like Git or Subversion, do not store your API tokens in version control. It is recommended that you store tokens in a file that is never checked into the repository, or within the ENV.

   If one of your API tokens become compromised, quickly revoke it from your admin dashboard.

2. Do not embed your admin or product API tokens within your product's source code. If you're using Keygen client-side, do not embed your admin or product tokens within your product's source code. Doing so exposes your tokens and opens your account up to attackers.

   Instead, you can perform license and machine creation requests client-side while authenticated as one of your users and then you can listen for the corresponding webhook events to act accordingly e.g., charging them for new licenses, crediting them for deleted licenses or machines, etc. For an example of responding to user actions, see our Paddle integration example.

   If you're using Keygen server-side, see the above tip.

3. Embedding account, product and policy IDs directly into your product i.e. client-side code is perfectly safe. In fact, you won't be able to communicate with Keygen's API unless you do so, and managing e.g. feature licenses without being able to embed policy IDs wouldn't be feasible. With that in mind, it is recommended that you use your account ID over your account slug, as unlike your account slug, your ID is unchangable.

4. If you do not want your users to be able to create and manage their own licenses and machines (which necessitates listening for webhook events) then you should set your account to protected, which will require admin authentication to create and manage all resources, aside from token creation and license validation. Setting your account to protected can be done within your account settings.

   Alternatively, you can set individual license policies to protected (which by default is inherited from the account's current protected state), which will only disallow users from creating and managing licenses which implement that particular policy and their associated machines, rather than all resources e.g. public user creation, licenses that implement other unprotected policies, etc.

   By default, your account is unprotected, which allows user registration as well as the ability for users to manage their own resources.

5. To validate license keys offline, you will need to manually generate license keys server-side using a public/private keypair. For example, when creating a new license, you would specify the key attribute with a value generated from your private key. You would then validate the license key client-side by embedding a derived public key within your software. Here's an example of doing so using Node.

   Alternatively, you can set up "air-gapped" license activation using RSA cryptography, QR codes, and a mobile device. View our example implementation.

   Offline license validation cannot use metrics outside of simple expiry validation, as it would require an internet connection to e.g. validate against a license's machine requirements, etc. Keep that in mind.

6. If you only need to validate license keys, then you do not need to implement user authentication. The license validate-key action does not require authentication. If you're doing anything else e.g. validating multiple license resources per-user, tracking machines, etc., user authentication will be required in order to communicate with Keygen's API client-side.

   You can add required scopes to your policies to e.g. require a machine fingerprint, etc., which helps implement certain license models without the need for any additional server-side logic such as a webhook handler.

7. If you do not want the overhead of implementing webhooks, then you should only use Keygen server-side alongside your payment provider. Implementing Keygen client-side necessitates listening for webhook events, unless you're simply validating license keys directly, as mentioned above.

   When using Keygen client-side, you should utilize webhooks to e.g. keep your billing state up to date with recent user actions.

linkResponse Codes

Our API uses conventional HTTP response codes to indicate the success or failure of an API request. In general, codes in the 2xx range indicate success, codes in the 4xx range indicate an error that failed given the information provided (e.g., a required parameter was omitted, a validation failed, etc.), and codes in the 5xx range indicate an error with our servers (these are rare).

linkErrors

Below you will find the various attributes for request errors.

linkAuthentication

Requests are authenticated using a bearer token in an Authorization header. Within the header, you will utilize a Token resource's token attribute, like so,

Authorization: Bearer {TOKEN}

If you want to interact with Keygen's API client-side, then you should do so using our user resources, which we created for this purpose. You can create users with email and password credentials, which can be used during token generation to authenticate a user. After a user is authenticated, they can interact with our API in a way that is limited to only their account.

Along with admins and users, a product can also authenticate using product tokens; to create a new product token, please see the Product token relationship. All user tokens have a 2 week expiry and can be regenerated as needed during that timeframe. Admin and product tokens do not expire, but should only be used server-side.

Most API endpoints will require authentication, and access to resources depends on the token bearer's authorization and role.

You can manage tokens using the Tokens resource.

Security Warning

Tokens should be treated as passwords. Different tokens carry different privileges depending on the bearer of the token, so be sure to keep them secret! Do not share your admin or product API tokens in publicly accessible areas such as GitHub, client-facing code, and so forth. If in doubt, please reset or revoke the offending authentication token(s).

linkAuthorization

Access to certain resources is dependent upon a token bearer's role. Most of the time you will be authenticating as one of your users, which will allow access to a small subset of resources available to your account. In other cases, as when you are using the middleman architecture, you may be authenticating as a product, or even an admin; in these cases, you will have access to a wider range of resources.

Resource attributes and relationships marked with a "protected" badge are only allowed to be specified if the authenticated bearer is an admin of the account, or a product that owns the specified resource. Attributes and relationships marked with a "read only" badge can not be modified.

Many resource endpoints are automatically scoped according to the token bearer's role. For example, listing all licenses while authenticated as a product will only list licenses associated with that particular product. Attempting to access resources that the bearer does not have access to will respond with a 403 forbidden error.

Here's a quick summary of the different authorization roles:

linkRate Limiting

A single IP address can make a maximum burst of 100 requests per 10 second window, regardless of authentication. If we see patterns of abuse, this may be lowered or the IP may be temporarily blacklisted or in rare cases of significant abuse, permanently blacklisted.

You can check the returned HTTP headers of any API request to see your current rate limit status:

linkRelationships

Throughout the API, many resources will have a relationships hash containing another resource which they are associated with. When creating or modifying a relationship, you will be introduced to what's called a "resource identifier object", or linkage for short.

A "resource identifier object" is a hash that identifies an individual resource. The linkage hash must contain a type and an id of the individual resource for the relationship.

linkMetadata

Many resources including products, users, licenses, machines and policies have a metadata attribute. You can use this attribute to attach key-value data to the given resource.

Metadata is useful for storing additional, structured information on an object. As an example, you could store your user's zipcode, their id within your own database (if applicable), or their Stripe customer_id for billing purposes.

Since the metadata attribute is simply a key-value store (hash), all write operations will overwrite the entire hash, so be sure to merge existing data on your end when performing updates.

You can specify up to 64 keys, with key names up to 256 characters long and values up to 512 characters long.

linkPagination

All top-level API resources have support for bulk fetches via "list" API methods. For instance you can list users, list licenses, and list machines. These list API methods share a common format, taking an optional page query parameter.

Our API utilizes a page-based strategy via the page[size] and page[number] parameters. All results are returned in reverse chronological order.

linkIdempotency

Some resources, such as webhook events may contain an idempotency token inside of a meta hash. In the case of webhook events, these tokens allow you to safely retry events without accidentally responding to the same event multiple times.

linkSignatures

Each Keygen account is equipped with it's own unique RSA 2048-bit public/private keypair, which is used in signing response payloads using rsa-sha256. You can find your account's public key within your dashboard settings page, which you can use to verify response payloads.

You may utilize your account's public key to verify that successful requests, and webhooks, originated from Keygen. This is useful in preventing man-in-the-middle (MITM) attacks, where an attacker will redirect requests to a local server under their control which defaults to sending "valid" license responses.

To see an example of signature verfication, check out our example on GitHub. It will show you how to utilize your account's public key to verify that the response was signed using your account's private key.

linkWebhooks

Webhook events are dispatched using POST requests to an account's webhook endpoints. Events usually get sent quickly, but sometimes there can be a small delay. If you experience a delay longer than 1 hour for the initial event, please contact us.

To verify that a webhook event originated from us, you can retrieve the event directly via the API, or use signature verification.