linkAPI Reference

The Keygen API is organized around REST principles. All requests must be made over TLS/SSL. In addition, all request and response bodies, including errors, are encoded in JSON format.

The API has predictable, resource-oriented URLs, and uses standard HTTP response codes to indicate API errors. We use built-in HTTP features, like authentication and HTTP verbs, which are understood by off-the-shelf HTTP clients. We support cross-origin resource sharing, allowing you to interact securely with our API from any client-facing software application.

linkArchitecture

How to model the communication layer between your app and Keygen. Although these are not the only way, they are some of the most common setups.

linkVersioning

When we introduce breaking changes to the API, we will release a new numbered version, e.g. we will go from v1 to v2. The current version is v1. All changes will be detailed within our changelog.

linkSecurity

1. Do not store your API tokens in version control. If you're using version control like Git or Subversion, do not store your API tokens in version control. It is recommended that you store tokens in a file that is never checked into the repository, or within the ENV.

   If one of your API tokens become compromised, quickly revoke it from your admin dashboard.

2. Do not embed your admin or product API tokens within your product's source code. If you're using Keygen client-side, do not embed your admin or product tokens within your product's source code. Doing so exposes your tokens and opens your account up to attackers.

   Instead, you can perform license and machine creation requests client-side while authenticated as one of your users and then you can listen for the corresponding webhook events to act accordingly e.g., charging them for new licenses, crediting them for deleted licenses or machines, etc. For an example of responding to user actions, see our Paddle integration example.

   If you're using Keygen server-side, see the above tip.

3. Embedding account, product and policy IDs directly into your product i.e. client-side code is perfectly safe. In fact, you won't be able to communicate with Keygen's API unless you do so, and managing e.g. feature licenses without being able to embed policy IDs wouldn't be feasible. With that in mind, it is recommended that you use your account ID over your account slug, as unlike your account slug, your ID is unchangable.

4. If you do not want your users to be able to create and manage their own licenses and machines (which necessitates listening for webhook events) then you should set your account to protected, which will require admin authentication to create and manage all resources, aside from token creation and license validation. Setting your account to protected can be done within your account settings.

   Alternatively, you can set individual licenses policies to protected (which by default is inherited from the account's current protected state), which will only disallow users from creating and managing licenses which implement that particular policy and their associated machines, rather than all resources e.g. public user creation, licenses that implement other unprotected policies, etc. You can also set a license to protected, which will disallow machine activation/deactivation; similar to policies, the license's protected attribute is inherited from its policy.

   By default, your account is unprotected, which allows user registration as well as the ability for users to manage their own resources.

5. To validate license keys offline, you can cryptographically sign or encrypt license keys. To enable this feature, you choose an appropriate scheme when creating a new policy. Each scheme will behave differently, so be sure that you understand how to implement and verify the one you choose. Reach out to our support channels if you have any questions.

   Alternatively, you can set up "air-gapped" license activation using TOTP, QR codes, and a mobile device. View our example implementation.

   Please note that offline license validation is, of course, quite limited in what can be enforced. E.g. to validate against a license's machine requirements would require an internet connection. Keep that in mind.

6. If you only need to validate license keys, then you do not need to implement user authentication. The license validate-key action does not require authentication. If you're doing anything else e.g. validating multiple license resources per-user, tracking machines, etc., user authentication will be required in order to communicate with Keygen's API client-side.

   You can add required scopes to your policies to e.g. require a machine fingerprint, etc., which helps implement certain license models without the need for any additional server-side logic such as a webhook handler.

7. If you do not want the overhead of implementing webhooks, then you should only use Keygen server-side alongside your payment provider. Implementing Keygen client-side necessitates listening for webhook events, unless you're simply validating license keys directly, as mentioned above.

   When using Keygen client-side, you should utilize webhooks to e.g. keep your billing state up to date with recent user actions.

linkResponse Codes

Our API uses conventional HTTP response codes to indicate the success or failure of an API request. In general, codes in the 2xx range indicate success, codes in the 4xx range indicate an error that failed given the information provided (e.g., a required parameter was omitted, a validation failed, etc.), and codes in the 5xx range indicate an error with our servers (these are rare).

linkErrors

Below you will find the various attributes for request errors.

linkAuthentication

Requests are authenticated using a bearer token in an Authorization header. Within the header, you will utilize a Token resource's token attribute, like so,

Authorization: Bearer {TOKEN}

If you want to interact with Keygen's API client-side, then you should do so using our user resources, which we created for this purpose. You can create users with email and password credentials, which can be used during token generation to authenticate a user.

After a user is authenticated, they can interact with our API in a way that is limited to only their user account.

There are a couple other token types in addition to admin/user authentication tokens:

• Activation tokens: authenticating as a license is useful when you're not utilizing our user resources for authentication, but you still want to perform client-side machine activation. Activation tokens allow a limited number of machine activations and deactivations. To create a new activation token, please see the License token relationship.
• Product tokens: authenticating as a product is useful in server-side environments. These tokens allow full management of resources associated with the given product. To create a new product token, please see the Product token relationship.

All user tokens have a 2 week expiry and can be regenerated as needed during that timeframe. Admin and product tokens do not expire, and should only be used server-side. By default, activation tokens do not expire, but you may set an expiry during creation if desired.

Most API endpoints will require authentication, and access to resources depends on the token bearer's authorization and role.

You can manage tokens using the Tokens resource.

Security Warning

Tokens should be treated as passwords. Different tokens carry different privileges depending on the bearer of the token, so be sure to keep them secret! Do not share your admin or product API tokens in publicly accessible areas such as GitHub, client-facing code, and so forth. If in doubt, please regenerate or revoke the offending token(s).

linkAuthorization

Access to certain resources is dependent upon a token bearer's role. Most of the time you will be authenticating as one of your users, which will allow access to a small subset of resources available to your account. In other cases, as when you are using the middleman architecture, you may be authenticating as a product, or even an admin; in these cases, you will have access to a wider range of resources.

Resource attributes and relationships marked with a "protected" badge are only allowed to be specified if the authenticated bearer is an admin of the account, or a product that owns the specified resource. Attributes and relationships marked with a "read only" badge can not be modified.

Many resource endpoints are automatically scoped according to the token bearer's role. For example, listing all licenses while authenticated as a product will only list licenses associated with that particular product. Attempting to access resources that the bearer does not have access to will respond with a 403 forbidden error.

Here's a quick summary of the different authorization roles:

linkRate Limiting

A single IP address can make a maximum burst of 50 requests per 10 second window and 300 requests per 5 minute window, which allows for 1 request/sec with short bursts of up to 3-5 requests/sec, regardless of authentication. If we see patterns of abuse, this limit may be lowered or the IP may be temporarily blacklisted. In rare cases of significant abuse, the IP may be permanently blacklisted from our API.

You can check the returned HTTP headers of any API request to see your current rate limit status for the burst window:

linkRelationships

Throughout the API, many resources will have a relationships hash containing another resource which they are associated with. When creating or modifying a relationship, you will be introduced to what's called a "resource identifier object", or linkage for short.

A "resource identifier object" is a hash that identifies an individual resource. The linkage hash must contain a type and an id of the individual resource for the relationship.

linkMetadata

Many resources including products, users, licenses, machines and policies have a metadata attribute. You can use this attribute to attach key-value data to the given resource.

Metadata is useful for storing additional, structured information on an object. As an example, you could store your user's zipcode, their id within your own database (if applicable), or their Stripe customer_id for billing purposes.

Since the metadata attribute is simply a key-value store (hash), all write operations will overwrite the entire hash, so be sure to merge existing data on your end when performing updates.

Please note: all keys will be transformed into camelcase (exampleKey), so we recommend using camelcase when possible. For example, example_key will be transformed into exampleKey, ExampleKey will also be transformed into exampleKey, etc.

You can specify up to 64 keys, with key names up to 256 characters long and values up to 512 characters long.

linkPagination

All top-level API resources have support for bulk fetches via "list" API methods. For instance you can list users, list licenses, and list machines. These list API methods share a common format, taking an optional page query parameter.

Our API utilizes a page-based strategy via the page[size] and page[number] parameters. All results are returned in reverse chronological order.

linkIdempotency

Some resources, such as webhook events may contain an idempotency token inside of a meta hash. In the case of webhook events, these tokens allow you to safely retry events without accidentally responding to the same event multiple times.

linkCryptography

Each Keygen account is equipped with its own unique RSA 2048-bit public/private keypair, which is used in signing response payloads using RSA-SHA256, and which can also be used to sign or encrypt license keys for offline license verification using schemes. The scheme used for license key signing and encryption will depend on the cryptographic scheme that the particular policy implements.

You can find your account's public key within your dashboard settings page, which you can use to verify response payloads and license keys. Private keys are kept securely encrypted on our servers.

linkSignatures

You may utilize your account's public key to verify that successful requests, and webhooks, originated from Keygen. This is useful for verifying requests came from Keygen, as well as for preventing man-in-the-middle (MITM) attacks, where an attacker will redirect requests to a local server under their control which defaults to sending "valid" license responses.

To see an example of signature verfication, check out our example on GitHub. It will show you how to utilize your account's public key to verify that the response was signed using your account's private key.

linkTesting

When implementing a testing strategy for your licensing integration, we recommend that you fully mock our APIs. This is especially important for CI/CD systems, to prevent unneeded load on our servers. Mocking our APIs will also allow you to more easily stay within your account's daily request limits.

Most popular programming languages will have at least 1 mocking library for HTTP APIs, but feel free to reach out to us for recommendations.

linkWebhooks

Webhook events are dispatched using POST requests to an account's webhook endpoints. Events usually get sent quickly, but sometimes there can be a small delay. If you experience a delay longer than 1 hour for the initial event, please contact us.

To verify that a webhook event originated from us, you can retrieve the event directly via the API, or use signature verification.