Authentication

Requests are authenticated using a bearer token in an Authorization header. Within the header, use a Token resource's token attribute, like so:

Authorization: Bearer {TOKEN}

If you want to interact with Keygen's API client-side, then you should do so using our user resources, which we created for this purpose. You can create users with email and password credentials, which can be used during token generation to authenticate a user.

After a user is authenticated, they can interact with our API in a way that is limited to only their user profile.

There are a couple of other token types in addition to admin/user authentication tokens:

  • Activation tokens: authenticating as a license is useful when you're not utilizing our user resources for authentication, but you still want to perform client-side machine activation. Activation tokens allow a limited number of machine activations and deactivations. To create a new activation token, please see the License token relationship.
  • Product tokens: authenticating as a product is useful in server-side environments. These tokens allow full management of resources associated with the given product. To create a new product token, please see the Product token relationship.

All user tokens have a 2 week expiry and can be regenerated as needed during that timeframe. Admin and product tokens do not expire, and should only be used server-side. By default, activation tokens do not expire, but you may set an expiry during creation if desired.

Admin and product tokens should only be used server-side because they allow near full management of your Keygen account. This means that if an attacker were to obtain a product token from within your code, no matter how obfuscated, they will be able to create and manage licenses at will, including those of your other customers.

Most API endpoints will require authentication, and access to resources depends on the token bearer's authorization and role.

You can manage tokens using the Tokens resource.

Security Warning

Tokens should be treated as passwords. Different tokens carry different privileges depending on the bearer of the token, so be sure to keep them secret! Do not share your admin or product API tokens in publicly accessible areas such as GitHub, client-facing code, and so forth. If in doubt, please regenerate or revoke the offending token(s).
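
As an added example (not Keygen's own code), here is one way to follow the warning above on the server side: the token is read from an environment variable instead of source code, and the `Authorization: Bearer` value is scrubbed from log output. The variable name `KEYGEN_TOKEN`, the helper names and the sample token are assumptions made for this example.

```python
import logging
import os
import re

# Credential part of "Authorization: Bearer {TOKEN}", wherever it shows up in text.
BEARER_RE = re.compile(r"\b(Bearer)\s+([A-Za-z0-9._~+/=-]+)", re.IGNORECASE)


def redact_bearer(text: str) -> str:
    """Replace every bearer credential in text with a fixed marker."""
    return BEARER_RE.sub(r"\1 [REDACTED]", text)


def auth_headers(env_var: str = "KEYGEN_TOKEN") -> dict:
    """Build the Authorization header from the environment, never from source.

    KEYGEN_TOKEN is an assumed variable name, not one defined by Keygen.
    """
    token = os.environ.get(env_var, "").strip()
    if not token or any(ch.isspace() for ch in token):
        raise RuntimeError(f"{env_var} is unset or malformed")
    return {"Authorization": f"Bearer {token}"}


class BearerRedactingFilter(logging.Filter):
    """Handler filter that scrubs bearer tokens from a record's message."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so tokens passed as %-style arguments are caught too.
        record.msg = redact_bearer(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    os.environ.setdefault("KEYGEN_TOKEN", "constructed-sample-token")  # constructed
    handler = logging.StreamHandler()
    handler.addFilter(BearerRedactingFilter())
    log = logging.getLogger("keygen-client")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("sending %s", auth_headers()["Authorization"])
```

The filter only covers the formatted log message; tracebacks and other sinks (HTTP debug output, crash reports) need the same treatment separately.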