A modern, developer-friendly authentication and software licensing platform. Clean RESTful endpoints, consistent JSON responses, and no legacy cruft.
Integrate license validation, user auth, and more with clean RESTful endpoints.
Manage licenses, users, and app data programmatically for reseller integrations.
Full CRUD for apps, licenses, users, variables, webhooks, blacklists, and more.
KeyAux uses three authentication methods depending on the API:
| API | Auth Method | Header |
|---|---|---|
| Client API | App Secret + Session Token | X-App-Secret + X-Session-Token |
| Seller API | Seller API Key | X-Seller-Key |
| Dashboard API | JWT Bearer Token | Authorization: Bearer <token> |
Every Client API request requires the X-App-Secret header. For user-level operations, you also need a session token:
X-App-Secret with every request to identify your app/users/login, /users/register, or /licenses/activate to get a session_tokenX-Session-Token on subsequent requests requiring an authenticated userPOST /licenses/validate or GET /blacklist/check only need the app secret — no session required.https://api.keyaux.comClient API: /api/v1/ • Seller API: /api/v1/seller/ • Dashboard API: /api/dashboard/
All responses follow a consistent JSON structure:
{ "success": true, "message": "...", "data": { ... } }{ "success": false, "error": "error_code", "message": "Human-readable description" }| Code | HTTP | Description |
|---|---|---|
missing_app_secret | 401 | X-App-Secret header not provided |
invalid_app_secret | 401 | App secret is wrong |
app_paused | 403 | Application is paused |
missing_session | 401 | X-Session-Token required |
invalid_session | 401 | Session expired or invalid |
not_authenticated | 401 | Need logged-in user session |
blacklisted | 403 | IP or HWID is blacklisted |
invalid_credentials | 401 | Wrong username or password |
banned | 403 | Account is banned |
hwid_mismatch | 403 | Hardware ID mismatch |
version_mismatch | 400 | App version outdated |
missing_signature | 401 | HMAC enabled but signature headers missing |
signature_expired | 401 | Signature timestamp outside 5-min window |
invalid_signature | 401 | HMAC signature verification failed |
For additional security, you can enable HMAC-SHA256 request signing on any application. When enabled, every Client API request must include a valid signature — preventing request tampering and replay attacks.
POST /api/dashboard/apps/:appId/hmac-secrethmac_secret (prefixed hk_) in your client applicationConstruct the signature message as:
{timestamp}.{METHOD}.{path}.{body}Where:
| Component | Description | Example |
|---|---|---|
timestamp | Current Unix epoch in seconds | 1740700800 |
METHOD | HTTP method, uppercased | POST |
path | Request pathname (no query string) | /api/v1/init |
body | Raw request body (empty string for GET) | {"version":"1.0"} |
Compute HMAC-SHA256(hmac_secret, message) and send as a hex string.
| Header | Description |
|---|---|
X-Signature | Hex-encoded HMAC-SHA256 signature |
X-Signature-Timestamp | Unix timestamp used in the signature (must be within 5 minutes of server time) |
import hmac, hashlib, time, json, requests
secret = "hk_your_hmac_secret"
timestamp = str(int(time.time()))
method = "POST"
path = "/api/v1/init"
body = json.dumps({"version": "1.0"})
message = f"{timestamp}.{method}.{path}.{body}"
signature = hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()
resp = requests.post("https://api.keyaux.com" + path,
headers={
"X-App-Secret": "as_your_app_secret",
"X-Signature": signature,
"X-Signature-Timestamp": timestamp,
"Content-Type": "application/json"
},
data=body
)const crypto = require('crypto');
const secret = 'hk_your_hmac_secret';
const timestamp = Math.floor(Date.now() / 1000).toString();
const method = 'POST';
const path = '/api/v1/init';
const body = JSON.stringify({ version: '1.0' });
const message = `${timestamp}.${method}.${path}.${body}`;
const signature = crypto.createHmac('sha256', secret).update(message).digest('hex');
fetch('https://api.keyaux.com' + path, {
method,
headers: {
'X-App-Secret': 'as_your_app_secret',
'X-Signature': signature,
'X-Signature-Timestamp': timestamp,
'Content-Type': 'application/json'
},
body
});| Code | HTTP | Description |
|---|---|---|
missing_signature | 401 | HMAC is enabled but X-Signature or X-Signature-Timestamp header is missing |
signature_expired | 401 | Timestamp is more than 5 minutes from server time |
invalid_signature | 401 | Signature does not match the expected value |
/api/dashboard/apps/:appId/hmac-secretJWTGenerate (or rotate) an HMAC secret and enable signing. Returns the new secret — store it securely, it cannot be retrieved again.
{
"success": true,
"hmac_secret": "hk_a1b2c3d4e5f6...",
"message": "HMAC secret generated and signing enabled"
}/api/dashboard/apps/:appId/hmac-secretJWTDisable HMAC signing and remove the secret. Client API requests will no longer require signatures.
hmac_enabled via PUT /api/dashboard/apps/:appId without rotating the secret.Create and manage your KeyAux dashboard account. These are for app owners, not end users.
/api/auth/registerRegister a new dashboard account.
| Field | Type | Required | Description |
|---|---|---|---|
username | string | Yes | 3-32 characters |
email | string | Yes | Valid email |
password | string | Yes | Min 6 characters |
curl -X POST https://api.keyaux.com/api/auth/register \
-H "Content-Type: application/json" \
-d '{"username":"myaccount","email":"me@example.com","password":"secret123"}'/api/auth/loginLogin. Returns a JWT for Dashboard API access.
| Field | Type | Required | Description |
|---|---|---|---|
username | string | Yes | Username |
password | string | Yes | Password |
{ "success": true, "token": "eyJhbG...", "user": { "id": "abc", "username": "myaccount" } }/api/dashboard/auth/meJWTGet the current dashboard user's profile.
curl https://api.keyaux.com/api/dashboard/auth/me \
-H "Authorization: Bearer YOUR_JWT"The Client API is what you integrate into your software. Clean, individual REST endpoints — no single-endpoint multiplexer.
/api/v1 and require X-App-Secret. Some additionally require X-Session-Token.| Method | Endpoint | Auth | Description |
|---|---|---|---|
| POST | /init | Secret | Init session, version check |
| GET | /app/info | Secret | Get app statistics |
| POST | /users/login | Secret | Login end user |
| POST | /users/register | Secret | Register end user |
| POST | /licenses/activate | Secret | Login with license key |
| POST | /licenses/validate | Secret | Check if key is valid |
| POST | /licenses/upgrade | Session+User | Upgrade subscription |
| GET | /session | Session | Check session |
| DELETE | /session | Session | Logout |
| GET | /user | Session+User | Get current user |
| GET | /variables/:key | Session | Get global variable |
| GET | /user/variables | Session+User | List user variables |
| GET | /user/variables/:key | Session+User | Get user variable |
| PUT | /user/variables/:key | Session+User | Set user variable |
| DELETE | /user/variables/:key | Session+User | Delete user variable |
| GET | /online | Session | Online users |
| POST | /logs | Session | Submit log |
| POST | /webhooks/:id | Session | Trigger webhook |
| GET | /blacklist/check | Secret | Check blacklist |
| POST | /user/change-password | Session+User | Change password |
| POST | /user/ban | Session+User | Self-ban |
/api/v1/initApp SecretInitialize a session and get app info. Optionally check client version.
| Field | Type | Required | Description |
|---|---|---|---|
version | string | No | Client version to verify |
curl -X POST https://api.keyaux.com/api/v1/init \
-H "X-App-Secret: your_app_secret" \
-H "Content-Type: application/json" \
-d '{"version":"1.0"}'{
"success": true,
"message": "Session initialized",
"data": {
"session_token": "abc123def456...",
"app": {
"name": "My App",
"version": "1.0",
"total_users": 150,
"online_users": 12,
"total_keys": 500
}
}
}/api/v1/users/loginApp SecretAuthenticate an end user. Validates credentials, HWID, subscription, and blacklist. Returns session token + user info.
| Field | Type | Required | Description |
|---|---|---|---|
username | string | Yes | Username |
password | string | Yes | Password |
hwid | string | No | Hardware ID for device locking |
curl -X POST https://api.keyaux.com/api/v1/users/login \
-H "X-App-Secret: your_app_secret" \
-H "Content-Type: application/json" \
-d '{"username":"player1","password":"pass123","hwid":"ABC-DEF-123"}'{
"success": true,
"message": "Login successful",
"data": {
"session_token": "xyz789...",
"user": {
"username": "player1",
"level": 1,
"hwid": "ABC-DEF-123",
"subscription": {
"name": "default",
"expiry": "2026-03-09T00:00:00.000Z",
"days_left": 28
},
"created_at": "2026-02-01T...",
"last_login": "2026-02-09T..."
}
}
}/api/v1/users/registerApp SecretRegister a new end user. Optionally provide a license key to activate a subscription.
| Field | Type | Required | Description |
|---|---|---|---|
username | string | Yes | 3-32 characters |
password | string | Yes | Min 6 characters |
email | string | No | Email address |
key | string | No | License key to activate |
hwid | string | No | Hardware ID |
/api/v1/licenses/activateApp SecretAuthenticate with just a license key — no username/password needed. Returns a session.
| Field | Type | Required | Description |
|---|---|---|---|
key | string | Yes | License key |
hwid | string | No | Hardware ID |
{
"success": true,
"message": "License activated",
"data": {
"session_token": "sess_abc123...",
"license": {
"key": "ABCDE-12345-FGHIJ-67890-KLMNO",
"level": 1,
"expiry": "2026-03-11T00:00:00.000Z",
"days": 30,
"uses_remaining": 0,
"note": null
}
}
}/api/v1/licenses/validateApp SecretCheck if a license key is valid without consuming a use. Great for pre-flight checks.
| Field | Type | Required | Description |
|---|---|---|---|
key | string | Yes | License key to validate |
{
"success": true,
"data": {
"valid": true,
"status": "active",
"level": 1,
"duration_days": 30,
"uses": { "current": 0, "max": 1 },
"expires_at": null,
"created_at": "2026-02-09T..."
}
}/api/v1/licenses/upgradeSession + UserExtend a logged-in user's subscription using a license key.
| Field | Type | Required | Description |
|---|---|---|---|
key | string | Yes | License key to consume |
curl -X POST https://api.keyaux.com/api/v1/licenses/upgrade \
-H "X-App-Secret: your_app_secret" \
-H "X-Session-Token: your_session_token" \
-H "Content-Type: application/json" \
-d '{"key":"XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"}'/api/v1/sessionSessionCheck if the current session is valid. Returns user info if authenticated.
/api/v1/sessionSessionDestroy the current session (logout).
/api/v1/userSession + UserGet the authenticated user's full profile including subscription info.
curl https://api.keyaux.com/api/v1/user \
-H "X-App-Secret: your_app_secret" \
-H "X-Session-Token: your_session_token"Two types: global (app-level, read-only to clients) and user (per-user, read-write).
/api/v1/variables/:keySessionGet a global (app-level) variable.
/api/v1/user/variablesSession + UserList all user variables. Returns { "variables": { "key": "value", ... } }
/api/v1/user/variables/:keySession + UserGet a specific user variable.
/api/v1/user/variables/:keySession + UserCreate or update a user variable. Body: { "value": "..." }
curl -X PUT https://api.keyaux.com/api/v1/user/variables/highscore \
-H "X-App-Secret: your_app_secret" \
-H "X-Session-Token: your_session_token" \
-H "Content-Type: application/json" \
-d '{"value":"9001"}'/api/v1/user/variables/:keySession + UserDelete a user variable.
/api/v1/app/infoApp SecretGet app stats (users, online, keys) without creating a session.
/api/v1/onlineSessionGet online users. Returns { "count": 3, "users": ["p1","p2","p3"] }
/api/v1/logsSessionSubmit a log entry. Body: { "message": "...", "pcuser": "..." }
/api/v1/webhooks/:idSessionTrigger a pre-configured webhook. Body: { "params": "...", "body": "...", "content_type": "..." }
/api/v1/blacklist/checkApp SecretCheck if IP/HWID is blacklisted. Query: ?hwid=xxx
/api/v1/user/change-passwordSession + UserChange password. Body: { "current_password": "...", "new_password": "..." }
/api/v1/user/banSession + UserSelf-ban the authenticated user. Irreversible from client side.
Manage licenses, users, and app data programmatically. All endpoints require X-Seller-Key header.
/api/v1/seller/{APP_NAME}/licenses, /api/v1/seller/{APP_NAME}/users, etc.https://api.keyaux.com/api/v1/seller/MyApp/licenses
https://api.keyaux.com/api/v1/seller/MyApp/users/player1/ban
https://api.keyaux.com/api/v1/seller/MyApp/stats/api/v1/seller/:app/licensesCreate license keys.
| Field | Type | Default | Description |
|---|---|---|---|
count | int | 1 | Number of keys (max 500) |
duration_days | int | 30 | Days per key |
level | int | 1 | Subscription level |
max_uses | int | 1 | Max uses per key |
mask | string | XXXXX-XXXXX-... | Key format (X=random) |
note | string | Internal note |
curl -X POST https://api.keyaux.com/api/v1/seller/MyApp/licenses \
-H "X-Seller-Key: ka_your_seller_key" \
-H "Content-Type: application/json" \
-d '{"count":5,"duration_days":30,"mask":"KA-XXXXX-XXXXX"}'/api/v1/seller/:app/licensesList all licenses. Query: ?page=1&limit=100&status=active
/api/v1/seller/:app/licenses/:keyGet license details.
/api/v1/seller/:app/licenses/:keyDelete a license key.
/api/v1/seller/:app/licenses/:key/banBan a license key.
/api/v1/seller/:app/licenses/:key/unbanUnban a license key.
/api/v1/seller/:app/licenses/bulk-deleteBulk delete licenses. Body: { "filter": "unused" | "used" | "expired" | "all" }
/api/v1/seller/:app/usersCreate a user. Body: { "username", "password", "email", "subscription", "duration_days", "level" }
/api/v1/seller/:app/usersList users. Query: ?page=1&limit=100&search=player
/api/v1/seller/:app/users/:usernameGet user data including all variables.
/api/v1/seller/:app/users/:usernameDelete user and all their data.
/api/v1/seller/:app/users/:username/banBan a user. Body: { "reason": "..." }. Kills active sessions.
/api/v1/seller/:app/users/:username/unbanUnban a user.
/api/v1/seller/:app/users/:username/reset-hwidReset user's hardware ID lock.
/api/v1/seller/:app/users/:username/extendExtend subscription. Body: { "days": 30, "subscription": "premium" }
curl -X POST https://api.keyaux.com/api/v1/seller/MyApp/users/player1/extend \
-H "X-Seller-Key: ka_your_seller_key" \
-H "Content-Type: application/json" \
-d '{"days":30}'/api/v1/seller/:app/users/:username/subtractSubtract time. Body: { "seconds": 0, "days": 0 }
/api/v1/seller/:app/users/:username/editEdit user. Body: { "email", "level", "subscription", "password", "hwid" } (all optional)
/api/v1/seller/:app/users/:username/variables/:keyGet user variable.
/api/v1/seller/:app/users/:username/variables/:keySet user variable. Body: { "value": "..." }
/api/v1/seller/:app/users/:username/variables/:keyDelete user variable.
/api/v1/seller/:app/users/bulk-deleteBulk delete users. Body: { "filter": "expired" | "banned" | "all" }
/api/v1/seller/:app/statsGet app statistics.
{
"success": true,
"data": {
"app": { "name": "MyApp", "version": "1.0", "paused": false },
"users": { "total": 150, "online": 12 },
"licenses": { "total": 500, "active": 300, "used": 180, "banned": 20 },
"logs": 5420
}
}/api/v1/seller/:app/reset⚠️ Reset all app data. Body: { "confirm": true }
Full CRUD for managing apps from the web dashboard. Requires Authorization: Bearer <jwt>.
/api/dashboard/ — Used by dash.keyaux.com. For programmatic access, prefer the Seller API.| Resource | Path | Operations |
|---|---|---|
| Applications | /api/dashboard/apps | List, Create, Update, Delete |
| Licenses | /api/dashboard/licenses/:appId | List, Create, Delete, Ban |
| Users | /api/dashboard/users/:appId | List, Create, Update, Delete, Ban |
| Variables | /api/dashboard/variables/:appId | List, Create, Update, Delete |
| Logs | /api/dashboard/logs/:appId | List, Clear |
| Webhooks | /api/dashboard/webhooks/:appId | List, Create, Update, Delete |
| Blacklist | /api/dashboard/blacklist/:appId | List, Add, Remove |
| Subscriptions | /api/dashboard/subscriptions/:appId | List, Create, Delete |
| Seller Keys | /api/dashboard/seller-keys | List, Create, Delete |
| HMAC Signing | /api/dashboard/apps/:appId/hmac-secret | Generate, Disable |
| Stats | /api/dashboard/stats | Get overview |
Test endpoints directly from your browser. Credentials are saved locally.
Send a request to see the response here.