KeyAux API Reference

Welcome to the KeyAux API documentation. KeyAux provides a powerful authentication and licensing platform with three API layers:

Dashboard API

Manage applications, licenses, users, and settings from the web dashboard. Authenticated via JWT.

Client API

KeyAuth-compatible API for your desktop/mobile apps. Session-based authentication with HWID locking.

Seller API

Programmatic license and user management via API keys. Perfect for integrating with your store or bot.

Authentication

KeyAux uses three authentication methods depending on the API:

API	Method	Header
Dashboard	JWT Bearer Token	`Authorization: Bearer <token>`
Client	Session ID	Passed in request body as `sessionid`
Seller	API Key	`X-API-Key: <key>` or `?sellerkey=<key>`

Getting a JWT: Call POST /api/auth/login or POST /api/auth/register to receive a JWT token. Include it in the Authorization header for all Dashboard API requests.

Getting a Seller Key: Create seller keys from the Dashboard under Seller Keys. Keys start with ka_.

Base URL

All API requests should be made to:

Base URL

https://keyaux.caelen.workers.dev

All responses are JSON with the following structure:

JSON Response

{
  "success": true,
  "message": "Operation result",
  // ... additional data
}

Error Handling

KeyAux uses standard HTTP status codes alongside a success boolean in every response.

Code	Meaning
`200`	Success
`201`	Created successfully
`400`	Bad request — missing or invalid parameters
`401`	Unauthorized — invalid or expired token/key
`404`	Not found — resource doesn't exist or you don't own it
`409`	Conflict — resource already exists
`500`	Internal server error

Error Response Example

{
  "success": false,
  "message": "Username or email already exists"
}

POST /api/auth/register

Create a new KeyAux account. Returns a JWT token and user info. A default seller API key is automatically created.

Request Body

Field	Type	Required	Description
`username`	string	Yes	Unique username
`email`	string	Yes	Unique email address
`password`	string	Yes	Min 6 characters

Request

curl -X POST https://keyaux.caelen.workers.dev/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "username": "myuser",
    "email": "me@example.com",
    "password": "securepass123"
  }'

Response 201

{
  "success": true,
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "user": {
    "id": "abc123...",
    "username": "myuser",
    "email": "me@example.com",
    "plan": "free"
  }
}

POST /api/auth/login

Log in with username (or email) and password. Returns a JWT token valid for 7 days.

Request Body

Field	Type	Required	Description
`username`	string	Yes	Username or email
`password`	string	Yes	Account password

Request

curl -X POST https://keyaux.caelen.workers.dev/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "myuser",
    "password": "securepass123"
  }'

Response 200

{
  "success": true,
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "user": {
    "id": "abc123...",
    "username": "myuser",
    "email": "me@example.com",
    "plan": "free",
    "role": "user"
  }
}

GET /api/dashboard/auth/me JWT Required

Get the currently authenticated user's profile.

Request

curl https://keyaux.caelen.workers.dev/api/dashboard/auth/me \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"

Response 200

{
  "success": true,
  "user": {
    "id": "abc123...",
    "username": "myuser",
    "email": "me@example.com",
    "plan": "free",
    "role": "user",
    "created_at": "2026-02-09T12:00:00.000Z"
  }
}

PUT /api/dashboard/auth/password JWT Required

Change the authenticated user's password.

Request Body

Field	Type	Required	Description
`current_password`	string	Yes	Current password
`new_password`	string	Yes	New password

Request

curl -X PUT https://keyaux.caelen.workers.dev/api/dashboard/auth/password \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "current_password": "oldpass",
    "new_password": "newpass123"
  }'

GET /api/dashboard/stats JWT Required

Get aggregate stats across all your applications.

Response 200

{
  "success": true,
  "stats": {
    "applications": 3,
    "users": 142,
    "licenses": 500,
    "logs": 1280
  }
}

Applications

Manage your applications. Each application has its own set of users, licenses, variables, and settings.

GET /api/dashboard/apps JWT Required

List all your applications.

Response 200

{
  "success": true,
  "applications": [
    {
      "id": "abc123",
      "name": "My App",
      "secret": "as_xxxx...",
      "version": "1.0",
      "hwid_lock": 1,
      "anti_vpn": 0,
      "paused": 0,
      "created_at": "2026-02-09T12:00:00.000Z"
    }
  ]
}

POST /api/dashboard/apps JWT Required

Create a new application. A default subscription is automatically created.

Request Body

Field	Type	Required	Description
`name`	string	Yes	Application name
`version`	string	No	Version string (default: "1.0")

GET /api/dashboard/apps/:appId JWT Required

Get a single application with stats (users, licenses, active sessions, logs).

PUT /api/dashboard/apps/:appId JWT Required

Update application settings.

Request Body

Field	Type	Required	Description
`name`	string	No	App name
`version`	string	No	App version
`hwid_lock`	boolean	No	Enable HWID locking
`anti_vpn`	boolean	No	Enable VPN detection
`hash_check`	boolean	No	Enable hash checking
`paused`	boolean	No	Pause application

POST /api/dashboard/apps/:appId/reset-secret JWT Required

Regenerate the application secret key.

DELETE /api/dashboard/apps/:appId JWT Required

Delete an application and all associated data.

Licenses

Generate and manage license keys for your applications.

GET /api/dashboard/licenses/:appId JWT Required

List licenses with pagination, search, and status filtering.

Query Parameters

Param	Type	Default	Description
`page`	int	1	Page number
`limit`	int	50	Items per page
`search`	string		Search key, note, or used_by
`status`	string		Filter: active, used, banned

POST /api/dashboard/licenses/:appId JWT Required

Generate license key(s).

Request Body

Field	Type	Default	Description
`count`	int	1	Number of keys (max 500)
`mask`	string	XXXXX-XXXXX-XXXXX-XXXXX-XXXXX	Key format (X = random char)
`duration_days`	int	30	License validity in days
`level`	int	1	Subscription level
`max_uses`	int	1	Max activations
`note`	string		Internal note

Request

curl -X POST https://keyaux.caelen.workers.dev/api/dashboard/licenses/APP_ID \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "count": 5,
    "duration_days": 30,
    "mask": "XXXX-XXXX-XXXX-XXXX",
    "note": "Batch #1"
  }'

Response 201

{
  "success": true,
  "licenses": [
    { "id": "abc...", "license_key": "A1B2-C3D4-E5F6-G7H8" },
    { "id": "def...", "license_key": "I9J0-K1L2-M3N4-O5P6" }
  ],
  "count": 5
}

POST /api/dashboard/licenses/:appId/:licenseId/ban JWT Required

Ban a license key.

DELETE /api/dashboard/licenses/:appId/:licenseId JWT Required

Delete a single license.

DELETE /api/dashboard/licenses/:appId/unused/all JWT Required

Delete all unused licenses for an application.

DELETE /api/dashboard/licenses/:appId/used/all JWT Required

Delete all used licenses for an application.

Users

Manage end users (app users) who authenticate via the Client API.

GET /api/dashboard/users/:appId JWT Required

List users with pagination and search.

Query Parameters

Param	Type	Default	Description
`page`	int	1	Page number
`limit`	int	50	Items per page
`search`	string		Search username, email, HWID, or IP

GET /api/dashboard/users/:appId/:userId JWT Required

Get a single user with their variables.

POST /api/dashboard/users/:appId JWT Required

Manually create an app user.

Request Body

Field	Type	Required	Description
`username`	string	Yes	Username
`password`	string	Yes	Password
`email`	string	No	Email address
`level`	int	No	Subscription level (default: 1)
`subscription_name`	string	No	Subscription tier name
`subscription_days`	int	No	Days until expiry

POST /api/dashboard/users/:appId/:userId/ban JWT Required

Ban a user. Optionally include { "reason": "..." } in the body.

POST /api/dashboard/users/:appId/:userId/unban JWT Required

Unban a user.

POST /api/dashboard/users/:appId/:userId/reset-hwid JWT Required

Reset a user's hardware ID lock.

POST /api/dashboard/users/:appId/:userId/extend JWT Required

Extend a user's subscription.

Request Body

Field	Type	Default	Description
`days`	int	30	Days to add
`subscription_name`	string		Optionally change sub name

DELETE /api/dashboard/users/:appId/:userId JWT Required

Delete a user.

DELETE /api/dashboard/users/:appId/all/users JWT Required

Delete all users for an application.

Subscriptions

Manage subscription tiers for your applications.

GET /api/dashboard/subscriptions/:appId JWT Required

List subscription tiers.

POST /api/dashboard/subscriptions/:appId JWT Required

Create a subscription tier.

Request Body

Field	Type	Default	Description
`name`	string		Tier name (e.g., "Premium")
`level`	int	1	Access level
`duration_days`	int	30	Default duration in days

DELETE /api/dashboard/subscriptions/:appId/:subId JWT Required

Delete a subscription tier.

Variables

Key-value store for your application. Supports global (app-wide) and per-user variables.

Global Variables

GET /api/dashboard/variables/:appId/global JWT Required

List all global variables for an app.

POST /api/dashboard/variables/:appId/global JWT Required

Create or update a global variable.

Request Body

Field	Type	Required	Description
`key`	string	Yes	Variable key
`value`	string	No	Variable value

DELETE /api/dashboard/variables/:appId/global/:varId JWT Required

Delete a global variable.

User Variables

GET /api/dashboard/variables/:appId/user JWT Required

List user variables. Optionally filter by ?user_id=....

POST /api/dashboard/variables/:appId/user JWT Required

Set a user variable.

Request Body

Field	Type	Required	Description
`user_id`	string	Yes	Target user ID
`key`	string	Yes	Variable key
`value`	string	No	Variable value

DELETE /api/dashboard/variables/:appId/user/:varId JWT Required

Delete a user variable.

Webhooks

Create webhooks that can be triggered from client applications.

GET /api/dashboard/webhooks/:appId JWT Required

List all webhooks for an app.

POST /api/dashboard/webhooks/:appId JWT Required

Create a webhook.

Request Body

Field	Type	Required	Description
`name`	string	Yes	Webhook name
`url`	string	Yes	Target URL
`user_agent`	string	No	Custom User-Agent
`body`	string	No	Default request body
`auth_header`	string	No	Authorization header value

DELETE /api/dashboard/webhooks/:appId/:webhookId JWT Required

Delete a webhook.

Blacklist

Block IPs or hardware IDs from accessing your application.

GET /api/dashboard/blacklist/:appId JWT Required

List all blacklist entries.

POST /api/dashboard/blacklist/:appId JWT Required

Add an entry to the blacklist.

Request Body

Field	Type	Required	Description
`type`	string	Yes	`ip` or `hwid`
`value`	string	Yes	The IP or HWID to block
`note`	string	No	Reason/note

DELETE /api/dashboard/blacklist/:appId/:entryId JWT Required

Remove an entry from the blacklist.

Logs

View and manage activity logs for your applications.

GET /api/dashboard/logs/:appId JWT Required

List logs with pagination and filtering.

Query Parameters

Param	Type	Default	Description
`page`	int	1	Page number
`limit`	int	100	Items per page
`action`	string		Filter by action type
`search`	string		Search username, IP, or data

DELETE /api/dashboard/logs/:appId JWT Required

Clear all logs for an application.

Seller Keys

Manage API keys for the Seller API. Keys start with ka_.

GET /api/dashboard/seller-keys JWT Required

List all your seller API keys.

POST /api/dashboard/seller-keys JWT Required

Create a new seller API key.

Request Body

Field	Type	Required	Description
`name`	string	No	Key label (default: "New Key")

DELETE /api/dashboard/seller-keys/:keyId JWT Required

Delete a seller API key.

Client API Overview

The Client API is designed for use in your desktop, mobile, or game applications. It is KeyAuth-compatible — existing KeyAuth SDKs and libraries will work with KeyAux.

Single Endpoint: All client API requests go to POST /api/1.2/ with a type parameter that determines the operation. Supports both JSON and form-encoded bodies.

Session Flow: Always call init first to get a sessionid, then use that session ID for all subsequent requests.

Supported Request Types

Type	Description
`init`	Initialize session
`login`	User login
`register`	User registration
`license`	License-only authentication
`upgrade`	Upgrade subscription with key
`check`	Validate session
`var`	Get user variable
`setvar`	Set user variable
`getvar`	Get global variable
`log`	Add log entry
`webhook`	Execute webhook
`fetchOnline`	Get online users
`checkblack`	Check blacklist
`ban`	Self-ban

POST /api/1.2/ type: init

Initialize a session. Must be called before any other client API request.

Parameters

Field	Type	Required	Description
`type`	string	Yes	`"init"`
`name`	string	Yes	Application name
`ownerid`	string	Yes	Owner account ID
`ver`	string	No	Expected app version

Request

curl -X POST https://keyaux.caelen.workers.dev/api/1.2/ \
  -H "Content-Type: application/json" \
  -d '{
    "type": "init",
    "name": "My App",
    "ownerid": "YOUR_ACCOUNT_ID",
    "ver": "1.0"
  }'

Response 200

{
  "success": true,
  "message": "Initialized",
  "sessionid": "session_abc123...",
  "appinfo": {
    "numUsers": "142",
    "numOnlineUsers": "23",
    "numKeys": "500",
    "version": "1.0",
    "customerPanelLink": ""
  }
}

POST /api/1.2/ type: login

Login an end user. Validates credentials, HWID, subscription, and blacklist status.

Parameters

Field	Type	Required	Description
`type`	string	Yes	`"login"`
`sessionid`	string	Yes	Session from init
`username`	string	Yes	Username
`pass`	string	Yes	Password
`hwid`	string	No	Hardware ID

Response 200

{
  "success": true,
  "message": "Logged in",
  "info": {
    "username": "player1",
    "subscriptions": [{
      "subscription": "default",
      "key": "",
      "expiry": "2026-03-09T12:00:00.000Z",
      "timeleft": 28,
      "level": "1"
    }],
    "ip": "1.2.3.4",
    "hwid": "ABC123DEF456",
    "createdate": "2026-01-09T12:00:00.000Z",
    "lastlogin": "2026-02-09T12:00:00.000Z"
  }
}

POST /api/1.2/ type: register

Register a new end user. Optionally requires a license key.

Parameters

Field	Type	Required	Description
`type`	string	Yes	`"register"`
`sessionid`	string	Yes	Session from init
`username`	string	Yes	Username
`pass`	string	Yes	Password
`key`	string	No	License key
`email`	string	No	Email
`hwid`	string	No	Hardware ID

POST /api/1.2/ type: license

Authenticate using only a license key (no user account required).

Parameters

Field	Type	Required	Description
`type`	string	Yes	`"license"`
`sessionid`	string	Yes	Session from init
`key`	string	Yes	License key
`hwid`	string	No	Hardware ID

POST /api/1.2/ type: upgrade

Upgrade/extend a user's subscription using a license key.

Parameters

Field	Type	Required	Description
`type`	string	Yes	`"upgrade"`
`sessionid`	string	Yes	Session from init
`username`	string	Yes	Username
`key`	string	Yes	License key

POST /api/1.2/ type: check

Check if a session is still valid.

Parameters

Field	Type	Required	Description
`type`	string	Yes	`"check"`
`sessionid`	string	Yes	Session from init

POST /api/1.2/ type: var

Get a user-specific variable. Requires an active logged-in session.

Parameters

Field	Type	Required	Description
`type`	string	Yes	`"var"`
`sessionid`	string	Yes	Session (must be logged in)
`var`	string	Yes	Variable key

POST /api/1.2/ type: setvar

Set a user-specific variable. Creates or updates.

Parameters

Field	Type	Required	Description
`type`	string	Yes	`"setvar"`
`sessionid`	string	Yes	Session (must be logged in)
`var`	string	Yes	Variable key
`data`	string	No	Variable value

POST /api/1.2/ type: getvar

Get a global (app-wide) variable.

Parameters

Field	Type	Required	Description
`type`	string	Yes	`"getvar"`
`sessionid`	string	Yes	Session from init
`var`	string	Yes	Variable key (or use `varid`)

POST /api/1.2/ type: log

Add a log entry from the client application.

Parameters

Field	Type	Required	Description
`type`	string	Yes	`"log"`
`sessionid`	string	Yes	Session from init
`pcuser`	string	No	PC username / identifier
`message`	string	No	Log message

POST /api/1.2/ type: webhook

Execute a pre-configured webhook from the client.

Parameters

Field	Type	Required	Description
`type`	string	Yes	`"webhook"`
`sessionid`	string	Yes	Session from init
`webid`	string	Yes	Webhook ID
`params`	string	No	URL query params to append
`body`	string	No	Custom request body
`conttype`	string	No	Content-Type (default: application/json)

POST /api/1.2/ type: fetchOnline

Fetch a list of currently online users.

Parameters

Field	Type	Required	Description
`type`	string	Yes	`"fetchOnline"`
`sessionid`	string	Yes	Session from init

Response 200

{
  "success": true,
  "users": [
    { "credential": "player1" },
    { "credential": "player2" }
  ]
}

POST /api/1.2/ type: checkblack

Check if the current user's IP or HWID is blacklisted.

Parameters

Field	Type	Required	Description
`type`	string	Yes	`"checkblack"`
`sessionid`	string	Yes	Session from init
`hwid`	string	No	Hardware ID to check

POST /api/1.2/ type: ban

Self-ban the currently logged-in user. Used as an anti-tamper mechanism.

Parameters

Field	Type	Required	Description
`type`	string	Yes	`"ban"`
`sessionid`	string	Yes	Session (must be logged in)

Seller API Overview

The Seller API allows programmatic management of licenses and users via API keys. Perfect for integrating with payment processors, Discord bots, or custom store fronts.

Authentication: Include your seller key as an X-API-Key header or as a sellerkey query parameter.

Endpoint: All requests use GET /api/seller/ with the type query parameter.

Example Request

curl "https://keyaux.caelen.workers.dev/api/seller/?sellerkey=ka_xxx&type=add&appname=MyApp&expiry=30&amount=5"

Seller License Operations

GET /api/seller/?type=add Seller Key

Generate license key(s).

Query Parameters

Param	Type	Required	Description
`sellerkey`	string	Yes	Seller API key
`type`	string	Yes	`add`
`appname`	string	Yes	Application name
`expiry`	int	No	Duration in days (default: 30)
`mask`	string	No	Key format mask
`level`	int	No	Subscription level
`amount`	int	No	Number of keys (max 500)
`note`	string	No	Internal note

Response 200

{
  "success": true,
  "message": "License(s) created",
  "key": "A1B2C-D3E4F-G5H6I-J7K8L-M9N0P",
  "keys": ["A1B2C-...", "Q1R2S-..."]
}

GET /api/seller/?type=verify Seller Key

Verify a license key exists and get its details.

Query Parameters

Param	Required	Description
`appname`	Yes	Application name
`key`	Yes	License key to verify

GET /api/seller/?type=del Seller Key

Delete a license key. Params: appname, key.

GET /api/seller/?type=ban Seller Key

Ban a license key. Params: appname, key.

GET /api/seller/?type=unban Seller Key

Unban a license key. Params: appname, key.

GET /api/seller/?type=fetchallkeys Seller Key

Fetch all license keys for an app. Params: appname.

GET /api/seller/?type=delalllicenses Seller Key

Delete all licenses. Params: appname.

GET /api/seller/?type=delunused Seller Key

Delete all unused licenses. Params: appname.

GET /api/seller/?type=delused Seller Key

Delete all used licenses. Params: appname.

Seller User Operations

GET /api/seller/?type=adduser Seller Key

Create a user.

Query Parameters

Param	Required	Description
`appname`	Yes	Application name
`user`	Yes	Username
`pass`	No	Password (default: "default")
`sub`	No	Subscription name
`expiry`	No	Expiry in days

GET /api/seller/?type=deleteuser Seller Key

Delete a user. Params: appname, user.

GET /api/seller/?type=userdata Seller Key

Get user details. Params: appname, user.

GET /api/seller/?type=banuser Seller Key

Ban a user. Params: appname, user, reason (optional).

GET /api/seller/?type=unbanuser Seller Key

Unban a user. Params: appname, user.

GET /api/seller/?type=resetuser Seller Key

Reset a user's HWID. Params: appname, user.

GET /api/seller/?type=extend Seller Key

Extend a user's subscription.

Query Parameters

Param	Required	Description
`appname`	Yes	Application name
`user`	Yes	Username
`sub`	No	Subscription name
`expiry`	No	Days to add (default: 30)

GET /api/seller/?type=subtract Seller Key

Subtract time from a user's subscription. Params: appname, user, seconds.

GET /api/seller/?type=setvar Seller Key

Set a user variable. Params: appname, user, var, data.

GET /api/seller/?type=getvar Seller Key

Get a user variable. Params: appname, user, var.

GET /api/seller/?type=fetchallusers Seller Key

Fetch all users for an app. Params: appname.

GET /api/seller/?type=delexpusers Seller Key

Delete all expired users. Params: appname.

Seller App Operations

GET /api/seller/?type=resetapp Seller Key

Reset all application data (users, licenses, sessions, logs, variables, blacklist). The application itself is preserved.

Query Parameters

Param	Required	Description
`appname`	Yes	Application name

Warning: This action is irreversible. All users, licenses, sessions, logs, variables, and blacklist entries will be permanently deleted.