Product

API Documentation

REST API reference for programmatic control over authentication, licensing, and user management.

Base URL

https://api.kyraxx.dev/v1

Authentication

All requests must include your application API key in the X-API-Key header.

curl -X POST https://api.kyraxx.dev/v1/client/login \
  -H "Content-Type: application/json" \
  -H "X-API-Key: krxx_live_your_api_key" \
  -d '{"username": "user@example.com", "password": "pass", "hwid": "ABC123"}'

Endpoints

POST /client/init

Initialize a client session. Returns application metadata, active session count, and server timestamp.

POST /client/login

Authenticate a user with username, password, and optional HWID. Returns a short-lived session_token, session expires_at, and account entitlement via account_expires_at / user_expires_at / user.expires_at (from app_users.expires_at — null means no account expiry).

POST /client/register

Register a new user. Requires username, password, and a valid license key. Optionally binds HWID on registration.

POST /client/validate

Validate a license key. Returns license status, expiry date, subscription tier, and HWID binding state.

POST /client/session-check

Verify an active session token is still valid. Returns rotated session credentials plus the same account expiry fields as login (account_expires_at, user_expires_at, user.expires_at). Do not treat session expires_at as the subscription end date.

GET /client/var

Retrieve server-side variables defined in the dashboard. Useful for feature flags, download URLs, or dynamic config.

Request & Response Format

All requests and responses use JSON. Successful responses return a success: true field. Error responses include a message field describing the issue.

// Login success — session TTL vs account entitlement
{
  "success": true,
  "session_token": "kxs_...",
  "expires_at": "2026-07-10T12:15:00.000Z",
  "account_expires_at": "2026-08-05T00:00:00.000Z",
  "user_expires_at": "2026-08-05T00:00:00.000Z",
  "user": {
    "id": "usr_...",
    "username": "player1",
    "email": "user@example.com",
    "expires_at": "2026-08-05T00:00:00.000Z"
  }
}

// Error response
{
  "error": "Invalid credentials"
}

Error Codes

400 Bad Request -- missing or invalid parameters
401 Unauthorized -- invalid or missing API key
403 Forbidden -- user banned or license expired
404 Not Found -- resource does not exist
409 Conflict -- HWID mismatch or duplicate registration
429 Too Many Requests -- rate limit exceeded