Product
API Documentation
REST API reference for programmatic control over authentication, licensing, and user management.
Base URL
Authentication
All requests must include your application API key in the X-API-Key header.
curl -X POST https://api.kyraxx.dev/v1/client/login \
-H "Content-Type: application/json" \
-H "X-API-Key: krxx_live_your_api_key" \
-d '{"username": "user@example.com", "password": "pass", "hwid": "ABC123"}'
Endpoints
/client/init
Initialize a client session. Returns application metadata, active session count, and server timestamp.
/client/login
Authenticate a user with username, password, and optional HWID. Returns a short-lived session_token, session expires_at, and account entitlement via account_expires_at / user_expires_at / user.expires_at (from app_users.expires_at — null means no account expiry).
/client/register
Register a new user. Requires username, password, and a valid license key. Optionally binds HWID on registration.
/client/validate
Validate a license key. Returns license status, expiry date, subscription tier, and HWID binding state.
/client/session-check
Verify an active session token is still valid. Returns rotated session credentials plus the same account expiry fields as login (account_expires_at, user_expires_at, user.expires_at). Do not treat session expires_at as the subscription end date.
/client/var
Retrieve server-side variables defined in the dashboard. Useful for feature flags, download URLs, or dynamic config.
Request & Response Format
All requests and responses use JSON. Successful responses return a success: true field. Error responses include a message field describing the issue.
// Login success — session TTL vs account entitlement
{
"success": true,
"session_token": "kxs_...",
"expires_at": "2026-07-10T12:15:00.000Z",
"account_expires_at": "2026-08-05T00:00:00.000Z",
"user_expires_at": "2026-08-05T00:00:00.000Z",
"user": {
"id": "usr_...",
"username": "player1",
"email": "user@example.com",
"expires_at": "2026-08-05T00:00:00.000Z"
}
}
// Error response
{
"error": "Invalid credentials"
}
Error Codes
400
Bad Request -- missing or invalid parameters
401
Unauthorized -- invalid or missing API key
403
Forbidden -- user banned or license expired
404
Not Found -- resource does not exist
409
Conflict -- HWID mismatch or duplicate registration
429
Too Many Requests -- rate limit exceeded