API reference
Every HTTP endpoint on the SDKey Worker, top to bottom.
Conventions
- Base URL:
https://api.sdkey.dev - Base path:
/api/v1(plusGET /health) - Dashboard auth: cookie
sdkey_session(EdDSA JWT, 7 days) orAuthorization: Bearer sdk_live_… - Client license path: no developer auth — see License control
- Rate limits are per IP per 60s window unless noted
Health
Auth: Public
{ "ok": true, "service": "sdkey-api" }Auth
Auth: Public (rate: 20/min)
Body: email, password (12–128), name, turnstileToken (Cloudflare Turnstile). Sets session cookie. 201 { success, developer }.
Auth: Public (rate: 20/min)
Body: email, password, turnstileToken. Sets session cookie.
Auth: Public
Clears session cookie.
Auth: Cookie or Bearer
{ success, developer }
Apps
All routes require cookie or Bearer.
Auth: Required
Body: name, optional version (default 1.0.0). Returns application + sdkHint; embed publicKeyB64 in clients.
Auth: Required
{ success, applications }
Auth: Required
Single application owned by the developer.
Auth: Required
Query: limit, cursor. Paginated license list.
Auth: Required
Body: seconds (positive, max ~10 years). Extends active licenses for the app.
Auth: Required
Query: limit, cursor. Security / validation logs.
Licenses (developer)
Auth: Required (rate: 30/min)
Default account mode — server mints plaintext keys once.
{
"applicationId": "<uuid>",
"amount": 1,
"durationSeconds": 2592000,
"note": "optional",
"mask": "SDKY-XXXX-XXXX-XXXX-XXXX"
}201: { success, keys, warning }. Server stores SHA-256 + prefix.
Auth: Required (rate: 30/min)
Private mode — client mints; send hashes only (no plaintext licenseKey).
{
"applicationId": "<uuid>",
"keys": [
{
"licenseKeyHash": "<64 hex sha256>",
"licenseKeyPrefix": "SDKY-ABCD…",
"durationSeconds": 0,
"noteCiphertextB64": "optional"
}
],
"mask": "optional"
}Auth: Required
Ban a license; invalidates KV cache.
Auth: Required
Delete a license.
Session & validate (client)
Public SDK endpoints — detailed guide: License control.
Auth: Public (rate: 60/min)
Body: appId, clientNonceB64 (32 bytes). Returns signed hello + session material.
Auth: Public (rate: 120/min)
Sealed AES-GCM envelope required. HWID lock on first success. See License control.
Metrics
Auth: Required
App counts, license status tallies, validations last 24h.
Account
Auth: Required
Body: mask (string or null). Default license key mask.
Auth: Required (rate: 20/min)
Body: mode (default | private), password.
Auth: Required (rate: 20/min)
Body: vault check blob fields + password. Used for Private-mode note encryption in the browser.
Auth: Required
List key metadata (no plaintext).
Auth: Required
Soft-revoke a key.
Rate limits
auth 20 / min session 60 / min validate 120 / min licenseCreate 30 / min blindCreate 30 / min accountSensitive 20 / min apiKeyAuth 30 / min (failed Bearer attempts)