API Reference

Production endpoint contracts for authentication, licensing, user operations, security controls, and event observability.

Health

GET /health

Returns overall service health only.

{
  "ok": true,
  "service": "license_auth",
  "version": "0.1.0",
  "time_utc": 1700000000,
  "uptime_seconds": 300
}

GET /api/health

Alias for the same overall health response.

Authentication

GET /api/auth/login/challenge

Returns a challenge for encrypted login payload handshakes.

Query: ?username=admin
Response:
{
  "nonce": "f2d2f...",
  "key_id": "rsa-key-01",
  "expires_at": 1700000000
}

POST /api/auth/login

Supports encrypted login payloads and policy-based fallback.

{
  "username": "admin",
  "encrypted_password": "<base64>",
  "login_nonce": "f2d2f...",
  "key_id": "rsa-key-01",
  "challenge_ts": 1700000000
}
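
One way a server could check the challenge and login bodies above before decrypting anything, as an added example that is not the service's own code. The page does not document the validation rules, so the single-use nonce, the expiry check, the reading of challenge_ts as the client-reported challenge time, ttl_secs, the class name and the reason strings are assumptions; replay_window_secs and the encryption requirement mirror the settings listed under Security Policies.

```python
import secrets
import time

class LoginChallengeStore:
    """Hypothetical in-memory challenge state; not the service's implementation."""

    def __init__(self, key_id="rsa-key-01", ttl_secs=60,
                 replay_window_secs=120, enforce_encryption=True):
        self.key_id = key_id
        self.ttl_secs = ttl_secs  # assumed challenge lifetime
        self.replay_window_secs = replay_window_secs
        self.enforce_encryption = enforce_encryption
        self._pending = {}  # nonce -> (username, expires_at)

    def issue(self, username, now=None):
        """Body for GET /api/auth/login/challenge?username=..."""
        now = int(time.time()) if now is None else now
        nonce = secrets.token_hex(16)
        expires_at = now + self.ttl_secs
        self._pending[nonce] = (username, expires_at)
        return {"nonce": nonce, "key_id": self.key_id, "expires_at": expires_at}

    def check_login(self, body, now=None):
        """Pre-decryption checks on a POST /api/auth/login body -> (ok, reason)."""
        now = int(time.time()) if now is None else now
        if self.enforce_encryption and not body.get("encrypted_password"):
            return False, "encryption_required"
        if body.get("key_id") != self.key_id:
            return False, "unknown_key_id"
        ts = body.get("challenge_ts")
        if not isinstance(ts, int) or abs(now - ts) > self.replay_window_secs:
            return False, "outside_replay_window"
        nonce = body.get("login_nonce")
        # pop() makes the nonce single-use: a replayed body finds nothing.
        entry = self._pending.pop(nonce, None) if isinstance(nonce, str) else None
        if entry is None:
            return False, "nonce_unknown_or_reused"
        username, expires_at = entry
        if username != body.get("username"):
            return False, "nonce_user_mismatch"
        if now > expires_at:
            return False, "challenge_expired"
        return True, "ok"  # only now decrypt and verify the password

if __name__ == "__main__":
    store = LoginChallengeStore()
    ch = store.issue("admin")
    body = {"username": "admin", "encrypted_password": "<base64>",  # constructed sample
            "login_nonce": ch["nonce"], "key_id": ch["key_id"], "challenge_ts": int(time.time())}
    print(store.check_login(body), store.check_login(body))  # second call is a replay
```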

License Manager

POST /api/admin/keys

Issues a license with plan, owner, activation and device constraints.

{
  "plan": "pro",
  "level": "user",
  "owner": "customer_01",
  "days_valid": 30,
  "max_activations": 5,
  "max_devices": 3
}

POST /api/admin/keys/bulk-action

Runs renew/suspend/revoke/delete/hwid-reset actions over filtered key sets.

{
  "action": "renew",
  "days": 30,
  "status": "active",
  "plan": "pro"
}

DELETE /api/admin/keys/:id

Permanently deletes a key (guarded for safety and audit).

User & Subscription

POST /api/admin/users/:id/subscription

Applies a bundle preset and cycle to enforce capability boundaries.

{
  "preset": "gold",
  "cycle": "monthly",
  "admin_note": "manual approved payment"
}

POST /api/admin/users/:id/warn

Records a warning; the threshold policy may auto-enforce bans.

{
  "note": "license sharing violation"
}

Security Policies

POST /api/admin/security/settings

Sets global security controls for lockout, replay, reputation, and encryption.

{
  "enforce_login_payload_encryption": true,
  "max_login_attempts": 6,
  "replay_window_secs": 120,
  "ip_reputation_mode": "standard"
}

POST /api/super/controls

Executes emergency platform controls for super admins.

{
  "action": "force_reauth_non_admin"
}

GET /api/public/runtime-config

Publishes current frontend-visible security toggles and enabled feature flags.

{
  "security": { "enforce_login_payload_encryption": true, "network_protection_mode": "strict" },
  "features": { "guest_login_enabled": false, "demo_mode_enabled": true },
  "enabled_feature_flags": ["priority_tickets", "advanced_export"]
}

Events & Audits

GET /api/admin/events/view

Returns event stream records (risk, actor, IP, summary, timestamp).

GET /api/admin/audit/view

Returns immutable operator audit records for compliance workflows.

Webhook Formats

Webhook routes can emit standard JSON or Discord embed-compatible payloads.

{
  "event_type": "license.used",
  "severity": "info",
  "summary": "License activation accepted",
  "actor": "sdk:c++",
  "app_id": "app_123",
  "created_at": 1700000000
}