validation api

Verify a license over HTTP

This is the commercial platform's API. Licenses verify offline in the CLI without it — this endpoint is for services that want a hosted check and revocation status.

Endpoints

EndpointAuthPurpose
POST /api/validatepublicVerify a license document; reports its state and revocation.
POST /api/requestspublicCapture an access / contact-sales request.
POST /api/auth/loginpublicStaff sign-in; sets the session cookie.
GET /api/auth/mesessionThe signed-in account, or 401.
POST /api/auth/logoutsessionSign out; the session is revoked server-side.
POST /api/auth/passwordsessionChange your own password (current one required).
GET /api/admin/licensessessionList issued licenses.
POST /api/admin/licensessessionIssue and sign a license, attributed to you.
POST /api/admin/licenses/:id/revokesessionRevoke a license by id, attributed to you.
GET /api/admin/requestssessionList access requests.
POST /api/admin/userssessionCreate another staff account.
GET /api/healthpublicLiveness and configuration presence.
GET /api/readypublicReadiness — confirms the datastore is reachable.

Validate a license

POST the signed license document. The endpoint verifies the signature against the embedded production key and reports revocation. It is rate-limited and stores nothing about the request.

request
curl -sX POST https://axyvera.com/api/validate \
  -H 'content-type: application/json' \
  --data '{ "license": { … }, "signature": "…" }'
200 response
{
  "state": "valid",
  "valid": true,
  "revoked": false,
  "tier": "team",
  "customer": "Acme",
  "license_id": "…",
  "expires_at": "2027-01-01"
}

Authentication

Staff endpoints use a session cookie, not an API key. Sign in with email and password to receive axy_session — httpOnly, SameSite=Strict, 8-hour rolling expiry, revocable server-side. Passwords are scrypt-hashed; sign-in is rate-limited per IP and per account. Every license you issue or revoke is recorded under your account.

sign in, then issue
curl -c jar -sX POST https://axyvera.com/api/auth/login \
  -H 'content-type: application/json' \
  --data '{ "email": "you@axyvera.com", "password": "…" }'

curl -b jar -sX POST https://axyvera.com/api/admin/licenses \
  -H 'content-type: application/json' \
  --data '{ "customer": "Acme", "tier": "team", "seats": 5,
           "expiresAt": "2027-01-01", "features": ["core"] }'

Rate limits & errors

Public endpoints are rate-limited per client; exceeding the limit returns 429 with a Retry-After header. Errors share one envelope, and every response carries an x-request-id for correlation.

error envelope
{ "error": "Please check the form fields.", "details": { … } }
how this API is built
Storage, rate limiting, caching, and monitoring for these endpoints are described honestly on the platform page. None of it applies to the offline product.