Verify a license over HTTP
This is the commercial platform's API. Licenses verify offline in the CLI without it — this endpoint is for services that want a hosted check and revocation status.
Endpoints
| Endpoint | Auth | Purpose |
|---|---|---|
| POST /api/validate | public | Verify a license document; reports its state and revocation. |
| POST /api/requests | public | Capture an access / contact-sales request. |
| POST /api/auth/login | public | Staff sign-in; sets the session cookie. |
| GET /api/auth/me | session | The signed-in account, or 401. |
| POST /api/auth/logout | session | Sign out; the session is revoked server-side. |
| POST /api/auth/password | session | Change your own password (current one required). |
| GET /api/admin/licenses | session | List issued licenses. |
| POST /api/admin/licenses | session | Issue and sign a license, attributed to you. |
| POST /api/admin/licenses/:id/revoke | session | Revoke a license by id, attributed to you. |
| GET /api/admin/requests | session | List access requests. |
| POST /api/admin/users | session | Create another staff account. |
| GET /api/health | public | Liveness and configuration presence. |
| GET /api/ready | public | Readiness — confirms the datastore is reachable. |
Validate a license
POST the signed license document. The endpoint verifies the signature against the embedded production key and reports revocation. It is rate-limited and stores nothing about the request.
curl -sX POST https://axyvera.com/api/validate \
-H 'content-type: application/json' \
--data '{ "license": { … }, "signature": "…" }'{
"state": "valid",
"valid": true,
"revoked": false,
"tier": "team",
"customer": "Acme",
"license_id": "…",
"expires_at": "2027-01-01"
}Authentication
Staff endpoints use a session cookie, not an API key. Sign in with email and password to receive axy_session — httpOnly, SameSite=Strict, 8-hour rolling expiry, revocable server-side. Passwords are scrypt-hashed; sign-in is rate-limited per IP and per account. Every license you issue or revoke is recorded under your account.
curl -c jar -sX POST https://axyvera.com/api/auth/login \
-H 'content-type: application/json' \
--data '{ "email": "you@axyvera.com", "password": "…" }'
curl -b jar -sX POST https://axyvera.com/api/admin/licenses \
-H 'content-type: application/json' \
--data '{ "customer": "Acme", "tier": "team", "seats": 5,
"expiresAt": "2027-01-01", "features": ["core"] }'Rate limits & errors
Public endpoints are rate-limited per client; exceeding the limit returns 429 with a Retry-After header. Errors share one envelope, and every response carries an x-request-id for correlation.
{ "error": "Please check the form fields.", "details": { … } }