> ## Documentation Index
> Fetch the complete documentation index at: https://docs.authforge.cc/llms.txt
> Use this file to discover all available pages before exploring further.

# Developer API Overview

> Authenticate, manage licenses, and automate your AuthForge integration with the server-to-server REST API.

The AuthForge Developer API lets you manage licenses programmatically from your own backend. Use it to create licenses after Stripe payments, revoke access, manage variables, configure webhooks, and more.

## Base URL

```
https://api.authforge.cc/v1/
```

All endpoints are prefixed with `/v1/`.

## Authentication

Every request must include your API key in the `Authorization` header as a Bearer token:

```bash theme={null}
Authorization: Bearer af_live_your_key_here
```

API keys are created in the [Dashboard](https://app.authforge.cc/dashboard) under **Settings → API Keys**. Keys are prefixed with `af_live_` for identification.

Each key is scoped to your account and can manage licenses across all of your applications; the target app is specified per-request via the `appId` field or URL parameter.

<Warning>
  API keys are shown only once when created. Store them securely. If compromised, delete the key in the dashboard and create a new one.
</Warning>

## Rate limits

| Limit     | Value               |
| --------- | ------------------- |
| Burst     | 100 requests/second |
| Sustained | 50 requests/second  |

If you exceed the rate limit, you'll receive `HTTP 429` with the Developer API error shape (`error` + `message`). Back off and retry with exponential backoff.

Public SDK endpoints on `auth.authforge.cc` (`/auth/validate`, `/auth/heartbeat`, `/auth/selfban`) use **different** limits and a different JSON body on failure: `{ "status": "failed", "error": "rate_limited" }`. `/auth/validate` has extra per-IP and per-license application limits; `/auth/heartbeat` is not IP rate-limited at the application layer. See [Error Codes Reference](/api/errors#public-auth-errors-sdk).

## Credits

The Developer API itself does not consume credits. Credits are only consumed by SDK authentication (validate and heartbeat calls). See [Managing Credits](/best-practices/credit-management) for details.

## Response format

All responses return JSON. Successful responses include the requested data directly:

```json theme={null}
{
  "licenses": [...],
  "cursor": null
}
```

Error responses include an `error` code and a human-readable `message`:

```json theme={null}
{
  "error": "not_found",
  "message": "Resource not found"
}
```

## Pagination

List endpoints use cursor-based pagination. If more results are available, the response includes a `cursor` value. Pass it as a query parameter in the next request:

```bash theme={null}
# First page
curl "https://api.authforge.cc/v1/licenses?appId=YOUR_APP_ID&limit=100" \
  -H "Authorization: Bearer af_live_your_key"

# Next page
curl "https://api.authforge.cc/v1/licenses?appId=YOUR_APP_ID&limit=100&cursor=eyJsaW..." \
  -H "Authorization: Bearer af_live_your_key"
```

When `cursor` is `null`, you've reached the last page.

## Endpoints

### Licenses

| Method | Path                                                         | Description                             |
| ------ | ------------------------------------------------------------ | --------------------------------------- |
| POST   | [`/v1/licenses`](/api/licenses#create-licenses)              | Create one or more licenses             |
| GET    | [`/v1/licenses`](/api/licenses#list-licenses)                | List licenses for an app                |
| GET    | [`/v1/licenses/:licenseKey`](/api/licenses#get-a-license)    | Get a single license                    |
| PUT    | [`/v1/licenses/:licenseKey`](/api/licenses#update-a-license) | Revoke, activate, extend, or reset HWID |
| DELETE | [`/v1/licenses/:licenseKey`](/api/licenses#delete-a-license) | Permanently delete a license            |

### Variables

| Method | Path                                                                         | Description           |
| ------ | ---------------------------------------------------------------------------- | --------------------- |
| GET    | [`/v1/apps/:appId/variables`](/api/variables#get-app-variables)              | Get app variables     |
| PUT    | [`/v1/apps/:appId/variables`](/api/variables#set-app-variables)              | Set app variables     |
| GET    | [`/v1/licenses/:licenseKey/variables`](/api/variables#get-license-variables) | Get license variables |
| PUT    | [`/v1/licenses/:licenseKey/variables`](/api/variables#set-license-variables) | Set license variables |

### Webhooks

| Method | Path                                                                       | Description       |
| ------ | -------------------------------------------------------------------------- | ----------------- |
| POST   | [`/v1/apps/:appId/webhooks`](/api/webhooks#create-a-webhook)               | Create a webhook  |
| GET    | [`/v1/apps/:appId/webhooks`](/api/webhooks#list-webhooks)                  | List webhooks     |
| PUT    | [`/v1/apps/:appId/webhooks/:webhookId`](/api/webhooks#update-a-webhook)    | Update a webhook  |
| DELETE | [`/v1/apps/:appId/webhooks/:webhookId`](/api/webhooks#delete-a-webhook)    | Delete a webhook  |
| POST   | [`/v1/apps/:appId/webhooks/:webhookId/test`](/api/webhooks#test-a-webhook) | Send a test event |

### Security

| Method | Path                                                                        | Description            |
| ------ | --------------------------------------------------------------------------- | ---------------------- |
| GET    | [`/v1/apps/:appId/security`](/api/security#get-security-config)             | Get security config    |
| PUT    | [`/v1/apps/:appId/security`](/api/security#update-security-config)          | Update security config |
| POST   | [`/v1/apps/:appId/security/blacklist`](/api/security#add-to-blacklist)      | Add to blacklist       |
| DELETE | [`/v1/apps/:appId/security/blacklist`](/api/security#remove-from-blacklist) | Remove from blacklist  |
| POST   | [`/v1/apps/:appId/security/whitelist`](/api/security#add-to-whitelist)      | Add to whitelist       |
| DELETE | [`/v1/apps/:appId/security/whitelist`](/api/security#remove-from-whitelist) | Remove from whitelist  |

## Error codes

See the [Error Codes Reference](/api/errors) for a complete list of error codes across all endpoints.
