API Reference

Complete REST API documentation for Authon. All endpoints, request/response formats, and error codes.

Base URL: https://api.authon.pro

Authentication

Client API uses appId + apiKey in the request body. Admin, Auth, and Builder APIs use Bearer token authentication.

CLIENT - Include appId + apiKey in JSON body
ADMIN - Authorization: Bearer <access_token>

Client API

All client operations go through POST /v1 with a JSON body. The type field determines the operation.

POST /v1 type: "init"

Initialize your application. Must be called before any other client request.

Request
{
  "type": "init",
  "appId": "your-app-id",
  "apiKey": "your-api-key"
}
Response
{
  "success": true,
  "message": "App initialized",
  "data": {
    "name": "My App",
    "version": "1.0.0",
    "updateUrl": null
  }
}
POST /v1 type: "login"

Authenticate a user with username, password, and optional HWID. Returns a session token.

Request
{
  "type": "login",
  "appId": "your-app-id",
  "apiKey": "your-api-key",
  "username": "testuser",
  "password": "securepass",
  "hwid": "HWID-A1B2C3D4"
}
Response
{
  "success": true,
  "message": "Login successful",
  "data": {
    "username": "testuser",
    "level": 1,
    "expiresAt": "2025-12-31T23:59:59.000Z",
    "sessionToken": "sess_abc123def456..."
  }
}
POST /v1 type: "register"

Register a new user with a valid license key. Activates the license and creates the user.

Request
{
  "type": "register",
  "appId": "your-app-id",
  "apiKey": "your-api-key",
  "username": "newuser",
  "password": "securepass",
  "licenseKey": "AUTH-XXXX-XXXX-XXXX",
  "hwid": "HWID-A1B2C3D4"
}
Response
{
  "success": true,
  "message": "Registration successful",
  "data": {
    "username": "newuser",
    "level": 1,
    "expiresAt": "2025-12-31T23:59:59.000Z"
  }
}
POST /v1 type: "license"

Authenticate with license key only (no username/password needed). Activates unused keys automatically.

Request
{
  "type": "license",
  "appId": "your-app-id",
  "apiKey": "your-api-key",
  "licenseKey": "AUTH-XXXX-XXXX-XXXX",
  "hwid": "HWID-A1B2C3D4"
}
Response
{
  "success": true,
  "message": "License activated",
  "data": {
    "level": 1,
    "expiresAt": "2025-12-31T23:59:59.000Z"
  }
}
POST /v1 type: "check"

Verify if a session token is still valid. Updates the heartbeat timestamp.

Request
{
  "type": "check",
  "appId": "your-app-id",
  "apiKey": "your-api-key",
  "sessionToken": "sess_abc123..."
}
Response
{
  "success": true,
  "message": "Session valid",
  "data": {
    "username": "testuser",
    "level": 1,
    "expiresAt": "2025-12-31T23:59:59.000Z"
  }
}
POST /v1 type: "var"

Get an application-level variable by key. Requires a valid session.

Request
{
  "type": "var",
  "appId": "your-app-id",
  "apiKey": "your-api-key",
  "sessionToken": "sess_abc123...",
  "key": "download_url"
}
Response
{
  "success": true,
  "data": {
    "key": "download_url",
    "value": "https://example.com/latest.zip"
  }
}
POST /v1 type: "setvar"

Set a user-level variable. Each user can have their own set of key-value pairs.

Request
{
  "type": "setvar",
  "appId": "your-app-id",
  "apiKey": "your-api-key",
  "sessionToken": "sess_abc123...",
  "key": "settings",
  "value": "dark_mode=true"
}
Response
{
  "success": true,
  "message": "Variable set"
}
POST /v1 type: "getvar"

Get a user-level variable by key. Returns the value set by the current user.

Request
{
  "type": "getvar",
  "appId": "your-app-id",
  "apiKey": "your-api-key",
  "sessionToken": "sess_abc123...",
  "key": "settings"
}
Response
{
  "success": true,
  "data": {
    "key": "settings",
    "value": "dark_mode=true"
  }
}
POST /v1 type: "file"

Get file info and download URL for authenticated users. Checks user level against file minimum level.

Request
{
  "type": "file",
  "appId": "your-app-id",
  "apiKey": "your-api-key",
  "sessionToken": "sess_abc123...",
  "fileId": "abc123"
}
Response
{
  "success": true,
  "data": {
    "name": "module.exe",
    "size": 524288,
    "downloadUrl": "/v1/files/download/abc123?token=sess_abc123..."
  }
}
POST /v1 type: "log"

Record a custom log message. Useful for tracking user actions in your application.

Request
{
  "type": "log",
  "appId": "your-app-id",
  "apiKey": "your-api-key",
  "sessionToken": "sess_abc123...",
  "message": "User opened settings panel"
}
Response
{
  "success": true,
  "message": "Log recorded"
}
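
Added example (not part of the Authon documentation): every client request body above carries apiKey, usually alongside a password, licenseKey or sessionToken, and the file response's downloadUrl carries the session token in its query string, so application logs and proxies that record these payloads need redaction. The helper names redact and safe_log_line are hypothetical; the field names come from the bodies on this page.

```python
import json
import re

# Credential-bearing field names as they appear in this page's JSON bodies.
SECRET_FIELDS = {"apiKey", "password", "sessionToken", "licenseKey",
                 "accessToken", "refreshToken", "secret", "token"}

# Matches ?token=... or &token=... inside a URL such as the file downloadUrl.
_TOKEN_QS = re.compile(r"([?&]token=)[^&#\s\"]+")


def redact(value):
    """Return a redacted copy of a decoded JSON value; the input is not mutated."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k in SECRET_FIELDS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        # Catches tokens embedded in URLs under non-secret keys (downloadUrl).
        return _TOKEN_QS.sub(r"\1[REDACTED]", value)
    return value


def safe_log_line(payload):
    """Serialize a request or response body for logging with secrets removed."""
    return json.dumps(redact(payload), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample shaped like the "file" response above.
    sample = {"success": True, "data": {
        "name": "module.exe", "size": 524288,
        "downloadUrl": "/v1/files/download/abc123?token=sess_constructed"}}
    print(safe_log_line(sample))
```

License keys returned under the generic "key" field by the license-generation endpoints are not covered, because "key" is also the variable name in var/getvar requests; handle those responses separately.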

Auth API

Seller/developer authentication endpoints. Used to get access tokens for the Admin API.

POST /v1/auth/register

Create a new seller/developer account.

Request
{
  "email": "dev@example.com",
  "password": "securepass123",
  "name": "John Developer"
}
Response
{
  "success": true,
  "message": "Account created successfully",
  "data": {
    "id": "seller_abc123",
    "email": "dev@example.com",
    "name": "John Developer",
    "plan": "FREE",
    "accessToken": "eyJhbG...",
    "refreshToken": "uuid-refresh-token"
  }
}
POST /v1/auth/login

Log in to your seller/developer account. Returns access + refresh tokens.

Request
{
  "email": "dev@example.com",
  "password": "securepass123"
}
Response
{
  "success": true,
  "message": "Login successful",
  "data": {
    "id": "seller_abc123",
    "email": "dev@example.com",
    "name": "John Developer",
    "plan": "DEVELOPER",
    "accessToken": "eyJhbG...",
    "refreshToken": "uuid-refresh-token"
  }
}
POST /v1/auth/refresh

Refresh your access token using a valid refresh token.

Request
{
  "refreshToken": "uuid-refresh-token"
}
Response
{
  "success": true,
  "data": {
    "accessToken": "eyJhbG...(new)",
    "refreshToken": "uuid-new-refresh-token"
  }
}
GET /v1/auth/profile

Get your seller profile. Requires Bearer token.

Request
// Headers:
// Authorization: Bearer <accessToken>
Response
{
  "success": true,
  "data": {
    "id": "seller_abc123",
    "email": "dev@example.com",
    "name": "John Developer",
    "plan": "DEVELOPER",
    "createdAt": "2024-01-15T12:00:00.000Z"
  }
}

Admin API

Manage your applications, users, licenses, files, webhooks, and more. All admin endpoints require Bearer token authentication.

All Admin API endpoints require: Authorization: Bearer <access_token>

Applications

POST /v1/admin/apps

Create a new application. Returns the app with a generated API key.

Request
{
  "name": "My New App"
}
Response
{
  "success": true,
  "data": {
    "id": "app_abc123",
    "name": "My New App",
    "apiKey": "as_...",
    "version": "1.0.0",
    "status": "ACTIVE"
  }
}
GET /v1/admin/apps

List all your applications with user and license counts.

Response
{
  "success": true,
  "data": [{
    "id": "app_abc123",
    "name": "My App",
    "apiKey": "as_...",
    "version": "1.0.0",
    "status": "ACTIVE",
    "_count": { "appUsers": 150, "licenses": 200 }
  }]
}
PUT /v1/admin/apps/:appId

Update application settings.

Request
{
  "name": "Updated Name",
  "version": "2.0.0",
  "status": "ACTIVE"
}
Response
{
  "success": true,
  "data": { "id": "app_abc123", "name": "Updated Name", "version": "2.0.0" }
}
DELETE /v1/admin/apps/:appId

Delete an application and all its data.

Response
{
  "success": true,
  "message": "Application deleted"
}
POST /v1/admin/apps/:appId/regenerate-key

Regenerate the API key for an application. Old key becomes invalid immediately.

Response
{
  "success": true,
  "data": { "apiKey": "as_new_key_here..." }
}

Licenses

POST /v1/admin/apps/:appId/licenses

Generate license keys in bulk (up to 100 at a time).

Request
{
  "count": 10,
  "durationType": "30d",
  "level": 1,
  "maxDevices": 1,
  "prefix": "VIP",
  "note": "Giveaway batch"
}
Response
{
  "success": true,
  "data": [
    { "id": "lic_1", "key": "VIP-XXXX-XXXX-XXXX", "status": "UNUSED", "durationType": "30d" },
    ...
  ]
}
GET /v1/admin/apps/:appId/licenses

List licenses with pagination and status filter.

Request
// Query params: ?status=UNUSED&page=1&limit=20
Response
{
  "success": true,
  "data": [...],
  "pagination": { "page": 1, "limit": 20, "total": 150 }
}
POST /v1/admin/apps/:appId/licenses/:licenseId/ban

Ban a license key. Prevents any further use.

Response
{ "success": true, "message": "License banned" }
DELETE /v1/admin/apps/:appId/licenses/:licenseId

Permanently delete a license key.

Response
{ "success": true, "message": "License deleted" }

Users

GET /v1/admin/apps/:appId/users

List application users with search and filters.

Request
// Query params: ?search=john&status=ACTIVE&page=1&limit=20
Response
{
  "success": true,
  "data": [{
    "id": "usr_123",
    "username": "john",
    "hwid": "HWID-...",
    "ip": "192.168.1.1",
    "level": 1,
    "status": "ACTIVE",
    "lastLogin": "2025-06-15T12:00:00Z",
    "expiresAt": "2025-12-31T23:59:59Z"
  }],
  "pagination": { "page": 1, "limit": 20, "total": 50 }
}
POST /v1/admin/apps/:appId/users/:userId/ban

Ban a user and terminate all their active sessions.

Request
{ "reason": "Terms violation" }
Response
{ "success": true, "message": "User banned" }
POST /v1/admin/apps/:appId/users/:userId/unban

Unban a previously banned user.

Response
{ "success": true, "message": "User unbanned" }
POST /v1/admin/apps/:appId/users/:userId/reset-hwid

Reset a user's hardware ID lock so they can log in from a new device.

Response
{ "success": true, "message": "HWID reset" }
POST /v1/admin/apps/:appId/users/:userId/extend

Extend a user's subscription by a number of days.

Request
{ "days": 30 }
Response
{
  "success": true,
  "message": "Subscription extended by 30 days",
  "data": { "expiresAt": "2026-01-30T23:59:59Z" }
}
DELETE /v1/admin/apps/:appId/users/:userId

Permanently delete a user.

Response
{ "success": true, "message": "User deleted" }

Files

POST /v1/admin/apps/:appId/files

Register a file for distribution. Files are encrypted server-side.

Request
{
  "name": "module.exe",
  "size": 524288,
  "minLevel": 1
}
Response
{
  "success": true,
  "data": {
    "id": "abc123",
    "name": "module.exe",
    "path": "/uploads/app_id/abc123_module.exe",
    "minLevel": 1
  }
}
GET /v1/admin/apps/:appId/files

List all files for an application.

Response
{
  "success": true,
  "data": [{ "id": "abc123", "name": "module.exe", "size": 524288, "minLevel": 1 }]
}

Webhooks

POST /v1/admin/apps/:appId/webhooks

Create a webhook to receive event notifications.

Request
{
  "url": "https://discord.com/api/webhooks/...",
  "events": ["user.login", "user.register", "license.activate"]
}
Response
{
  "success": true,
  "data": {
    "id": "wh_123",
    "url": "https://discord.com/api/webhooks/...",
    "events": ["user.login", "user.register", "license.activate"],
    "secret": "whsec_..."
  }
}
POST /v1/admin/apps/:appId/webhooks/:webhookId/test

Send a test ping to verify your webhook endpoint is working.

Response
{
  "success": true,
  "message": "Test ping sent",
  "data": { "statusCode": 200, "ok": true }
}

Blacklist

POST /v1/admin/apps/:appId/blacklist

Add an IP, HWID, or username to the blacklist.

Request
{
  "type": "HWID",
  "value": "HWID-A1B2C3D4",
  "reason": "License sharing detected"
}
Response
{
  "success": true,
  "data": { "id": "bl_123", "type": "HWID", "value": "HWID-A1B2C3D4", "reason": "..." }
}
GET /v1/admin/apps/:appId/blacklist

Get all blacklist entries for an application.

Response
{
  "success": true,
  "data": [{ "id": "bl_123", "type": "HWID", "value": "HWID-A1B2C3D4", "reason": "..." }]
}
DELETE /v1/admin/apps/:appId/blacklist/:id

Remove a blacklist entry.

Response
{ "success": true, "message": "Blacklist entry removed" }

Variables

POST /v1/admin/apps/:appId/variables

Create an application-level variable accessible to all authenticated users.

Request
{
  "key": "latest_version",
  "value": "2.1.0",
  "readOnly": true
}
Response
{
  "success": true,
  "data": { "id": "var_123", "key": "latest_version", "value": "2.1.0", "readOnly": true }
}
GET /v1/admin/apps/:appId/variables

List all application variables.

Response
{
  "success": true,
  "data": [{ "key": "latest_version", "value": "2.1.0", "readOnly": true }]
}

Sessions

GET /v1/admin/apps/:appId/sessions

List all active sessions for an application.

Response
{
  "success": true,
  "data": [{
    "id": "sess_123",
    "token": "...",
    "ip": "192.168.1.1",
    "hwid": "HWID-...",
    "appUser": { "username": "john" },
    "createdAt": "2025-06-15T12:00:00Z"
  }]
}
DELETE /v1/admin/apps/:appId/sessions/:sessionId

Kill a specific session (force logout).

Response
{ "success": true, "message": "Session killed" }

Reseller API

Endpoints for resellers to log in, generate license keys, and check their balance. Resellers authenticate with app credentials + reseller login.

POST /v1/reseller/login

Authenticate as a reseller. Returns a JWT token valid for 24 hours.

Request
{
  "appId": "your-app-id",
  "apiKey": "your-api-key",
  "username": "reseller1",
  "password": "resellerpass"
}
Response
{
  "success": true,
  "data": {
    "token": "eyJhbG...",
    "username": "reseller1",
    "balance": 50
  }
}
POST /v1/reseller/licenses

Generate license keys (deducts from reseller balance). Max 50 per request.

Request
{
  "count": 5,
  "durationType": "30d",
  "level": 1,
  "maxDevices": 1,
  "prefix": "RESELL"
}
Response
{
  "success": true,
  "data": [
    { "key": "RESELL-XXXX-XXXX-XXXX", "durationType": "30d", "status": "UNUSED" }
  ],
  "balance": 45
}
GET /v1/reseller/licenses

List all licenses generated by this reseller.

Response
{
  "success": true,
  "data": [
    { "key": "RESELL-XXXX-XXXX-XXXX", "status": "USED", "durationType": "30d", "createdAt": "..." }
  ]
}
GET /v1/reseller/balance

Check remaining reseller balance (credits).

Response
{
  "success": true,
  "data": { "balance": 45 }
}

Builder API

Build custom loader executables with your app credentials baked in. Requires seller authentication.

GET /v1/builder/status

Check if the builder service is ready and templates are available.

Response
{
  "success": true,
  "templates": { "loader_cpp.exe": true }
}
POST /v1/builder/build

Build a loader EXE with your credentials embedded. Returns the binary file as a download.

Request
{
  "appId": "your-app-id",
  "language": "cpp",
  "fileId": "optional-file-id",
  "title": "My App Loader",
  "authType": "both"
}
Response
// Returns binary file (application/octet-stream)
// Content-Disposition: attachment; filename="My_App_Loader_loader.exe"

// authType options: "login", "license", "both"

Error Codes

All errors follow a consistent format with HTTP status codes and descriptive messages.

Error Response Format

{
  "success": false,
  "message": "Error description here"
}
Code  Description
400   Bad request - missing required fields or invalid data
401   Unauthorized - invalid credentials, API key, or session token
403   Forbidden - HWID mismatch, banned user, paused app, or expired subscription
404   Not found - resource doesn't exist or doesn't belong to you
409   Conflict - username or email already exists
429   Rate limited - too many requests, slow down
500   Internal server error - contact support
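
Added example (not Authon's SDK or code from this documentation): a minimal client wrapper that enforces the init-before-anything-else rule from the Client API section and reacts to the error codes above, retrying only on 429 and discarding the session token on 401/403. ClientSession, AuthonError, the injected transport(url, body) -> (status, reply) callable and the 1s/2s/4s backoff schedule are assumptions for illustration.

```python
import time

BASE_URL = "https://api.authon.pro"  # base URL given on this page


class AuthonError(Exception):
    def __init__(self, status, message):
        super().__init__(f"HTTP {status}: {message}")
        self.status = status


class ClientSession:
    """Hypothetical wrapper. transport(url, body) -> (http_status, reply_dict)."""

    def __init__(self, app_id, api_key, transport, sleep=time.sleep, max_retries=3):
        self.creds = {"appId": app_id, "apiKey": api_key}
        self.transport, self.sleep, self.max_retries = transport, sleep, max_retries
        self.initialized = False
        self.session_token = None

    def _call(self, op, **fields):
        if op != "init" and not self.initialized:
            raise RuntimeError("init must be called before any other client request")
        body = {"type": op, **self.creds, **fields}
        for attempt in range(self.max_retries + 1):
            status, reply = self.transport(BASE_URL + "/v1", body)
            if status == 429 and attempt < self.max_retries:
                self.sleep(2 ** attempt)  # assumed backoff schedule: 1s, 2s, 4s
                continue
            if status >= 400 or not reply.get("success"):
                if status in (401, 403):
                    self.session_token = None  # never reuse a rejected session
                raise AuthonError(status, reply.get("message", ""))
            return reply.get("data", {})

    def init(self):
        data = self._call("init")
        self.initialized = True
        return data

    def login(self, username, password, hwid=None):
        fields = {"username": username, "password": password}
        if hwid is not None:  # hwid is optional per the login description
            fields["hwid"] = hwid
        data = self._call("login", **fields)
        self.session_token = data["sessionToken"]
        return data

    def check(self):
        if self.session_token is None:
            raise RuntimeError("no session: log in first")
        return self._call("check", sessionToken=self.session_token)
```

Treating 403 as terminal matters here because its causes (HWID mismatch, ban, paused app, expired subscription) do not clear on retry.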