How do I validate a license key with ValidonX?

Send a POST request to /api/v1/integration/licenses/{licenseKey}/validate with your X-API-Key header. The response includes valid (boolean), license status, expiry date, and entitlements as a flexible JSON key-value object.

ValidonX is a multi-tenant SaaS licensing platform that provides license key validation, device activation tracking, entitlement enforcement, and usage metering via a REST API. Software vendors use it to manage licensing for their products.

How do ValidonX entitlements work?

Entitlements are a flexible JSON key-value store on each license. You define whatever keys make sense for your product (e.g., {"plan": "pro", "domains": 5, "api.access": true}). They are returned in the license validation response and can also be checked via the /entitlements/check endpoint.

What programming languages does ValidonX support?

ValidonX provides a REST API that works with any language. Official SDK examples and copy-paste client classes are provided for PHP, JavaScript/Node.js, Python, and cURL. The API uses standard JSON over HTTPS.

How much does ValidonX cost?

ValidonX offers a free Starter tier (1 product, 100 license keys, 10,000 API calls/month), a Pro tier at $49/month (5 products, unlimited keys, 100,000 API calls/month), and custom Enterprise pricing with unlimited everything and dedicated database.

API Key Authentication

Last updated: Phase 8.5

Overview

API keys authenticate requests to the Integration API (/api/v1/integration/*). Each key is bound to exactly one tenant. Keys are hashed with HMAC-SHA256 — the raw key is returned only once at creation.

Creating an API Key

Endpoint: POST /api/v1/tenant/api-keysAuth: Bearer token with tenant ability

json

{
  "name": "Production Server"
}

Response (201):

json

{
  "data": {
    "id": "key-uuid",
    "name": "Production Server",
    "key": "vx_a1b2c3d4e5f6...",
    "status": "active",
    "created_at": "2026-03-30T10:00:00.000000Z"
  },
  "meta": {
    "request_id": "uuid",
    "api_version": "1"
  }
}

Important: Save the key value immediately. It will never be shown again.

Using an API Key

Include the key in the X-API-Key header:

POST /api/v1/integration/licenses/VX-ACME-abc123/validate
X-API-Key: vx_a1b2c3d4e5f6...
Content-Type: application/json

How Resolution Works

Backend extracts X-API-Key header
Computes HMAC-SHA256 hash using the application key
Looks up the hash in the api_keys table (status must be active)
Resolves the associated tenant
Validates tenant is active (not suspended or closed)
Switches database connection to tenant's isolated DB
Updates last_used_at timestamp

Revoking an API Key

Endpoint: DELETE /api/v1/tenant/api-keys/{id}Auth: Bearer token with tenant ability

Response (200):

json

{
  "data": { "deleted": true, "id": "key-uuid" },
  "meta": { "request_id": "uuid", "api_version": "1" }
}

Revoked keys immediately stop working. Revocation is audit-logged.

Error Codes

Code	HTTP	Description
`AUTH.INVALID_API_KEY`	401	Missing, invalid, or revoked key
`TENANT.STATUS.SUSPENDED`	403	Tenant associated with the key is suspended

Security Notes

Keys use vx_ prefix for easy identification
Raw keys are 64 hex characters (32 bytes of entropy)
Keys are stored as HMAC-SHA256 hashes — even database access doesn't reveal raw keys
Each key is scoped to one tenant — no cross-tenant access
Rotate keys by creating a new key and revoking the old one

API Key Authentication ​

Overview ​

Creating an API Key ​

Using an API Key ​

How Resolution Works ​

Revoking an API Key ​

Error Codes ​

Security Notes ​

API Key Authentication

Overview

Creating an API Key

Using an API Key

How Resolution Works

Revoking an API Key

Error Codes

Security Notes