API Keys

API key management requires adminSecret. Keys are scoped to a single creatorId and can only access that creator's resources.


Scoping and Security

An API key is permanently bound to one creatorId at creation time. A request authenticated with that key:

  • Can only read and manage products, variants, licenses, and discount codes belonging to that creatorId.
  • Cannot access or enumerate other creators' data.
  • Receives a 404 (not 403) for any resource outside its scope, to prevent probing.

Create API Key

POST /createApiKey

Creates a new API key for a creator. The raw key is returned once in the response and is never retrievable again. Store it securely immediately.

Request

| Field | Type | Required | Description |
|---|---|---|---|
| creatorId | string | yes | Creator this key is scoped to |
| name | string | yes | Human-readable label for the key |

Response

{
  "success": true,
  "apiKey": "cgls_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "name": "Production Integration",
  "creatorId": "creator_01"
}

Save the key now

The raw API key is shown exactly once. The server only stores a hash. If you lose it, revoke and create a new one.

curl -X POST https://us-central1-cg-license-server.cloudfunctions.net/createApiKey \
  -H "Content-Type: application/json" \
  -d '{
    "adminSecret": "YOUR_ADMIN_SECRET",
    "creatorId": "creator_01",
    "name": "Production Integration"
  }'

const res = await fetch('.../createApiKey', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    adminSecret: 'YOUR_ADMIN_SECRET',
    creatorId: 'creator_01',
    name: 'Production Integration',
  }),
});
const { apiKey } = await res.json();
// Store apiKey immediately. It will not be shown again.

List API Keys

GET/POST /listApiKeys

Returns all API keys for a creator. The raw key is never returned, only its hash and metadata.

Request

| Field | Type | Required | Description |
|---|---|---|---|
| creatorId | string | no | Filter keys by creator |

Response

{
  "success": true,
  "keys": [
    {
      "hash": "abcdef...",
      "name": "Production Integration",
      "creatorId": "creator_01",
      "active": true,
      "createdAt": "2025-01-15T10:00:00Z"
    }
  ],
  "count": 1
}

curl -X POST https://us-central1-cg-license-server.cloudfunctions.net/listApiKeys \
  -H "Content-Type: application/json" \
  -d '{
    "adminSecret": "YOUR_ADMIN_SECRET",
    "creatorId": "creator_01"
  }'

Revoke API Key

POST /revokeApiKey

This endpoint has two modes of operation: revoke a specific key, or bulk-revoke all keys for a creator.

Option 1: Revoke a Specific Key

| Field | Type | Required | Description |
|---|---|---|---|
| apiKeyToRevoke | string | yes | The raw API key to revoke |

curl -X POST https://us-central1-cg-license-server.cloudfunctions.net/revokeApiKey \
  -H "Content-Type: application/json" \
  -d '{
    "adminSecret": "YOUR_ADMIN_SECRET",
    "apiKeyToRevoke": "cgls_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }'

Option 2: Bulk Revoke All Keys for a Creator

| Field | Type | Required | Description |
|---|---|---|---|
| creatorId | string | yes | Revoke all active keys belonging to this creator |

curl -X POST https://us-central1-cg-license-server.cloudfunctions.net/revokeApiKey \
  -H "Content-Type: application/json" \
  -d '{
    "adminSecret": "YOUR_ADMIN_SECRET",
    "creatorId": "creator_01"
  }'

Bulk revoke

Revoking by creatorId immediately deactivates every API key for that creator. Any integrations using those keys will stop working instantly.
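
The behaviours described on this page (the raw key returned once, hash-only storage, revocation by raw key, and a 404 for anything outside the key's scope) can be modelled in a small in-memory sketch. This is an added example, not the license server's own code; SHA-256 as the hash, the 401 for an unknown or revoked key, the sample products and all function names are assumptions.

```javascript
// Illustrative model only. Assumptions: SHA-256, in-memory Maps, function names.
const { createHash, randomBytes } = require('node:crypto');

const keysByHash = new Map(); // hash -> { creatorId, name, active }; raw keys are never stored
const products = new Map([    // constructed sample data
  ['prod_a', { creatorId: 'creator_01', title: 'Plugin A' }],
  ['prod_b', { creatorId: 'creator_02', title: 'Plugin B' }],
]);

// The raw key is 32 random bytes, so a single fast hash is enough to store it safely.
const hashKey = (rawKey) => createHash('sha256').update(rawKey).digest('hex');

// Returns the raw key to the caller once; only its hash is kept.
function createApiKey(creatorId, name) {
  const rawKey = 'cgls_' + randomBytes(32).toString('hex');
  keysByHash.set(hashKey(rawKey), { creatorId, name, active: true });
  return rawKey;
}

// Listing can expose only hash and metadata, because nothing else exists server-side.
function listApiKeys(creatorId) {
  return [...keysByHash]
    .filter(([, k]) => k.creatorId === creatorId)
    .map(([hash, k]) => ({ hash, ...k }));
}

// Revoking a specific key needs the raw key: it is hashed and looked up.
function revokeApiKey(rawKey) {
  const record = keysByHash.get(hashKey(rawKey));
  if (!record) return false;
  record.active = false;
  return true;
}

// Scoped read: a missing product and another creator's product give the same 404,
// so the response does not reveal whether an out-of-scope ID exists.
function getProduct(rawKey, productId) {
  const key = keysByHash.get(hashKey(rawKey));
  if (!key || !key.active) return { status: 401, error: 'Invalid API key' }; // assumed status
  const product = products.get(productId);
  if (!product || product.creatorId !== key.creatorId) {
    return { status: 404, error: 'Not found' };
  }
  return { status: 200, product };
}
```
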