Authentication

Simple auth model, two key types

The API uses Bearer tokens in the Authorization header. Use management bootstrap keys for /management/* routes, and generated server API keys for protected license lifecycle routes.

1) Management bootstrap key

Configure this with MANAGEMENT_API_KEYS (or MANAGEMENT_API_KEY) and keep it in trusted backend or operator tooling.

```bash
curl -sS http://localhost:8080/management/api-keys \
  -H "Authorization: Bearer management_key_dev_123456"
```

2) Generated server API key

Create these from the Management API, then use them for /generate and /revoke.

```bash
curl -sS http://localhost:8080/generate \
  -H "Authorization: Bearer <generated_server_api_key>" \
  -H "Content-Type: application/json" \
  -d '{"slug":"default","metadata":{"email":"user@example.com"}}'
```

Public runtime routes

/activate, /validate, and /deactivate do not require API keys, but you should still call them from your app backend when possible.
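
The route-to-key mapping above as a small client-side wrapper (an added example, not part of the project's own tooling): it picks the key class by route, sends no key to the public runtime routes, and hands the header to curl on stdin via `--config -` so the token stays out of the process list. `LICENSE_MGMT_KEY`, `LICENSE_SERVER_KEY` and `LICENSE_API_BASE` are assumed environment variable names, and keys are assumed to contain no `"` or backslash.

```shell
#!/usr/bin/env bash
# Added example: choose the bearer key by route class, keep it off the command line.
# LICENSE_MGMT_KEY, LICENSE_SERVER_KEY, LICENSE_API_BASE are assumed names (not from the API).

BASE_URL="${LICENSE_API_BASE:-http://localhost:8080}"

# Print the key class a route needs (management, server, none); fail on unknown routes.
key_class_for_route() {
  case "$1" in
    /management/*)                   echo management ;;
    /generate|/revoke)               echo server ;;
    /activate|/validate|/deactivate) echo none ;;
    *) echo "unknown route: $1" >&2; return 2 ;;
  esac
}

# Emit the curl config line for the Authorization header (nothing for public routes).
auth_config_for_route() {
  local class key
  class="$(key_class_for_route "$1")" || return 2
  case "$class" in
    management) key="${LICENSE_MGMT_KEY:-}" ;;
    server)     key="${LICENSE_SERVER_KEY:-}" ;;
    none)       return 0 ;;
  esac
  if [ -z "$key" ]; then
    echo "no $class key set for $1" >&2
    return 1
  fi
  printf 'header = "Authorization: Bearer %s"\n' "$key"
}

# api_call ROUTE [extra curl args...]
# e.g. api_call /generate -H 'Content-Type: application/json' -d '{"slug":"default"}'
# The header reaches curl through stdin (--config -), not through argv.
api_call() {
  local route="$1" cfg
  shift
  cfg="$(auth_config_for_route "$route")" || return $?
  printf '%s\n' "$cfg" | curl -sS --config - "$@" "${BASE_URL}${route}"
}
```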