REST API Reference
Complete reference for the LicenceForge REST API. All endpoints are registered under the wplf/v1 namespace and are available at https://your-site.com/wp-json/wplf/v1/.
Note
Public endpoints can be called without authentication. Admin endpoints require either a valid WordPress login cookie (for browser-based access) or an API key passed via the Authorization: Bearer <key> header. See API Keys for setup instructions.
Authentication
Admin endpoints accept two authentication methods:
| Method |
Header / mechanism |
Use case |
| Cookie |
Standard WordPress login cookie + nonce |
Admin panel AJAX requests |
| API Key |
Authorization: Bearer wplf_k1_... |
External integrations, CI/CD, scripts |
API keys have three permission levels: read, write, and admin. Each endpoint lists its minimum required permission.
Public endpoints
These endpoints are called by the client library on end-user sites or by external systems. No authentication is required unless noted otherwise.
Health check
| Property |
Value |
| Endpoint | GET /wplf/v1/health |
| Auth | None |
| Description | Returns system health status and individual check results. |
Response
{
"status": "healthy",
"checks": [
{ "name": "database", "status": "pass" },
{ "name": "file_storage", "status": "pass" },
{ "name": "stripe_webhook", "status": "pass" }
]
}
Validate licence
| Property |
Value |
| Endpoint | POST /wplf/v1/licenses/validate |
| Auth | None (or API key) |
| Rate limit | 30 requests/minute |
| Description | Verify a licence key is valid for a given product and site. |
Parameters
| Parameter |
Type |
Required |
Description |
license_key | string | Yes | The licence key to validate. |
product_slug | string | Yes | Product identifier. |
site_url | string | Yes | The site URL requesting validation. |
server_fingerprint | string | No | SHA-256 server fingerprint (when fingerprinting is enabled). |
Response
{
"valid": true,
"status": "active",
"expires": "2026-03-15T00:00:00Z",
"activation_limit": 5,
"activation_count": 2,
"already_activated": true,
"product_version": "2.1.0",
"is_trial": false,
"trial_ends": null,
"tier": {
"label": "Business",
"features": ["priority-support", "white-label", "multisite"]
}
}
Activate licence
| Property |
Value |
| Endpoint | POST /wplf/v1/licenses/activate |
| Auth | None (or API key) |
| Rate limit | 10 requests/minute |
| Description | Activate a licence on a specific site. Creates an activation record. |
Parameters
| Parameter |
Type |
Required |
Description |
license_key | string | Yes | The licence key to activate. |
product_slug | string | Yes | Product identifier. |
site_url | string | Yes | The site URL to activate on. |
server_fingerprint | string | No | SHA-256 server fingerprint. |
Deactivate licence
| Property |
Value |
| Endpoint | POST /wplf/v1/licenses/deactivate |
| Auth | None (or API key) |
| Rate limit | 10 requests/minute |
| Description | Remove an activation for a licence on a specific site. |
Parameters
| Parameter |
Type |
Required |
Description |
license_key | string | Yes | The licence key to deactivate. |
product_slug | string | Yes | Product identifier. |
site_url | string | Yes | The site URL to deactivate. |
Check for updates
| Property |
Value |
| Endpoint | GET /wplf/v1/updates/check |
| Auth | None (or API key) |
| Rate limit | 60 requests/minute |
| Description | Check whether a newer version of the product is available. |
Parameters
| Parameter |
Type |
Required |
Description |
product_slug | string | Yes | Product identifier. |
license_key | string | Yes | Licence key for entitlement verification. |
current_version | string | Yes | Version currently installed on the client site. |
site_url | string | Yes | The requesting site URL. |
Download product
| Property |
Value |
| Endpoint | GET /wplf/v1/downloads/{product_slug} |
| Auth | Token-based (via query param) |
| Description | Serves the product ZIP file. Tokens are short-lived and generated during update checks. |
Parameters
| Parameter |
Type |
Required |
Description |
token | string | Yes | One-time download token (query parameter). |
Request trial
| Property |
Value |
| Endpoint | POST /wplf/v1/trials/request |
| Auth | None |
| Rate limit | 5 requests/minute |
| Description | Request a free trial licence for a product. |
Parameters
| Parameter |
Type |
Required |
Description |
product_slug | string | Yes | Product to trial. |
email | string | Yes | Customer email address. |
name | string | No | Customer name. |
Stripe webhook receiver
| Property |
Value |
| Endpoint | POST /wplf/v1/webhooks/stripe |
| Auth | Stripe signature verification |
| Rate limit | 120 requests/minute |
| Description | Receives and processes Stripe webhook events. Verified using the Stripe-Signature header. |
Admin endpoints
All admin endpoints require authentication via cookie or API key. The minimum permission level is listed for each endpoint.
Products
| Method |
Endpoint |
Permission |
Description |
| GET |
/wplf/v1/admin/products |
read |
List all products with pagination. |
| POST |
/wplf/v1/admin/products |
write |
Create a new product. |
| GET |
/wplf/v1/admin/products/{id} |
read |
Get a single product by ID. |
| PUT |
/wplf/v1/admin/products/{id} |
write |
Update an existing product. |
| DELETE |
/wplf/v1/admin/products/{id} |
admin |
Delete a product (blocked if licences exist). |
Licences
| Method |
Endpoint |
Permission |
Description |
| GET |
/wplf/v1/admin/licenses |
read |
List licences with filters. |
| POST |
/wplf/v1/admin/licenses |
write |
Create a licence manually. |
| GET |
/wplf/v1/admin/licenses/{id} |
read |
Get a single licence by ID. |
| PUT |
/wplf/v1/admin/licenses/{id} |
write |
Update licence details (status, limits, etc.). |
| DELETE |
/wplf/v1/admin/licenses/{id} |
admin |
Permanently delete a licence and its activations. |
| POST |
/wplf/v1/admin/licenses/{id}/rotate-key |
write |
Generate a new licence key (invalidates the old key). |
| GET |
/wplf/v1/admin/licenses/{id}/activations |
read |
List all activations for a licence. |
List filters
The GET /wplf/v1/admin/licenses endpoint supports the following query parameters:
| Parameter |
Type |
Description |
status | string | Filter by status (active, expired, suspended, revoked, trial). |
product_id | integer | Filter by product ID. |
search | string | Search by customer email, name, or licence key prefix. |
page | integer | Page number (default: 1). |
per_page | integer | Results per page (default: 20, max: 100). |
API keys
| Method |
Endpoint |
Permission |
Description |
| GET |
/wplf/v1/admin/api-keys |
admin |
List all API keys (prefix and metadata only). |
| POST |
/wplf/v1/admin/api-keys |
admin |
Create a new API key. The full key is returned once. |
| DELETE |
/wplf/v1/admin/api-keys/{id} |
admin |
Revoke an API key (sets is_active = 0). |
Statistics
| Method |
Endpoint |
Permission |
Description |
| GET |
/wplf/v1/admin/stats |
read |
System-wide statistics: total licences, activations, revenue, and recent activity. |
Privacy (GDPR)
| Method |
Endpoint |
Permission |
Description |
| POST |
/wplf/v1/admin/privacy/export |
admin |
Export all data associated with a customer email (GDPR Subject Access Request). |
| POST |
/wplf/v1/admin/privacy/erase |
admin |
Erase all personal data for a customer email (GDPR Right to Erasure). |
Error responses
All error responses follow a consistent JSON structure:
{
"code": "license_not_found",
"message": "No licence was found matching the provided key.",
"data": {
"status": 404
}
}
Common error codes
| HTTP Status |
Code |
Description |
| 400 | invalid_params | One or more required parameters are missing or invalid. |
| 401 | unauthorized | Authentication is required but was not provided or is invalid. |
| 403 | forbidden | The authenticated user or API key lacks the required permission. |
| 404 | license_not_found | No licence matches the provided key and product combination. |
| 404 | product_not_found | The specified product slug does not exist. |
| 429 | rate_limit_exceeded | Too many requests. Retry after the period indicated in the Retry-After header. |
| 500 | internal_error | An unexpected server error occurred. Check the audit log for details. |
Rate limiting
Rate limits are applied per IP address for public endpoints and per API key for admin endpoints. When a limit is exceeded, the API returns HTTP 429 with the following headers:
| Header |
Description |
X-RateLimit-Limit | Maximum requests allowed in the current window. |
X-RateLimit-Remaining | Requests remaining in the current window. |
Retry-After | Seconds until the rate limit resets. |
Limits summary
| Endpoint |
Limit |
POST /licenses/validate | 30/min |
POST /licenses/activate | 10/min |
POST /licenses/deactivate | 10/min |
GET /updates/check | 60/min |
POST /trials/request | 5/min |
POST /webhooks/stripe | 120/min |
| Admin endpoints (all) | 120/min per API key |
Tip
Rate limits can be adjusted in Settings → API → Rate Limiting. For high-traffic products, consider increasing the validation limit or implementing client-side caching via the wplf_client_cache_duration filter.
Example requests
Validate a licence (cURL)
curl -X POST https://your-site.com/wp-json/wplf/v1/licenses/validate \
-H "Content-Type: application/json" \
-d '{
"license_key": "wplf_abc123...",
"product_slug": "my-plugin",
"site_url": "https://customer-site.com"
}'
List licences with API key (cURL)
curl -X GET "https://your-site.com/wp-json/wplf/v1/admin/licenses?status=active&per_page=50" \
-H "Authorization: Bearer wplf_k1_your_api_key_here"
Create a licence (cURL)
curl -X POST https://your-site.com/wp-json/wplf/v1/admin/licenses \
-H "Content-Type: application/json" \
-H "Authorization: Bearer wplf_k1_your_api_key_here" \
-d '{
"product_id": 1,
"price_id": 3,
"customer_email": "[email protected]",
"customer_name": "Jane Smith",
"activation_limit": 5,
"status": "active"
}'
Related pages
