xCrypt gives developers and SaaS teams a battle-tested API to generate, validate, and revoke license keys — with full audit trails and webhook automation.
Stop reinventing license logic. xCrypt is the dedicated layer between your SaaS and your customers' deployments.
Every API key is SHA-256 fingerprinted and bound to your account identity. No plaintext storage, no reversible tokens.
Set expiration dates, activation limits, device binding, and revocation policies. Issue licenses in milliseconds via a single POST call.
Every validation, generation, and revocation event is logged with timestamps, response codes, and metadata — ready for compliance reviews.
Push real-time events to your system the moment a license activates, expires, or gets revoked. No polling required.
Register sub-clients under your master account. Each tenant gets isolated keys, logs, and webhooks — perfect for white-label deployments.
Built from the ground up for South African and EU compliance. Data Processing Agreements, retention policies, and audit exports included.
xCrypt exposes a clean REST API. Integrate in minutes with any stack — PHP, Node, Python, or raw cURL.
Select endpoint
Possible responses
curl -X POST https://api.xcrypt.co.za/verify-license \ -H "Content-Type: application/json" \ -d '{ "api_key": "8f50e805b5b3fe15eaaf943f9795b2f7ee1ddb6...", "lic_key": "986ed01917d417b64fde74a2c4606b37" }' # Response 200 { "status": "valid" }
$response = file_get_contents('https://api.xcrypt.co.za/verify-license', false, stream_context_create(['http' => [ 'method' => 'POST', 'header' => 'Content-Type: application/json', 'content' => json_encode([ 'api_key' => $apiKey, 'lic_key' => $licKey ]) ]]) ); $data = json_decode($response, true); if ($data['status'] === 'valid') { // proceed with protected feature }
const res = await fetch('https://api.xcrypt.co.za/verify-license', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ api_key: process.env.XCRYPT_API_KEY, lic_key: licenseKey }) }); const { status } = await res.json(); // status === "valid" | "expired" | "revoked"
import requests r = requests.post( "https://api.xcrypt.co.za/verify-license", json={ "api_key": api_key, "lic_key": lic_key } ) if r.status_code == 200: print("License valid") else: print("Access denied:", r.json()["error"])
curl -X POST https://api.xcrypt.co.za/generate-license \ -H "Content-Type: application/json" \ -d '{ "api_key": "8f50e805...", "client_id": "d9f17c25b3ceefff10d793f1cfd4385d", "user_uuid": "cb08c0a4-355b-11f0-896a-001dd8b7399f", "expiration_date":"2026-12-31" }' # Response 201 { "license_key": "270094d52c2738a16f1cf7fecf5006ec" }
$payload = [ 'api_key' => $apiKey, 'client_id' => $clientId, 'user_uuid' => $userUuid, 'expiration_date' => '2026-12-31' ]; $response = file_get_contents( 'https://api.xcrypt.co.za/generate-license', false, stream_context_create(['http' => [ 'method' => 'POST', 'header' => 'Content-Type: application/json', 'content' => json_encode($payload) ]]) ); $licenseKey = json_decode($response)->license_key;
const res = await fetch('https://api.xcrypt.co.za/generate-license', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ api_key: process.env.XCRYPT_API_KEY, client_id: clientId, user_uuid: userUuid, expiration_date: '2026-12-31' }) }); const { license_key } = await res.json();
r = requests.post( "https://api.xcrypt.co.za/generate-license", json={ "api_key": api_key, "client_id": client_id, "user_uuid": user_uuid, "expiration_date": "2026-12-31" } ) license_key = r.json()["license_key"]
curl -X POST https://api.xcrypt.co.za/register-client \ -H "Content-Type: application/json" \ -d '{ "client_name": "SkyDev", "email": "admin@skydev.com", "webHookUrl": "https://skydev.com/xcrypt-webhook", "parent_uuid": "cb08c0a4-355b-11f0-896a-001dd8b7399f" }' # Response 201 { "error": "false", "client_id": "a38d4f1c161be2499aab3efcffc4a689", "api_key": "5c03fe7f9d8b5176069b0754e4ea352d...", "webHookUrl": "https://skydev.com/xcrypt-webhook" }
$response = file_get_contents( 'https://api.xcrypt.co.za/register-client', false, stream_context_create(['http' => [ 'method' => 'POST', 'header' => 'Content-Type: application/json', 'content' => json_encode([ 'client_name' => 'SkyDev', 'email' => 'admin@skydev.com', 'webHookUrl' => 'https://skydev.com/webhook', 'parent_uuid' => $parentUuid ]) ]]) ); $client = json_decode($response); // Store $client->api_key securely
const res = await fetch('https://api.xcrypt.co.za/register-client', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ client_name: 'SkyDev', email: 'admin@skydev.com', webHookUrl: 'https://skydev.com/webhook', parent_uuid: parentUuid }) }); const { api_key, client_id } = await res.json();
r = requests.post( "https://api.xcrypt.co.za/register-client", json={ "client_name": "SkyDev", "email": "admin@skydev.com", "webHookUrl": "https://skydev.com/webhook", "parent_uuid": parent_uuid } ) client = r.json() # Securely store client["api_key"]
curl -X POST https://api.xcrypt.co.za/get-api-logs \ -H "Content-Type: application/json" \ -d '{ "role": "admin", "user_uuid": "85123bc1-4143-11f0-896a-001dd8b7399f" }' # Returns paginated log array { "logs": [ { "endpoint": "generate_license", "response_code": 201, "timestamp": "2025-06-30T11:10:33Z" } ] }
$response = file_get_contents( 'https://api.xcrypt.co.za/get-api-logs', false, stream_context_create(['http' => [ 'method' => 'POST', 'header' => 'Content-Type: application/json', 'content' => json_encode([ 'role' => 'admin', 'user_uuid' => $userUuid ]) ]]) ); $logs = json_decode($response)->logs; foreach ($logs as $log) { error_log($log->endpoint . ' → ' . $log->response_code); }
const res = await fetch('https://api.xcrypt.co.za/get-api-logs', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ role: 'admin', user_uuid: userUuid }) }); const { logs } = await res.json(); logs.forEach(log => console.log(log.endpoint, log.response_code));
r = requests.post( "https://api.xcrypt.co.za/get-api-logs", json={ "role": "admin", "user_uuid": user_uuid } ) for log in r.json()["logs"]: print(log["endpoint"], log["response_code"])
Four steps. No PhD required.
Create a free account on the xCrypt dashboard. Your master API key is issued instantly — no waiting, no approval queue.
Register each of your end-customers or products as a sub-client. Set a webhook URL so your system gets notified on every event.
POST to /generate-license with an expiry date and get a unique license key back in milliseconds.
Inside your app, call /verify-license on every startup or session. Revoke instantly from your dashboard if needed.
Gate features by plan. Each tier gets a license with specific expiration and activation rules. Upgrades just re-issue a new key.
Resellers and white-label partners register as sub-clients. They manage their own licenses; you keep full visibility from the top.
Issue licenses only after KYC/AML checks clear (via Verilink). Revoke access the moment compliance lapses — automated, auditable.
Bind licenses to device fingerprints. Limit activations per key. Prevent casual sharing and piracy without complex DRM infrastructure.
Treat your own API like a product. Use xCrypt keys as bearer tokens with usage caps, expiration windows, and revocation on demand.
Provision temporary access for contractors with time-limited keys. Auto-revoke on offboarding without touching source code.
All plans include unlimited validations within your tier. You pay for licenses, not API calls.
Trusted across the SkyL4rk ecosystem