Elite Key
A master key for managing licenses, users, devices, and app settings from your own backend or tools — without going through the dashboard.
Endpoint
Parameters can be passed as query string (GET) or form-urlencoded body (POST).
Parameters
| Field | Description | |
|---|---|---|
| key | Required | Your Elite Key from the dashboard. Never expose this client-side. |
| function | Required | Module target: license, user, device, variable, subscription, version, response, hash, or app. |
| action | Required | The operation to run. Varies by function — see the table below. |
| url_prefix | Required | Your app's URL prefix, used for API validation. |
| app_name | Required | The registered name of your AuthlyX application. |
Example Request
GET /api/elite-key
?key=YOUR_KEY
&function=license
&action=generate
&url_prefix=myapp
&app_name=MyApp
&subscription=Default
&expiry_date=2027-01-01T00:00:00.000Z
&device_limit=1Default, Premium) when generating or editing licenses and users.
Elite plan.
IP & Domain Rules
Configure restrictions in Elite Key Settings in the dashboard.
*.example.com).CF-Connecting-IP, X-Forwarded-For, or the socket address.
Domain is read from the Origin header, with Referer as a fallback.
Functions & Actions
Route every request with function + action.
| function | Available actions |
|---|---|
| license | generate, edit, delete, extend, shorten, ban, unban, pause, unpause |
| user | generate, edit, delete, extend, shorten, ban, unban, pause, unpause, reset_password, verify_password |
| device | create, edit, delete, extend, ban, pause |
| variable | set, delete |
| subscription | create, edit, delete |
| version | add, edit, remove |
| response | set, reset |
| hash | register |
| app | edit |
403 with code PERMISSION_DENIED.
Required Parameters
Per-action field requirements on top of the common parameters.
licensegenerate—subscription,expiry_dateedit—license_keydelete—license_keyextend/shorten—license_key+daysorexpiry_dateban/unban/pause/unpause—license_key
usergenerate—username,password,subscription,expiry_dateedit—usernamedelete—usernameextend/shorten—username+daysorexpiry_dateban/unban/pause/unpause—usernamereset_password—username(optional:new_password)verify_password—username,password
devicecreate—device_type,device_id(optional:subscription,expiry_date,user_panel_access)edit/delete/extend/ban/pause—idordevice_type+device_id
variableset—key,valuedelete—key
subscriptioncreate—nameedit/delete—idorname
hashregister—hash_value(optional:hash_name)
version / response / appExample: Generate License
curl "https://authly.cc/api/elite-key?key=YOUR_KEY&function=license&action=generate&url_prefix=myapp&app_name=MyApp&subscription=Default&expiry_date=2027-01-01T00:00:00.000Z&device_limit=1"{
"success": true,
"license": {
"license_key": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX",
"expiry_date": "2027-01-01T00:00:00.000Z",
"device_limit": 1,
"freeze_expiry": false,
"user_panel_access": true,
"note": null
}
}Example: Verify User Password
Authenticate a user from your own web panel without consuming a device slot or touching HWID/SID logic.
curl -X POST "https://authly.cc/api/elite-key?key=YOUR_KEY&function=user&action=verify_password&url_prefix=myapp&app_name=MyApp" \
-d "username=xela&password=mypassword"{
"success": true,
"username": "xela",
"email": "[email protected]",
"subscription": "Premium",
"subscription_level": 2,
"expiry": "2027-01-01T00:00:00.000Z",
"banned": false,
"paused": false
}Returns 401 with "error": "Invalid credentials" if the username doesn't exist or the password is wrong — same message for both to prevent user enumeration.
Example: Extend User
curl "https://authly.cc/api/elite-key?key=YOUR_KEY&function=user&action=extend&url_prefix=myapp&app_name=MyApp&username=xela&days=30"{
"success": true,
"user": {
"username": "xela",
"expiry_date": "2027-02-01T00:00:00.000Z"
}
}Example: Register Hash
Push a new valid file hash from your backend before a user downloads a polymorphic build. The hash is immediately accepted by the SDK Init integrity check — no dashboard visit needed.
curl -X POST "https://authly.cc/api/elite-key?key=YOUR_KEY&function=hash&action=register&url_prefix=myapp&app_name=MyApp" \
-H "Content-Type: application/json" \
-d '{"hash_value":"a3f1e9...","hash_name":"build-2026-05-31"}'{
"success": true,
"hash": {
"hash_value": "a3f1e9...",
"hash_name": "build-2026-05-31",
"created_at": "2026-05-31 10-22-00"
}
}Init and it passes — even though every download is different.
All registered hashes are visible in the Hash Management section of the dashboard.
This permission is off by default — enable it in Elite Key Settings → Hashes → Register.
Responses
Action completed. Response shape varies by function and action.
{
"success": true,
"message": "Action completed successfully"
}Missing or invalid parameters. Codes: MISSING_KEY, INVALID_PARAMETERS.
{
"success": false,
"code": "MISSING_KEY",
"message": "Missing key parameter"
}Elite Key is invalid, inactive, or malformed. Code: INVALID_KEY.
{
"success": false,
"code": "INVALID_KEY",
"message": "Invalid elite key"
}Plan limit, disabled action, or IP/domain restriction. Codes: PLAN_REQUIREMENT, PERMISSION_DENIED, ACCESS_DENIED.
{
"success": false,
"code": "PERMISSION_DENIED",
"message": "Elite key permission denied"
}Requested resource not found. Codes: APP_NOT_FOUND, SUBSCRIPTION_NOT_FOUND, LICENSE_NOT_FOUND, USER_NOT_FOUND.
{
"success": false,
"code": "APP_NOT_FOUND",
"message": "App not found or disabled"
}Hash already registered for this app. No duplicate entries are created.
{
"error": "Hash already registered"
}INTERNAL — Unexpected server-side error.
{
"success": false,
"code": "INTERNAL",
"message": "Internal server error"
}