API REFERENCE

POST /api/v1/validate-license

WordPress plugins call this endpoint to validate a license, bind the first domain, refresh the local entitlement snapshot, and report the current build ID.

Method: POST
Path: /api/v1/validate-license

Request body

{
  "license_key": "SMS-7X4A-9KLM-2NQR-PV5Z",
  "site_url": "https://store.example.ge",
  "plugin_version": "0.3.10",
  "build_id": "1a8f7353-72ce-4f58-89ef-8e834f0dfc4f",
  "nonce": "optional-plugin-generated-string"
}

license_key: Required. Must pass the CodeOn checksum format.
site_url: Required. Normalized to a single host and used for domain binding.
domain: Legacy alias for site_url. New clients should send site_url.
plugin_version: Optional. Stored on the domain binding when not empty or 0.0.0.
build_id: Optional UUID from the watermarked ZIP. Used for telemetry and abuse review.
nonce: Optional. Echoed back inside the signed payload.

Successful response

{
  "status": "active",
  "message": "ok",
  "modules": ["tbc_card"],
  "features": {
    "tbc_card": ["refund"]
  },
  "expires": "2027-05-30",
  "issued_at": "2026-05-30T09:12:00.000Z",
  "grace_period_hours": 336,
  "nonce": "optional-plugin-generated-string",
  "site_url": "https://store.example.ge",
  "signature": "base64-rsa-sha256"
}

The signature signs the canonical JSON payload without the signature field. Plugins must verify it before trusting status, modules, features, or expiry.

Status mapping

Server state	Plugin status	Notes
`active`	`active`	Normal operation.
`grace`	`active`	The plugin keeps running; show a renewal or validation warning.
`expired`	`expired`	Paid features should be disabled after local grace handling.
`revoked`	`suspended`	Hard stop for paid features.

Domain binding

The first successful validation binds the license to the normalized domain from site_url. Future validations are idempotent for the same domain. A different domain receives a signedinvalid response with bound_domain.

Errors

HTTP	Response	When
400	`invalid`	Invalid JSON, missing key/site URL, or bad key format.
403	`suspended`	License is revoked.
403	`invalid`	License is already bound to another domain.
404	`invalid`	Unknown license key.
429	rate limit	More than 60 validations per IP per minute.

Request body

{
  "license_key": "SMS-7X4A-9KLM-2NQR-PV5Z",
  "site_url": "https://store.example.ge",
  "plugin_version": "0.3.10",
  "build_id": "1a8f7353-72ce-4f58-89ef-8e834f0dfc4f",
  "nonce": "optional-plugin-generated-string"
}

license_key: Required. Must pass the CodeOn checksum format.
site_url: Required. Normalized to a single host and used for domain binding.
domain: Legacy alias for site_url. New clients should send site_url.
plugin_version: Optional. Stored on the domain binding when not empty or 0.0.0.
build_id: Optional UUID from the watermarked ZIP. Used for telemetry and abuse review.
nonce: Optional. Echoed back inside the signed payload.

Successful response

{
  "status": "active",
  "message": "ok",
  "modules": ["tbc_card"],
  "features": {
    "tbc_card": ["refund"]
  },
  "expires": "2027-05-30",
  "issued_at": "2026-05-30T09:12:00.000Z",
  "grace_period_hours": 336,
  "nonce": "optional-plugin-generated-string",
  "site_url": "https://store.example.ge",
  "signature": "base64-rsa-sha256"
}

The signature signs the canonical JSON payload without the signature field. Plugins must verify it before trusting status, modules, features, or expiry.

Server state

Plugin status

Notes

active

Normal operation.

grace

active

The plugin keeps running; show a renewal or validation warning.

expired

Paid features should be disabled after local grace handling.

revoked

suspended

Hard stop for paid features.

HTTP

Response

When

400

invalid

Invalid JSON, missing key/site URL, or bad key format.

403

suspended

License is revoked.

403

invalid

License is already bound to another domain.

404

invalid

Unknown license key.

429

rate limit

More than 60 validations per IP per minute.