Public API

The Public API provides endpoints used by WordPress installations for license verification, updates, and component delivery. These endpoints require no authentication (or license-based auth via query parameters/headers).

Base path: /api/v1

License Endpoints

Activate License

POST /api/v1/licenses/activate

Rate limit: 10/minute

Activates a license key on a specific domain. Called automatically by the WordPress plugin/theme when a user enters their license key.

Request Body:

{
  "license_key": "FLVR-ABCD-EFGH-IJKL-MNOP",
  "domain": "mysite.com",
  "product_slug": "flavor-starter"
}

Response:

{
  "status": "activated",
  "tier": "starter",
  "expires_at": "2027-03-30T00:00:00Z"
}

Deactivate License

POST /api/v1/licenses/deactivate

Rate limit: 10/minute

Removes a domain from a license's activation list.

Request Body:

{
  "license_key": "FLVR-ABCD-EFGH-IJKL-MNOP",
  "domain": "mysite.com"
}

Verify License

POST /api/v1/licenses/verify

Rate limit: 30/minute

Checks if a license is valid and active on a specific domain. Used by the WordPress cron for periodic verification.

Request Body:

{
  "license_key": "FLVR-ABCD-EFGH-IJKL-MNOP",
  "domain": "mysite.com"
}

Response:

{
  "valid": true,
  "tier": "starter",
  "status": "active",
  "expires_at": "2027-03-30T00:00:00Z"
}

Update Endpoints

These endpoints are compatible with the Plugin Update Checker (PUC) library format.

Check for Updates

GET /api/v1/updates/check/{slug}

Rate limit: 30/minute

Returns the latest version metadata for a product.

Parameter	Location	Description
`slug`	path	Product slug (e.g., `flavor-starter`, `wp-ecommerce-core`)

Response: PUC-compatible metadata including version, download URL, changelog excerpt, and requirements.

Get Update Info

GET /api/v1/updates/info/{slug}

Rate limit: 30/minute

Returns detailed information about the latest version, including the full changelog.

Download Update

GET /api/v1/updates/download/{slug}/{version}

Rate limit: 5/minute

Downloads the product ZIP file. Requires license-based authentication via query parameters.

Parameter	Location	Description
`slug`	path	Product slug
`version`	path	Version string
`license_key`	query	Valid license key
`domain`	query	Activated domain

Example:

GET /api/v1/updates/download/flavor-starter/4.2.0?license_key=FLVR-...&domain=mysite.com

Feature Manifest

GET /api/v1/manifest/{product_slug}

Rate limit: 60/minute

Returns the Ed25519-signed feature manifest that maps features to license tiers. WordPress installations cache this manifest and use it for feature gating.

The manifest is signed with an Ed25519 private key. The plugin/theme verifies the signature using the embedded public key.

Component Endpoints

Components are modular add-ons (payment gateways, shipping couriers, ERP modules, etc.) that can be downloaded individually based on license tier.

List Components

GET /api/v1/components/{slug}/list

Rate limit: 30/minute

Lists all active components for a product.

List Available Components

GET /api/v1/components/{slug}/available

Rate limit: 30/minute

Lists components accessible to the requesting license's tier.

Header	Description
`X-License-Key`	Valid license key
`X-Domain`	Activated domain

Check Component Updates

POST /api/v1/components/{slug}/check-updates

Rate limit: 30/minute

Compares installed component versions against the latest available versions.

Request Body:

{
  "installed": {
    "acs-courier": "1.0.0",
    "stripe-gateway": "2.1.0"
  }
}

Download Component

GET /api/v1/components/{slug}/download/{component_id}

Rate limit: 100/minute

Downloads a component ZIP file. Requires license + tier verification via headers.

Header	Description
`X-License-Key`	Valid license key
`X-Domain`	Activated domain

Telemetry Endpoints

Used by the WordPress plugin/theme for integrity monitoring.

Report Integrity Failure

POST /api/v1/telemetry/integrity

Rate limit: 20/minute

Reports file integrity check failures detected by the runtime integrity verifier.

Report Sentinel

POST /api/v1/telemetry/sentinel-report

Rate limit: 20/minute

Reports sentinel flags that indicate potential file tampering.

Announcements

GET /api/v1/announcements/public

Returns active announcements targeted at the login page. No authentication required.

Viva Wallet Webhooks

These endpoints handle payment callback notifications from Viva Wallet.

GET /api/v1/webhooks/viva    # Verification (returns key)
POST /api/v1/webhooks/viva   # Payment callback

These are called by Viva Wallet's systems, not by users or integrations.

License Endpoints​

Activate License​

Deactivate License​

Verify License​

Update Endpoints​

Check for Updates​

Get Update Info​

Download Update​

Feature Manifest​

Component Endpoints​

List Components​

List Available Components​

Check Component Updates​

Download Component​

Telemetry Endpoints​

Report Integrity Failure​

Report Sentinel​

Announcements​

Login Page Announcements​

Viva Wallet Webhooks​

License Endpoints

Activate License

Deactivate License

Verify License

Update Endpoints

Check for Updates

Get Update Info

Download Update

Feature Manifest

Component Endpoints

List Components

List Available Components

Check Component Updates

Download Component

Telemetry Endpoints

Report Integrity Failure

Report Sentinel

Announcements

Login Page Announcements

Viva Wallet Webhooks