
License

The license endpoints power the IndigiArmor Chrome extension. They use license keys directly for authentication instead of API keys — no Authorization header is required. License keys are passed as request body fields or query parameters.

These endpoints are public and do not require API key authentication. They authenticate via the licenseKey parameter tied to your organization.

POST /v1/license/activate

Activate a license key on a new device, or re-activate a previously deactivated device.

Request Body

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| licenseKey | string | Yes | The organization license key |
| fingerprint | string | Yes | Unique device fingerprint identifying this browser/machine |
| deviceName | string | No | Human-readable device name (e.g. "Work Laptop") |

Activate Response

200 OK
{
  "valid": true,
  "orgName": "Acme University",
  "plan": "education",
  "seatsUsed": 3,
  "seatsTotal": 25
}
200 — Seat limit reached
{
  "valid": false,
  "error": "Seat limit reached. Contact your administrator.",
  "seatsUsed": 25,
  "seatsTotal": 25
}

Activate Response Fields

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| valid | boolean | Yes | Whether activation succeeded |
| orgName | string | Yes | Organization name (on success) |
| plan | string | Yes | Current plan tier (on success) |
| seatsUsed | number | Yes | Number of active device activations |
| seatsTotal | number | Yes | Maximum allowed seats (-1 for unlimited) |
| error | string | No | Error message (on failure) |

Activation is idempotent — calling it again for an already-active device updates the heartbeat timestamp. Re-activating a previously deactivated device consumes a seat. Rate limit: 10 requests/minute per license key.

POST /v1/license/heartbeat

Send a heartbeat to confirm the device is still active. Updates the last-seen timestamp.

Request Body

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| licenseKey | string | Yes | The organization license key |
| fingerprint | string | Yes | Device fingerprint from the original activation |

Heartbeat Response

200 OK
{ "valid": true }
200 — No active activation
{
  "valid": false,
  "error": "No active activation found"
}

The extension sends heartbeats periodically to keep the activation alive. If the license key has been revoked or the device was deactivated, the heartbeat returns valid: false. Rate limit: 5 requests/minute per license key.

GET /v1/license/status

Check the current license and activation status for a specific device.

Query Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| key | string | Yes | The organization license key |
| fingerprint | string | Yes | Device fingerprint to check |

Status Response

200 OK
{
  "valid": true,
  "orgName": "Acme University",
  "plan": "education",
  "seatsUsed": 3,
  "seatsTotal": 25
}
200 — Device not activated
{
  "valid": false,
  "error": "Device not activated"
}

Status Response Fields

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| valid | boolean | Yes | Whether the device has an active activation |
| orgName | string | Yes | Organization name (on success) |
| plan | string | Yes | Current plan tier (on success) |
| seatsUsed | number | Yes | Number of active device activations |
| seatsTotal | number | Yes | Maximum allowed seats (-1 for unlimited) |
| error | string | No | Error message (on failure) |

Rate limit: 30 requests/minute per license key.

GET /v1/license/custom-rules

Fetch the organization's allowlist and blocklist rules for local scanning in the extension.

Query Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| key | string | Yes | The organization license key |

Custom Rules Response

200 OK
{
  "allowlist": [
    { "term": "Acme Corp", "domain": "pii" },
    { "term": "University of Example", "domain": null }
  ],
  "blocklist": [
    { "term": "classified-project", "severity": "high" },
    { "term": "internal-codename", "severity": "medium" }
  ]
}

Custom Rules Response Fields

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| allowlist | object[] | Yes | Terms that bypass detection. Each has term (string) and domain (string or null). |
| blocklist | object[] | Yes | Terms that trigger alerts. Each has term (string) and severity (string). |

The extension caches these rules locally and re-fetches periodically. Only enabled blocklist entries are returned. Rate limit: 10 requests/minute per license key.
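
A locally cached rule set should only be replaced by a reply that has the documented shape; otherwise the 401 body listed under Common Error Responses, or a malformed reply, would silently empty the blocklist. The following JavaScript is an added example, not the extension's own code: the function names, the term length cap and the case-insensitive substring matching are assumptions.

```javascript
// Added example, not IndigiArmor's code. Field names (allowlist, blocklist,
// term, domain, severity) come from this page; everything else is assumed.
const MAX_TERM_LEN = 256; // assumption: the page states no length limit

// Keep only entries that match the documented shape. An empty term is dropped
// because it would match every input and flood the user with alerts.
function cleanEntries(list, extraKey, extraOk) {
  if (!Array.isArray(list)) return null;
  const out = [];
  for (const e of list) {
    if (e === null || typeof e !== "object") continue;
    const term = typeof e.term === "string" ? e.term.trim() : "";
    if (term === "" || term.length > MAX_TERM_LEN || !extraOk(e[extraKey])) continue;
    out.push({ term, [extraKey]: e[extraKey] });
  }
  return out;
}

// Return the cache to use after a fetch. Any reply that is not a well-formed
// 200 leaves the previous rules in place instead of clearing them.
function nextRuleCache(previous, status, bodyText) {
  if (status !== 200) return previous;
  let body;
  try { body = JSON.parse(bodyText); } catch { return previous; }
  if (body === null || typeof body !== "object") return previous;
  const allowlist = cleanEntries(body.allowlist, "domain",
    (d) => d === null || typeof d === "string");
  const blocklist = cleanEntries(body.blocklist, "severity",
    (s) => typeof s === "string");
  if (allowlist === null || blocklist === null) return previous;
  return { allowlist, blocklist };
}

// Local scan: which blocklist terms occur in the text (matching is assumed
// to be case-insensitive substring search).
function blocklistHits(text, cache) {
  const haystack = text.toLowerCase();
  return cache.blocklist
    .filter((r) => haystack.includes(r.term.toLowerCase()))
    .map((r) => ({ term: r.term, severity: r.severity }));
}
```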

Common Error Responses

400 Bad Request
{ "valid": false, "error": "Missing licenseKey or fingerprint" }
401 Unauthorized (custom-rules)
{ "error": "Invalid or inactive license key" }
429 Too Many Requests
{ "valid": false, "error": "Too many requests" }
// Retry-After header included
500 Internal Server Error
{ "valid": false, "error": "Internal server error" }
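
Because refusals such as a full seat count or a deactivated device come back as 200 with valid: false, a client has to branch on the body and not only on the status code. The following JavaScript is an added example, not IndigiArmor's own code: it classifies a reply using the status codes and fields documented on this page, while the function names, state names and the 60-second fallback wait are assumptions.

```javascript
// Added example, not IndigiArmor's code. Status codes and body fields are the
// ones documented above; function names and state names are assumptions.
const DEFAULT_WAIT_S = 60; // assumption: wait one rate-limit window if no header

function retryAfterSeconds(value, nowMs = Date.now()) {
  // Retry-After may be delta-seconds or an HTTP-date.
  if (typeof value !== "string") return DEFAULT_WAIT_S;
  if (/^\d+$/.test(value.trim())) return Number(value);
  const at = Date.parse(value);
  return Number.isNaN(at) ? DEFAULT_WAIT_S : Math.max(0, Math.ceil((at - nowMs) / 1000));
}

// headers: plain object with lower-cased header names.
// licensed: true = confirmed, false = refused by the server, null = unknown (retry).
function classifyLicenseReply(status, headers, bodyText) {
  let body;
  try { body = JSON.parse(bodyText); } catch { body = null; }
  const error = body && typeof body.error === "string" ? body.error : null;

  if (status === 429) {
    const retryAfterS = retryAfterSeconds(headers["retry-after"]);
    return { state: "rate_limited", licensed: null, retryAfterS };
  }
  if (status >= 500) return { state: "server_error", licensed: null, error };
  if (status === 401) return { state: "invalid_key", licensed: false, error };
  if (status === 400) return { state: "bad_request", licensed: false, error };
  if (status !== 200 || body === null || typeof body !== "object") {
    return { state: "malformed", licensed: null, error: null };
  }
  // Refusals also arrive as 200, so only a strict boolean true counts as success.
  if (body.valid !== true) {
    const full = Number.isInteger(body.seatsTotal) && body.seatsTotal !== -1 &&
                 body.seatsUsed >= body.seatsTotal;
    return { state: full ? "seat_limit" : "not_active", licensed: false, error };
  }
  // seatsTotal of -1 means unlimited; heartbeat replies carry no seat fields.
  let seatsLeft = null;
  if (body.seatsTotal === -1) seatsLeft = Infinity;
  else if (Number.isInteger(body.seatsTotal) && Number.isInteger(body.seatsUsed)) {
    seatsLeft = Math.max(0, body.seatsTotal - body.seatsUsed);
  }
  return { state: "active", licensed: true, seatsLeft };
}
```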

Examples

cURL — Activate
curl -X POST https://indigiarmor.com/v1/license/activate \
  -H "Content-Type: application/json" \
  -d '{
    "licenseKey": "lic_abc123...",
    "fingerprint": "fp_device_hash",
    "deviceName": "Work Laptop"
  }'
cURL — Heartbeat
curl -X POST https://indigiarmor.com/v1/license/heartbeat \
  -H "Content-Type: application/json" \
  -d '{
    "licenseKey": "lic_abc123...",
    "fingerprint": "fp_device_hash"
  }'
cURL — Status
curl "https://indigiarmor.com/v1/license/status?key=lic_abc123...&fingerprint=fp_device_hash"
cURL — Custom Rules
curl "https://indigiarmor.com/v1/license/custom-rules?key=lic_abc123..."