Skip to content

API Keys

API key products let you sell access to your own APIs or services. After purchase, the customer receives a unique key that your application can validate against FOSSBilling.

  • Sell access to your REST API
  • Limit requests per customer
  • Offer tiered plans with different limits
  • Track usage per customer
  1. Enable the Extension

    Go to Extensions and install "API Key Product".

  2. Configure Key Generation

    When creating the product, set these options:

    OptionDefaultDescription
    Length32Total characters in the key
    SplitEnabledAdd dashes for readability
    Split Interval8Characters between dashes
    CapitalizationUppercaseUppercase, lowercase, or mixed

    Example key with default settings:

    BA907863-47C1A4F5-3CB914D3-AC927BDD
  3. Add Custom Parameters

    You can define custom parameters attached to each API key:

    • monthlyLimit — number of allowed requests per month
    • tier — pricing tier (basic, pro, enterprise)
    • Any other metadata your application needs
EndpointAccessDescription
/admin/serviceapikey/updateAdminUpdate API key config and validity
/admin/serviceapikey/resetAdminRegenerate a new API key
/client/serviceapikey/resetClientCustomer resets their own key
/guest/serviceapikey/checkGuestCheck if a key is valid
/guest/serviceapikey/get_infoGuestGet key validity + custom parameters
Terminal window
curl -X POST "https://your-fossbilling.com/api/guest/serviceapikey/check" \
-H "Content-Type: application/json" \
-d '{"key": "BA907863-47C1A4F5-3CB914D3-AC927BDD"}'

Response:

{
"result": true,
"error": null
}
Terminal window
curl -X POST "https://your-fossbilling.com/api/guest/serviceapikey/get_info" \
-H "Content-Type: application/json" \
-d '{"key": "BA907863-47C1A4F5-3CB914D3-AC927BDD"}'

Response:

{
"result": {
"valid": 1,
"config": {
"monthlyLimit": 250,
"tier": "pro"
}
},
"error": null
}

FOSSBilling includes rate limiting on all API requests (configured via the rate_limiter config block in 0.8.0+). This prevents brute-force attacks on your /check endpoints.

You can adjust rate limiting in the configuration.

  • Clients can reset their keys — they see and can regenerate their own API keys
  • To revoke access, change the key's validity rather than resetting it
  • Validate keys server-side — don't trust client-side checks
  • Use HTTPS — always encrypt API key traffic