Skip to content
Thrive Tech Services
Thrive Tech Services
HomeServicesProductsDocsEnterpriseContactAbout
LoginRegister

Authentication

The ThriveTech API uses two authentication methods for vendor-facing operations.

Authentication Methods

1. Product API Key (PAK) — Activation Endpoints

Used for all activation endpoints (trial, purchase, validate, deactivate). PAK tokens are issued per distribution channel and identify the product being activated.

Header Format:

Authorization: Bearer pak_eyJhbGciOiJIUzI1NiIs...

Example:

bash
curl -X POST https://api.thrivetechservice.com/api/v1/activate/trial \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer pak_eyJhbGciOiJIUzI1NiIs..." \
  -d '{
    "deviceFingerprint": "sha256-device-hash",
    "deviceInfo": { "type": "desktop", "osType": "Windows" }
  }'

2. Channel API Key — Public/Channel-Specific Endpoints

Used for channel-specific public operations like product offering pages. Channel API keys use a ch_ prefix.

Header Format:

X-Channel-API-Key: ch_xxxxxxxxxxxxxxxxxxxx

Example:

bash
curl -X POST https://api.thrivetechservice.com/api/v1/activate/validate \
  -H "Content-Type: application/json" \
  -H "X-Channel-API-Key: ch_xxxxxxxxxxxxxxxxxxxx" \
  -d '{
    "licenseKey": "FULL-XXXX-XXXX-XXXX",
    "deviceFingerprint": "sha256-device-hash"
  }'

Obtaining Credentials

Product API Keys (PAK)

PAK tokens are managed in the Admin Dashboard:

  1. Navigate to Products → Your Product → Channels
  2. Select the distribution channel
  3. Click Generate Product API Key
  4. Copy the generated PAK (shown only once)

Channel API Keys

  1. Log in to the ThriveTech Admin Dashboard
  2. Navigate to Products → Your Product → API Keys
  3. Click Generate New Key
  4. Copy the generated key (shown only once)

API Key Types

TypePrefixPermissionsUse Case
Product API Key (PAK)pak_Activation onlyClient applications (trial, purchase, validate)
Channel API Keych_Channel-specificPublic operations, product offering pages

Rate Limits

TypeLimitWindow
Default (per IP)500 requests15 minutes
API Key (authenticated)3,000 requests15 minutes
Auth endpoints50 requests15 minutes

Rate limit headers are included in all responses:

X-RateLimit-Limit: 500 X-RateLimit-Remaining: 495 X-RateLimit-Reset: 1737331200

Security Best Practices

  1. Never expose keys in client-side code — embed keys securely in compiled applications
  2. Use environment-specific keys — separate keys for development, staging, and production
  3. Rotate keys regularly — generate new keys periodically and revoke old ones after migration
  4. Monitor key usage — review API usage in the admin dashboard
  5. Use HTTPS only — all API calls must use HTTPS in production

Error Responses

CodeErrorDescription
401invalid_api_keyAPI key is invalid or revoked
401missing_api_keyAPI key header not provided
401expired_api_keyAPI key has expired
403insufficient_permissionsKey doesn't have required permissions

Multi-Language Support

Error messages support localization via the Accept-Language header:

bash
curl -X POST https://api.thrivetechservice.com/api/v1/activate/validate \
  -H "Accept-Language: es-ES" \
  -H "X-Channel-API-Key: ch_xxx" \
  -d '...'

Supported languages: en-US, es-ES

Quick StartIntegration Guide

Was this helpful?