Overview
SwiftAuth is a high-performance authentication and licensing platform. The API is split into two parts: the Dashboard API (for managing your apps) and the Client API (for your application to authenticate users).
All requests and responses use JSON. Include Content-Type: application/json in all requests with a body.
Quickstart
Get up and running in under 5 minutes:
1. Create an account
Sign up at swiftauth.net/dashboard and verify your email.
2. Create an application
From the dashboard, create a new app. Copy your App ID and App Secret.
3. Authenticate users
Call /api/client/init then /api/client/login or /api/client/license.
Rate Limits
All endpoints are rate limited. Client API endpoints share a global limit, with stricter limits on sensitive operations.
| Endpoint | Limit | Window |
|---|---|---|
| /api/auth/login | 5 requests | 15 minutes per IP+username |
| /api/auth/register | 3 requests | 1 hour per IP |
| /api/auth/forgot-password | 2 requests | 24 hours per IP |
| /api/client/* (general) | 60 requests | 1 minute per IP |
| /api/client/login, /register, /license | 20 requests | 1 minute per IP |
| /api/client/init | 5 requests | 5 minutes per IP |
| /api/client/check | 10 requests | 1 minute per IP+appId |
When rate limited, the API returns 429 Too Many Requests with a descriptive message.
Authentication
The Dashboard API uses JWT bearer tokens. After logging in via /api/auth/login, include the token in subsequent requests:
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
The Client API uses session tokens obtained from /api/client/init. Pass the session token in the request body. Requests that mutate state also require a nonce via the X-Nonce header.
Error Handling
Errors return a consistent JSON structure:
{
"success": false,
"error": {
"code": "VALIDATION_ERROR",
"message": "Username and password are required"
}
}
Common HTTP status codes: 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 409 Conflict, 429 Rate Limited.
Auth
| Parameter | Type | Description |
|---|---|---|
| string | required Account email | |
| username | string | required Account username |
| password | string | required Account password (8+ chars, uppercase, lowercase, number) |
Returns a generic response regardless of success/failure to prevent account enumeration. If email service is configured, sends a verification email. Rate limited to 3 per IP per hour.
// Response (202 Accepted)
{
"success": true,
"data": {
"message": "If this email is not already registered, you will receive a verification link shortly.",
"requireVerify": true
}
}
| Parameter | Type | Description |
|---|---|---|
| username | string | required |
| password | string | required |
| twoFactorCode | string | optional TOTP code if 2FA is enabled |
Rate limited to 5 attempts per IP+username per 15 minutes. If 2FA is enabled and no code is provided, returns requires2FA: true. If email is unverified, returns requireVerify: true.
// Success Response
{
"data": {
"token": "eyJhbGciOi...",
"account": { "id": "...", "username": "...", "email": "...",
"role": "user", "twoFactorEnabled": false }
}
}
// 2FA Required Response
{ "success": false, "requires2FA": true, "message": "Two-factor authentication code required" }
// Unverified Email Response (403)
{ "success": false, "requireVerify": true, "message": "Please verify your email address before logging in." }
Returns the authenticated account details including plan info, API usage, and application count. Requires Bearer token.
// Response
{
"data": {
"id": "...", "email": "[email protected]", "username": "john",
"role": "user", "apiKey": "sa_...xyz1",
"emailVerified": true, "twoFactorEnabled": false,
"lastLoginAt": "2025-01-15T10:30:00Z",
"createdAt": "2025-01-01T00:00:00Z",
"applicationCount": 2,
"plan": {
"name": "free", "displayName": "Free", "priceMonth": 0,
"limits": { "maxApps": 1, "maxUsersPerApp": 15, "maxApiCallsMonth": 2500, "webSocketAccess": false }
},
"apiCallsUsed": 150,
"apiCallsResetAt": "2025-02-01T00:00:00Z"
}
}
Requires Bearer token. Accepts either the current password or a 2FA code (if 2FA is enabled) for verification.
| Parameter | Type | Description |
|---|---|---|
| currentPassword | string | required* Current password |
| twoFactorCode | string | optional TOTP code (alternative to currentPassword if 2FA is enabled) |
| newPassword | string | required Must meet password complexity: 8+ chars, uppercase, lowercase, number |
// Response
{ "success": true, "data": { "message": "Password changed" } }
Verifies the account email using the token sent during registration. On success, automatically signs in the user and returns a JWT.
| Parameter | Type | Description |
|---|---|---|
| token | string | required Verification token from email |
// Response
{
"data": {
"message": "Email verified successfully",
"account": { "id": "...", "email": "...", "username": "...", "role": "user" },
"token": "eyJhbGciOi..."
}
}
Generates a new verification token and sends a verification email. Returns a generic message regardless of whether the account exists (prevents enumeration).
| Parameter | Type | Description |
|---|---|---|
| string | required Account email |
// Response
{ "success": true, "data": { "message": "If an account with that email exists, a verification email has been sent." } }
Sends a password reset email. Returns a generic response regardless of whether the account exists. Rate limited to 2 requests per IP per 24 hours.
| Parameter | Type | Description |
|---|---|---|
| string | required Account email |
// Response
{ "success": true, "data": { "message": "If an account with that email exists, a password reset link has been sent." } }
Resets the account password using a token from the password reset email. Token expires after 1 hour and is single-use.
| Parameter | Type | Description |
|---|---|---|
| token | string | required Reset token from email |
| newPassword | string | required Must meet password complexity requirements |
// Response
{ "success": true, "data": { "message": "Password has been reset successfully. You can now log in." } }
Reset password using username + TOTP code for users who have 2FA enabled but lost email access. Rate limited to 2 requests per IP per 24 hours.
| Parameter | Type | Description |
|---|---|---|
| username | string | required Username or email |
| twoFactorCode | string | required Current TOTP code |
| newPassword | string | required New password |
Revokes the current JWT token by adding it to a blocklist. The token will be rejected on subsequent requests until it naturally expires. Requires Bearer token.
// Response
{ "success": true, "data": { "message": "Logged out" } }
Generates a new API key for the authenticated account. The old key is immediately invalidated. Requires Bearer token.
// Response
{ "data": { "apiKey": "sa_new_key_here..." } }
Two-Factor Authentication (2FA)
Generates a TOTP secret and returns it along with the otpauth URL for QR code scanning. The secret is stored but 2FA is not enabled until verified with /2fa/enable. Requires Bearer token.
// Response
{
"data": {
"secret": "JBSWY3DPEHPK3PXP",
"otpauth": "otpauth://totp/SwiftAuth:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=SwiftAuth"
}
}
Verifies the TOTP code and enables 2FA on the account. Must call /2fa/setup first. Requires Bearer token.
| Parameter | Type | Description |
|---|---|---|
| code | string | required 6-digit TOTP code from authenticator app |
// Response
{ "success": true, "data": { "message": "2FA enabled successfully" } }
Disables 2FA. Requires both the current password and a valid TOTP code for security. Requires Bearer token.
| Parameter | Type | Description |
|---|---|---|
| password | string | required Current account password |
| code | string | required Current 6-digit TOTP code |
// Response
{ "success": true, "data": { "message": "2FA disabled" } }
Returns all available subscription plans with pricing and feature limits. No authentication required.
// Response
{
"data": [
{
"name": "free",
"displayName": "Free",
"priceMonth": 0,
"limits": {
"maxApps": 1,
"maxUsersPerApp": 15,
"maxApiCallsMonth": 2500,
"webSocketAccess": false,
"features": ["users", "licenses", "devices", "logs"]
}
},
{ "name": "pro", "displayName": "Pro", "priceMonth": 4.99, ... },
{ "name": "business", "displayName": "Business", "priceMonth": 9.99, ... }
]
}
| Parameter | Type | Description |
|---|---|---|
| plan | string | required Plan name: free, pro, or business |
free is currently available via self-service. Paid plan upgrades (pro, business) must be assigned by an administrator.
Applications
All application endpoints require Bearer token authentication.
Returns all applications owned by the authenticated account with resource counts.
// Response
{
"data": [{
"id": "...", "name": "MyApp", "secret": "***abc123",
"enabled": true, "version": "1.0.0", "paused": false,
"antiDebug": false, "antiVM": false, "description": "",
"createdAt": "...", "updatedAt": "...",
"counts": { "users": 150, "licenses": 500, "sessions": 42,
"variables": 10, "files": 3, "tokens": 5, "rules": 2 }
}]
}
Creates a new application. Subject to plan limits on max applications.
| Parameter | Type | Description |
|---|---|---|
| name | string | required Application name (must be unique per account) |
| description | string | optional |
| version | string | optional Default: "1.0.0" |
// Response (201 Created)
{
"data": {
"id": "...", "name": "MyApp", "secret": "full_secret_shown_only_on_creation",
"enabled": true, "version": "1.0.0", "description": ""
}
}
Returns a single application's details. The secret is masked (last 6 characters only).
// Response
{
"data": {
"id": "...", "name": "MyApp", "secret": "***abc123",
"enabled": true, "paused": false, "version": "1.0.0",
"antiDebug": false, "antiVM": false,
"lockHwid": false, "lockIp": false, "lockPcName": false,
"description": "", "createdAt": "...", "updatedAt": "..."
}
}
Update any combination of application settings.
| Parameter | Type | Description |
|---|---|---|
| name | string | optional Application name |
| description | string | optional |
| version | string | optional |
| enabled | boolean | optional Enable/disable the app |
| paused | boolean | optional Pause app (blocks new logins) |
| antiDebug | boolean | optional Enable anti-debug detection |
| antiVM | boolean | optional Enable VM detection |
| lockHwid | boolean | optional Lock users to hardware ID |
| lockIp | boolean | optional Lock users to IP address |
| lockPcName | boolean | optional Lock users to PC name |
Permanently deletes the application and all associated data (users, licenses, sessions, variables, files, rules, logs, integrations).
| Parameter | Type | Description |
|---|---|---|
| confirm | boolean | required Must be true to confirm deletion |
Generates a new secret key for the application. The old secret is immediately invalidated. All SDK clients will need the new secret to call /api/client/init.
// Response
{ "data": { "secret": "new_full_secret_48chars..." } }
Returns aggregate statistics for the application including user, license, session, and login counts.
// Response
{
"data": {
"users": { "total": 150, "active": 120, "banned": 5 },
"licenses": { "total": 500, "used": 300, "unused": 200 },
"sessions": { "active": 42 },
"logins": { "today": 85, "thisWeek": 450 }
}
}
Users
Manage application users. All endpoints require :appId.
| Query Param | Type | Description |
|---|---|---|
| search | string | Search by username or email |
| limit | int | Default: 50 |
| offset | int | Default: 0 |
| sortBy | string | username, created_at, last_login_at, expires_at |
| sortOrder | string | asc or desc |
| banned | string | "true" or "false" |
| expired | string | "true" to filter expired users |
| Parameter | Type | Description |
|---|---|---|
| username | string | required |
| password | string | required |
| string | optional | |
| level | int | optional Default: 1 |
| expiresAt | string | optional RFC3339 format |
| deviceLimit | int | optional Default: 1 |
| metadata | object | optional JSON metadata |
Returns user with preloaded devices and subscriptions.
Accepts any combination of: password, email, level, expiresAt, deviceLimit, enabled, banned, banReason, hwid, displayName, pcName, lockedIp, hwidResetMax, hwidResetCooldown, ipResetMax, ipResetCooldown, metadata.
Permanently removes the user.
Clears HWID, locked IP, and all registered devices. Respects per-user cooldown and max reset limits.
| Parameter | Type | Description |
|---|---|---|
| duration | int | required Seconds to add |
Returns the user's last login IP and locked IP. Admin only — requires the account to have the admin role.
// Response
{ "data": { "lastLoginIp": "1.2.3.4", "lockedIp": "1.2.3.4" } }
Deletes all active sessions for the specified user. Also sends a force_logout event via WebSocket if the user is connected.
// Response
{ "data": { "deleted": 3 } }
Licenses
| Query Param | Type | Description |
|---|---|---|
| search | string | Search key, used_by, or note |
| limit | int | Default: 50 |
| offset | int | Default: 0 |
| sortBy | string | key, created_at, expires_at, used_count |
| used | string | "true" or "false" |
| banned | string | "true" |
| expired | string | "true" |
| Parameter | Type | Description |
|---|---|---|
| count | int | Number of keys to generate (1-1000) |
| level | int | License level (default: 1) |
| maxUses | int | Max activations (0 = unlimited) |
| duration | int | Expiry duration in seconds (applied on activation) |
| expiresAt | string | RFC3339 absolute expiry for the key itself |
| prefix | string | Key prefix (e.g., "SWIFT") |
| note | string | Admin note |
| Parameter | Type | Description |
|---|---|---|
| key | string | required License key to verify |
Returns the license details if valid, or an error if not found/expired/banned.
Accepts: level, maxUses, duration, deviceLimit, displayName, note, enabled, banned.
Permanently removes the license key.
Returns full details for a single license key.
Delete multiple licenses at once, either by IDs or by filter. Provide ids for specific deletions, or filter for bulk cleanup.
| Parameter | Type | Description |
|---|---|---|
| ids | array | optional Array of license IDs to delete |
| filter | string | optional Bulk filter: "used", "expired", or "banned" |
// Response
{ "data": { "deleted": 15 } }
Returns IP and device info for the user who activated this license. Admin only — requires the account to have the admin role.
// Response
{
"data": {
"lastLoginIp": "1.2.3.4", "lockedIp": "1.2.3.4",
"hwid": "ABC123...", "pcName": "DESKTOP-XYZ"
}
}
Devices
View and manage trusted devices registered via HWID tracking.
| Query Param | Type | Description |
|---|---|---|
| search | string | Search by HWID or username |
| limit | int | Default: 50 |
| offset | int | Default: 0 |
Removes a registered device, allowing the user to authenticate from a new device.
Tokens
Generate and manage application access tokens.
| Query Param | Type | Description |
|---|---|---|
| limit | int | Default: 50 |
| offset | int | Default: 0 |
| Parameter | Type | Description |
|---|---|---|
| count | int | Number of tokens (1-500) |
| maxUses | int | 0 = unlimited |
| expiresAt | string | RFC3339 expiry |
| note | string | Admin note |
| level | int | Token level (default: 1) |
Update token properties.
| Parameter | Type | Description |
|---|---|---|
| maxUses | int | optional |
| note | string | optional |
| enabled | boolean | optional |
| level | int | optional |
Permanently removes the token.
Variables
Key-value configuration variables accessible by your application at runtime.
Returns all variables sorted by key.
| Parameter | Type | Description |
|---|---|---|
| key | string | required |
| value | string | required |
| type | string | STRING, INT, FLOAT, BOOL, JSON (default: STRING) |
| Parameter | Type | Description |
|---|---|---|
| variables | array | Array of {key, value, type} objects |
| Parameter | Type | Description |
|---|---|---|
| value | string | optional New value |
| type | string | optional STRING, INT, FLOAT, BOOL, JSON |
Permanently removes the variable.
User Variables
Per-user key-value storage scoped to individual app users. Unlike app variables which are shared across all users, user variables store data specific to each user (preferences, progress, state, etc.).
Returns all variables for the specified user, sorted by key.
| Parameter | Type | Description |
|---|---|---|
| key | string | required |
| value | string | required |
Pushes a user_variable_update event to the user via WebSocket if connected.
| Parameter | Type | Description |
|---|---|---|
| value | string | New value for the variable |
Permanently removes the variable. Pushes a user_variable_delete event via WebSocket.
License Variables
Per-license key-value storage scoped to individual license keys. Attach custom data (configuration, metadata, feature flags) directly to a license. Pro+
Returns all variables attached to the specified license, sorted by key.
| Parameter | Type | Description |
|---|---|---|
| key | string | required Unique variable key |
| value | string | Variable value |
| type | string | STRING, INT, FLOAT, BOOL, or JSON (default: STRING) |
Value is validated against the specified type. Duplicate keys within the same license are rejected.
| Parameter | Type | Description |
|---|---|---|
| value | string | New value for the variable |
| type | string | New type (optional) |
Permanently removes the variable from the license.
Files
Returns all uploaded files for the application.
Use multipart/form-data with field file. Optional fields: name, version.
Returns the file as a binary download with Content-Disposition header.
| Parameter | Type | Description |
|---|---|---|
| name | string | optional Display name |
| version | string | optional File version |
Permanently removes the file from storage and database.
Rules
IP, HWID, and country blacklist/whitelist rules enforced during authentication.
| Query Param | Type | Description |
|---|---|---|
| type | string | Filter by type (ip, hwid, country) |
| action | string | Filter by action (blacklist, whitelist) |
| Parameter | Type | Description |
|---|---|---|
| type | string | required ip, hwid, country |
| action | string | required blacklist or whitelist |
| value | string | required The value to match |
| note | string | optional |
Create multiple rules at once.
| Parameter | Type | Description |
|---|---|---|
| rules | array | required Array of {type, action, value, note} objects |
| Parameter | Type | Description |
|---|---|---|
| value | string | optional |
| note | string | optional |
| enabled | boolean | optional |
Permanently removes the rule.
Logs
| Query Param | Type | Description |
|---|---|---|
| event | string | Filter by event type |
| level | string | DEBUG, INFO, WARNING, ERROR, CRITICAL |
| username | string | Search by username (ILIKE) |
| startDate | string | RFC3339 start date |
| endDate | string | RFC3339 end date |
| limit | int | Default: 50 |
| offset | int | Default: 0 |
| Query Param | Type | Description |
|---|---|---|
| hours | int | Lookback period (default: 24) |
// Response
{
"data": {
"total": 1250, "byLevel": { "INFO": 900, "WARNING": 200, "ERROR": 150 },
"byEvent": { "user.login": 500, "session.init": 300, ... }
}
}
Returns all distinct event types that have been logged for this application.
// Response
{ "data": ["user.login", "user.register", "session.init", "license.activate", ...] }
Deletes log entries older than the specified number of days.
| Query Param | Type | Description |
|---|---|---|
| days | int | Delete logs older than N days (default: 30) |
// Response
{ "data": { "deleted": 500 } }
Integrations
Configure webhook integrations for Discord, Telegram, Slack, and custom endpoints.
| Parameter | Type | Description |
|---|---|---|
| name | string | required |
| type | string | required DISCORD, TELEGRAM, SLACK, CUSTOM |
| webhookUrl | string | required |
| events | array | required Event types to listen for |
Returns all integrations for the application. Webhook URLs are masked for security.
Returns all event types that can be subscribed to via integrations.
// Response
{ "data": [
"user.login", "user.login_failed", "user.register", "user.create", "user.update",
"user.delete", "user.ban", "user.extend", "user.hwid_reset", "user.session_kill",
"license.activate", "license.create", "license.update", "license.delete",
"session.init", "session.end", "token.validate", "token.create", "token.delete",
"file.upload", "file.download", "file.update", "file.delete",
"variable.create", "variable.update", "variable.delete",
"rule.create", "rule.update", "rule.delete", "rule.triggered",
"integration.create", "integration.update", "integration.delete",
"app.update", "app.secret_reset"
] }
| Parameter | Type | Description |
|---|---|---|
| name | string | optional |
| webhookUrl | string | optional Must be HTTPS and public |
| events | array | optional Event types to listen for |
| enabled | boolean | optional |
Permanently removes the integration.
Sends a test webhook to the integration's configured URL. Supports Discord embeds, Telegram messages, Slack attachments, and custom JSON payloads.
// Response
{ "success": true, "data": { "message": "Test webhook sent" } }
Generates a new signing secret for CUSTOM type integrations. The old secret is immediately invalidated.
// Response
{ "data": { "secret": "new_secret_32chars..." } }
Analytics
Application analytics endpoints providing usage metrics, activity trends, geographic data, and recent events. All endpoints require Bearer token and :appId.
Returns aggregate metrics for users, licenses, sessions, and activity within the specified period.
| Query Param | Type | Description |
|---|---|---|
| period | string | Time period: "1h", "24h" (default), "7d", or "30d" |
// Response
{
"data": {
"period": "24h",
"users": { "total": 150, "new": 5, "active": 42, "banned": 3 },
"licenses": { "total": 500, "unused": 200 },
"sessions": { "active": 28 },
"activity": { "logins": 85, "failedLogins": 12, "registrations": 5 }
}
}
Returns event counts bucketed by hour or day for charting activity trends.
| Query Param | Type | Description |
|---|---|---|
| period | string | "24h" (hourly buckets), "7d" (default, daily), or "30d" (daily) |
| event | string | Event type to chart (default: "user.login") |
// Response
{ "data": [
{ "bucket": "2025-01-15", "count": 42 },
{ "bucket": "2025-01-16", "count": 55 },
...
] }
Returns login counts grouped by country code, based on IP geolocation data from log entries.
| Query Param | Type | Description |
|---|---|---|
| days | int | Lookback period in days (default: 30) |
// Response
{ "data": [
{ "country": "US", "count": 250 },
{ "country": "GB", "count": 80 },
...
] }
Returns the most recent log entries for the application, useful for a live activity feed.
| Query Param | Type | Description |
|---|---|---|
| limit | int | Number of entries (default: 20) |
// Response
{ "data": [
{ "id": "...", "event": "user.login", "message": "User logged in",
"username": "john", "ipAddress": "1.2.3.4", "level": "INFO",
"createdAt": "2025-01-15T10:30:00Z" },
...
] }
Client API: Init & Nonce
The Client API is used by your application to authenticate users. All endpoints are under /api/client.
X-Nonce header. Fetch a nonce via POST /api/client/nonce immediately before each mutating request.
| Parameter | Type | Description |
|---|---|---|
| secret | string | required Application secret key |
// Response
{
"data": {
"sessionToken": "sess_abc123...",
"app": { "name": "MyApp", "version": "1.0.0" }
}
}
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
// Response
{ "data": { "nonce": "abc123..." } }
Client API: Login & Register
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| username | string | required |
| password | string | required |
| licenseKey | string | optional License key to attach on login |
| hwid | string | optional Hardware ID for device locking |
| pcName | string | optional |
Requires X-Nonce header.
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| username | string | required |
| password | string | required |
| licenseKey | string | optional License to activate on registration |
Requires X-Nonce header.
Client API: Licensing
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| licenseKey | string | required |
| hwid | string | optional |
Authenticate using only a license key (no username/password). Requires X-Nonce header.
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| licenseKey | string | required |
Activates a license key for the currently logged-in user. Requires X-Nonce header.
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| licenseKey | string | required License key to check |
Checks if a license key is valid without activating it. Returns validity status, issues, and license details.
// Response
{
"data": {
"valid": true,
"exists": true,
"banned": false,
"enabled": true,
"issues": [],
"license": {
"level": 1,
"duration": 2592000,
"expiresAt": "2025-12-31T00:00:00Z",
"usedCount": 1,
"maxUses": 5,
"usedBy": "user123"
}
}
}
Client API: Sessions
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
Keep-alive ping. Must be called periodically to prevent session expiry. Requires X-Nonce header.
Validates if a session token is still active. Body: { "sessionToken": "..." }
Gracefully ends the session. Body: { "sessionToken": "..." }
Client API: Data & Files
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| key | string | required |
Returns all variables for the application. Body: { "sessionToken": "..." }
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| key | string | required |
Returns the value of a variable attached to the user's active license. Returns { key, value, type }.
Returns all variables attached to the user's active license. Body: { "sessionToken": "..." }
Response is an array of { key, value, type } objects.
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| key | string | required |
Returns the value of a user-specific variable. Requires an authenticated (logged-in) session.
Returns all variables for the authenticated user. Body: { "sessionToken": "..." }
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| key | string | required |
| value | string | required |
Creates or updates a user variable. If the key already exists, its value is overwritten (upsert).
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| key | string | required |
Permanently deletes a user variable by key.
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| fileName | string | required |
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| currentVersion | string | required |
| fileName | string | required |
Compares the current version against the latest file version. Returns download URL if update available.
Returns the authenticated user's profile. Body: { "sessionToken": "..." }
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| event | string | required Event name (e.g., "app.crash", "feature.used") |
| message | string | required Log message |
| data | object | optional Additional JSON data |
Client API: Account & Tokens
Validates an application access token and increments its usage counter. Returns the token's level for permission checks.
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| token | string | required The access token to validate |
// Response
{ "data": { "valid": true, "level": 1 } }
Allows the logged-in app user to change their password.
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| currentPassword | string | required |
| newPassword | string | required |
// Response
{ "success": true, "data": { "message": "Password changed" } }
Requests an HWID/IP reset for a user via their license key. Sends a confirmation email to the user's registered email. Respects per-user reset limits and cooldowns.
| Parameter | Type | Description |
|---|---|---|
| sessionToken | string | required |
| licenseKey | string | required License key linked to the user |
| hwid | string | optional New HWID to set after reset |
// Response
{ "success": true, "data": { "message": "Reset confirmation email sent" } }
Confirms the HWID/IP reset using the token from the confirmation email. Returns an HTML success page. Token is single-use and time-limited.
| Parameter | Type | Description |
|---|---|---|
| token | string | required Reset confirmation token (URL param) |
WebSocket API: Overview
The WebSocket API provides real-time bidirectional communication between your application dashboard, your server, and connected client SDK users. WebSocket features are available on the Business plan only.
403 PLAN_FEATURE error.
Connection Types
There are two WebSocket connection types:
Dashboard Connection — Authenticated via JWT token. Used by the app owner's dashboard to receive real-time events (user connects/disconnects, online counts, live sessions, chat, custom events).
Client Connection — Authenticated via session token. Used by end-user applications to receive messages, commands, force-logouts, and custom payloads from the dashboard.
Connection Limits
| Limit | Value | Description |
|---|---|---|
| Per app | 500 | Maximum client connections per application |
| Per user | 1 | Maximum WebSocket connections per user |
| Upgrade rate | 10/min | Maximum upgrade requests per IP per minute |
| Message rate | 20/10s | Client message rate limit (30/10s for dashboard) |
Event Format
All messages are JSON with a type field and optional data field:
{
"type": "event_name",
"data": { ... }
}
WebSocket: Dashboard Connection
Upgrades the HTTP connection to a WebSocket. Authentication is done via the token query parameter (your JWT), since browsers cannot send custom headers during WebSocket upgrade.
| Parameter | Type | Description |
|---|---|---|
| appId | string | required Application ID (URL param) |
| token | string | required JWT token (query param) |
On connect, the server automatically sends the current online_count and sessions list.
Sending Messages (Dashboard → Server)
| Type | Fields | Description |
|---|---|---|
| ping | Keepalive ping (server replies with pong) | |
| get_online | Request current online user count | |
| get_sessions | Request list of live sessions with metadata | |
| chat | userId, message | Send a chat message to a specific user |
| push_json | userId?, payload | Push custom JSON to a user (or broadcast if no userId) |
| typing | userId, typing | Send typing indicator to a user |
| kick | userId, reason? | Kick a user with an optional reason |
| ban | userId, reason? | Ban a user and disconnect them |
| command | command, userId?, payload? | Send a named command to a user or all clients |
| set_filters | events | Subscribe to specific event types only |
Receiving Events (Server → Dashboard)
| Type | Data | Description |
|---|---|---|
| pong | Response to ping | |
| online_count | count | Current online user count |
| sessions | sessions | Array of live sessions |
| session_connect | userId, username, ip | A user connected |
| session_disconnect | userId, username | A user disconnected |
| chat | userId, username, message | Chat message from a user |
| custom_event | event, userId, username, data | Custom event sent by a client |
| error | message | Error message (e.g. rate limited) |
// Example: Connect to dashboard WebSocket
const ws = new WebSocket(
`wss://swiftauth.net/api/apps/${appId}/ws/connect?token=${jwt}`
);
ws.onopen = () => {
// Subscribe to specific events only
ws.send(JSON.stringify({ type: "set_filters", events: ["chat", "session_connect"] }));
};
ws.onmessage = (event) => {
const msg = JSON.parse(event.data);
if (msg.type === "online_count") {
console.log("Online users:", msg.data.count);
}
};
// Send a chat message to a user
ws.send(JSON.stringify({ type: "chat", userId: "user_123", message: "Hello!" }));
WebSocket: Client Connection
Upgrades the HTTP connection to a WebSocket for client SDK users. Authenticated via the token query parameter (session token from login). The server enforces IP pinning, user state validation, and rule checks before allowing upgrade.
| Parameter | Type | Description |
|---|---|---|
| token | string | required Session token (query param) |
The server revalidates the session and user state every 30 seconds. If the session expires, user gets banned, or the app is paused/disabled, the server sends a force_logout event and closes the connection.
Sending Messages (Client → Server)
| Type | Fields | Description |
|---|---|---|
| ping | Keepalive ping (server replies with pong) | |
| set_status | status | Set presence status (e.g. "online", "away", "busy") |
| chat | message | Send a chat message (forwarded to dashboard) |
| typing | typing | Send typing indicator (boolean) |
| set_metadata | metadata | Set custom metadata (max 20 key-value pairs) |
| custom | data?, message? | Any other type triggers hook evaluation and is forwarded to the dashboard |
Receiving Events (Server → Client)
| Type | Data | Description |
|---|---|---|
| pong | Response to ping | |
| variable_update | key, value, type | An app variable was created or updated |
| variable_delete | key | An app variable was deleted |
| user_variable_update | key, value | A per-user variable was created or updated |
| user_variable_delete | key | A per-user variable was deleted |
| message | message, type | Broadcast or targeted message from dashboard |
| chat | message | Chat message from dashboard |
| command | command, payload | Named command from dashboard |
| custom | * | Custom JSON payload pushed from dashboard |
| force_logout | reason | Forced disconnect (session expired, kicked, etc.) |
| banned | reason | Banned by application owner |
| typing | typing | Typing indicator from dashboard |
| error | message | Error message (e.g. rate limited) |
// Example: Connect as a client SDK user
const ws = new WebSocket(
`wss://swiftauth.net/api/client/ws?token=${sessionToken}`
);
ws.onmessage = (event) => {
const msg = JSON.parse(event.data);
switch (msg.type) {
case "variable_update":
console.log("Variable changed:", msg.data.key, "=", msg.data.value);
break;
case "variable_delete":
console.log("Variable removed:", msg.data.key);
break;
case "user_variable_update":
console.log("User variable:", msg.data.key, "=", msg.data.value);
break;
case "message":
console.log(`[${msg.data.type}] ${msg.data.message}`);
break;
case "force_logout":
console.log("Disconnected:", msg.data.reason);
ws.close();
break;
case "banned":
console.log("Banned:", msg.data.reason);
ws.close();
break;
case "command":
handleCommand(msg.data.command, msg.data.payload);
break;
}
};
// Set presence status
ws.send(JSON.stringify({ type: "set_status", status: "online" }));
// Send a chat message
ws.send(JSON.stringify({ type: "chat", message: "Hello from client!" }));
// Send a custom event (triggers hooks)
ws.send(JSON.stringify({ type: "player_score", data: { score: 1500, level: 3 } }));
WebSocket: REST Endpoints
These REST endpoints allow you to interact with WebSocket-connected users from your server without maintaining a WebSocket connection yourself. All require dashboard JWT authentication and the :appId URL parameter.
Returns the number of currently connected client WebSocket users.
// Response
{ "success": true, "data": { "count": 42 } }
Returns all currently connected WebSocket sessions with user details.
// Response
{
"success": true,
"data": {
"count": 2,
"sessions": [
{ "userId": "...", "username": "john", "ip": "1.2.3.4", "connectedAt": "..." },
{ "userId": "...", "username": "jane", "ip": "5.6.7.8", "connectedAt": "..." }
]
}
}
Send a message to all connected client WebSocket users.
| Parameter | Type | Description |
|---|---|---|
| message | string | required The message to broadcast |
| type | string | optional Message type: "info" (default), "warning", "alert" |
// Response
{ "success": true, "data": { "sent": true, "onlineUsers": 42 } }
Send a force-logout event to a specific user, disconnecting them.
| Parameter | Type | Description |
|---|---|---|
| userId | string | required Target user ID (URL param) |
| reason | string | optional Reason shown to the user |
Kick a user from the WebSocket connection with an optional reason.
| Parameter | Type | Description |
|---|---|---|
| userId | string | required Target user ID (URL param) |
| reason | string | optional Kick reason shown to the user |
Ban a user (sets banned flag in database) and immediately disconnects them from WebSocket.
| Parameter | Type | Description |
|---|---|---|
| userId | string | required Target user ID (URL param) |
| reason | string | optional Ban reason |
Send a chat message to a specific connected user.
| Parameter | Type | Description |
|---|---|---|
| userId | string | required Target user ID |
| message | string | required Chat message |
Send a named command to a specific user or all connected clients. If userId is omitted, the command is broadcast to all clients.
| Parameter | Type | Description |
|---|---|---|
| command | string | required Command name |
| userId | string | optional Target user ID (omit to broadcast) |
| payload | object | optional Arbitrary JSON payload |
Push a custom JSON payload to a specific user or all connected clients.
| Parameter | Type | Description |
|---|---|---|
| payload | object | required Arbitrary JSON payload to push |
| userId | string | optional Target user ID (omit to broadcast to all) |
WebSocket: Hooks
WebSocket hooks let you automate server-side responses to custom events sent by clients. When a client sends a message with a custom type, the hook engine evaluates matching hooks and executes their actions. Maximum 20 hooks per application.
Hook Actions
Each hook can have up to 5 actions. Supported action types:
| Action Type | Target | Description |
|---|---|---|
| respond | sender | Send a response back to the user who triggered the event |
| send_message | userId | Send a message to a specific user |
| broadcast | all | Broadcast a message to all connected clients |
| push_json | userId or all | Push a custom JSON payload |
| kick | userId or sender | Kick a user |
| ban | userId or sender | Ban a user |
| log | Create a log entry |
Hook Conditions
Conditions (max 5 per hook) filter when a hook fires. All conditions must match (AND logic).
| Operator | Description |
|---|---|
| eq | Field equals value |
| neq | Field does not equal value |
| contains | Field contains value (substring) |
| exists | Field exists (is not empty) |
Returns all WebSocket hooks for the application, ordered by priority.
// Response
{
"success": true,
"data": {
"count": 1,
"hooks": [{
"id": "...",
"name": "Welcome Message",
"event": "join_room",
"conditions": [{ "field": "data.room", "operator": "eq", "value": "lobby" }],
"actions": [{ "type": "respond", "message": "Welcome to the lobby!" }],
"enabled": true,
"priority": 0
}]
}
}
| Parameter | Type | Description |
|---|---|---|
| name | string | required Hook name (max 100 chars) |
| event | string | required Custom event type to trigger on (max 50 chars, cannot be a system event) |
| actions | array | required Array of action objects (max 5) |
| conditions | array | optional Array of condition objects (max 5) |
| description | string | optional Hook description (max 500 chars) |
| priority | integer | optional Execution priority, lower runs first (0-999, default 0) |
// Example: Create a hook
POST /api/apps/:appId/ws/hooks
{
"name": "Auto-welcome",
"event": "join_room",
"conditions": [
{ "field": "data.room", "operator": "eq", "value": "lobby" }
],
"actions": [
{ "type": "respond", "message": "Welcome to the lobby!" },
{ "type": "log", "message": "User joined lobby" }
]
}
Update any field of an existing hook. Only include the fields you want to change.
| Parameter | Type | Description |
|---|---|---|
| name | string | optional New name |
| event | string | optional New trigger event |
| actions | array | optional New actions array |
| conditions | array | optional New conditions array |
| description | string | optional New description |
| enabled | boolean | optional Enable or disable the hook |
| priority | integer | optional New priority (0-999) |
Permanently deletes a WebSocket hook.
| Parameter | Type | Description |
|---|---|---|
| hookId | string | required Hook ID (URL param) |