BlackLeach API Documentation

BlackLeach is a public multi-step keysystem and license validation platform for creators. It supports Linkvertise and LootLabs unlock flows, project-scoped API keys, HWID binding, license validation, and protected Lua/Luau script delivery.

Validation endpoint

Use POST https://blackleach.xyz/api/validkey to validate a license key for a keysystem. Requests must include the project keysystem_id, the user license key, a stable hwid, and a project API key.

Required API key header

Every validation request must include X-BlackLeach-API-Key with an API key generated from Dashboard > API Keys. The same key can also be sent as an Authorization Bearer token.

Request body

{
  "keysystem_id": "YOUR_KEYSYSTEM_ID",
  "key": "USER_LICENSE_KEY",
  "hwid": "DEVICE_OR_EXECUTOR_HWID",
  "include_script": true,
  "client_nonce": "RANDOM_PER_REQUEST_NONCE"
}

Response

A successful response returns valid: true, the license expiry, optional loader metadata, and when script delivery is enabled, a short-lived protected script loader. Failed responses return valid: false with a message such as missing API key, invalid key, expired key, or HWID mismatch.