BlackLeach API Documentation
BlackLeach is a public multi-step keysystem and license validation platform for creators. It supports Linkvertise and LootLabs unlock flows, project-scoped API keys, HWID binding, license checks, and protected Lua/Luau script delivery.
This static page exists for search engines and AI crawlers that do not execute JavaScript. The interactive application is available at blackleach.xyz.
Validation Endpoint
Send a POST request to https://blackleach.xyz/api/validkey to validate a user
license key for a specific keysystem.
Required Headers
{
  "Content-Type": "application/json",
  "X-BlackLeach-API-Key": "YOUR_API_KEY"
}
Every validation request must include a project-scoped API key generated from
Dashboard > API Keys. The API key may also be sent as an
Authorization: Bearer YOUR_API_KEY header.
Request Body
{
  "keysystem_id": "YOUR_KEYSYSTEM_ID",
  "key": "USER_LICENSE_KEY",
  "hwid": "DEVICE_OR_EXECUTOR_HWID",
  "include_script": true,
  "client_nonce": "RANDOM_PER_REQUEST_NONCE"
}
Request Fields
keysystem_id: required project or keysystem ID.
key: license key entered by the user.
hwid: stable device or executor identifier. The first successful validation binds the license to this HWID.
include_script: set to true to request protected script delivery, or false for validation only.
client_nonce: random value generated per request. Required when using protected script delivery.
Success Response
{
  "valid": true,
  "expires_at": "2026-05-01T12:00:00Z",
  "loader": "...",
  "script": {
    "enabled": true,
    "version": 3,
    "format": "luau",
    "loader": "loadstring(game:HttpGet(\"https://api.blackleach.xyz/2d8f...\"))()",
    "payload": "loadstring(game:HttpGet(\"https://api.blackleach.xyz/2d8f...\"))()",
    "delivery_url": "https://api.blackleach.xyz/2d8f...",
    "signature": "...",
    "protection_tier": "starter",
    "issued_at": "2026-04-29T12:00:00Z",
    "expires_at": "2026-04-29T12:05:00Z"
  }
}
Failure Responses
400: missing key, missing HWID, missing keysystem ID, or malformed JSON.
401: missing or invalid API key.
405: only POST and OPTIONS are accepted.
429: too many validation attempts in a short period.
200 with valid: false: invalid, expired, revoked, mismatched, or wrong-project license key.
JavaScript Example
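// Top-level await: run this as an ES module or inside an async function.
const response = await fetch("https://blackleach.xyz/api/validkey", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "X-BlackLeach-API-Key": "YOUR_API_KEY"
  },
  // Validation only: include_script is false, so no client_nonce is sent.
  body: JSON.stringify({
    keysystem_id: "YOUR_KEYSYSTEM_ID",
    key: "USER_LICENSE_KEY",
    hwid: "DEVICE_OR_EXECUTOR_HWID",
    include_script: false
  })
});
// 400, 401, 405 and 429 are request-level failures, not license decisions.
if (!response.ok) {
  throw new Error("Validation request failed with HTTP " + response.status);
}
const data = await response.json();
// A 200 response can still carry valid: false; accept only a literal true.
if (data.valid !== true) {
  throw new Error(data.message || "Invalid key");
}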
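Added example, not BlackLeach's own code: one way to wrap the request and response handling described on this page so that each documented failure response is handled, anything other than a literal valid: true is rejected, and a delivered script is refused once its own expires_at has passed. The function names, reason strings, and the injectable nonce and fetchImpl parameters are assumptions of this sketch.

```javascript
// Added example; endpoint, fields and status codes are the ones documented on this page.
const ENDPOINT = "https://blackleach.xyz/api/validkey";

// Build the fetch() arguments. A fresh client_nonce is generated per request
// unless the caller supplies one (the nonce parameter is this sketch's own).
function buildRequest({ apiKey, keysystemId, key, hwid, includeScript = false, nonce }) {
  for (const [name, v] of Object.entries({ apiKey, keysystemId, key, hwid })) {
    if (typeof v !== "string" || v.length === 0) throw new TypeError(`missing ${name}`);
  }
  const body = { keysystem_id: keysystemId, key, hwid, include_script: includeScript };
  if (includeScript) body.client_nonce = nonce ?? globalThis.crypto.randomUUID();
  return {
    url: ENDPOINT,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json", "X-BlackLeach-API-Key": apiKey },
      body: JSON.stringify(body),
    },
  };
}

// Reason strings are hypothetical labels for the documented status codes.
const STATUS_REASONS = {
  400: "bad_request", 401: "api_key_rejected", 405: "method_not_allowed", 429: "rate_limited",
};

// Map a status code and parsed body to a decision, failing closed.
function interpretResponse(status, body, { includeScript = false, now = Date.now() } = {}) {
  if (status !== 200) {
    return { ok: false, reason: STATUS_REASONS[status] ?? "unexpected_status", retry: status === 429 };
  }
  // Only a literal boolean true counts; "true", 1 or a missing field do not.
  if (!body || body.valid !== true) return { ok: false, reason: "invalid_license", retry: false };
  if (!includeScript) return { ok: true, expiresAt: body.expires_at };
  const s = body.script;
  if (!s || s.enabled !== true) return { ok: false, reason: "script_unavailable", retry: false };
  // The script object carries its own short expiry; refuse it after that time.
  const exp = Date.parse(s.expires_at);
  if (Number.isNaN(exp) || exp <= now) return { ok: false, reason: "script_expired", retry: false };
  return { ok: true, expiresAt: body.expires_at, script: s };
}

// fetchImpl is injectable so the logic can be exercised without network access.
async function validateKey(params, fetchImpl = fetch) {
  const { url, init } = buildRequest(params);
  const res = await fetchImpl(url, init);
  const body = res.status === 200 ? await res.json() : null;
  return interpretResponse(res.status, body, { includeScript: params.includeScript });
}
```

Passing the API key in as a parameter keeps it out of the source file, so it can be loaded from whatever secret storage the calling environment provides.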