For developers

Game API

Your Roblox game servers call these endpoints to check keys and grant perks.

Authentication

Send your secret in the x-api-key header on every request (set GAME_API_KEY in your env). Calls must come from the game server (HttpService enabled). If no key is set, the API runs in demo mode with sample data.

GET /api/game/ping - Health + auth check.
GET /api/game/entitlement?userId= - Does the user have an ACTIVE entitlement? The main check.
GET /api/game/perks?userId= - Resolved perks object to apply in-game.
GET /api/game/user?userId= - Full summary: active flag, entitlements, keys.
GET /api/game/keys?userId= - All keys tied to a user (masked).
POST /api/game/validate - Check a key without redeeming. Body: { key }
POST /api/game/redeem - Redeem a key (atomic, single-use). Body: { key, userId, discordId? }
POST /api/game/mint - Mint a key after an in-game dev-product purchase (idempotent per receipt). Body: { userId, product, receiptId }
POST /api/game/grant - Grant an entitlement directly. Body: { userId, product, days? }
POST /api/game/extend - Add time to an entitlement. Body: { userId, product, days }
POST /api/game/revoke - Revoke. Body: { key } or { userId, product? }
GET /api/game/stats - Totals for dashboards.

Example — check a key in Luau

local HttpService = game:GetService("HttpService")
local BASE    = "https://bkpremium.online"   -- your site URL
local API_KEY = "YOUR_GAME_API_KEY"          -- keep in a server-side Script only, never a LocalScript

-- Call this on PlayerAdded to see if a player has active perks
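local function hasActiveKey(userId)
    -- pcall covers both the HTTP request and the JSON decode, so a network
    -- error or a malformed response is treated as "no perks" (fail closed)
    local ok, data = pcall(function()
        local res = HttpService:GetAsync(
            BASE .. "/api/game/entitlement?userId=" .. tostring(userId),
            false,
            { ["x-api-key"] = API_KEY }
        )
        return HttpService:JSONDecode(res)
    end)
    if not ok or type(data) ~= "table" then return false end
    return data.active == true
end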

game.Players.PlayerAdded:Connect(function(plr)
    if hasActiveKey(plr.UserId) then
        -- grant your perks here
    end
end)
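
Example (added here, not part of the original documentation): minting a key from ProcessReceipt through POST /api/game/mint, using the Roblox PurchaseId as receiptId so that retries of the same receipt stay idempotent. The PRODUCTS mapping, the product name and the postJson helper are hypothetical, and the code assumes the API signals failure with a non-2xx status.

```luau
local HttpService = game:GetService("HttpService")
local MarketplaceService = game:GetService("MarketplaceService")

local BASE    = "https://bkpremium.online"   -- your site URL
local API_KEY = "YOUR_GAME_API_KEY"          -- server-side Script only

-- Hypothetical mapping: developer product id -> product name known to the API
local PRODUCTS = {
    [1234567890] = "vip_30d",   -- constructed sample values
}

-- POST a JSON body; returns true only on a 2xx response (assumption:
-- the API reports failure with a non-2xx status code).
local function postJson(path, body)
    local ok, res = pcall(function()
        return HttpService:RequestAsync({
            Url = BASE .. path,
            Method = "POST",
            Headers = {
                ["Content-Type"] = "application/json",
                ["x-api-key"] = API_KEY,
            },
            Body = HttpService:JSONEncode(body),
        })
    end)
    return ok and res.Success == true
end

MarketplaceService.ProcessReceipt = function(receiptInfo)
    local product = PRODUCTS[receiptInfo.ProductId]
    if not product then
        -- Unknown product: do not acknowledge a purchase we cannot fulfil
        return Enum.ProductPurchaseDecision.NotProcessedYet
    end

    -- PurchaseId is unique per purchase, so Roblox retries of the same
    -- receipt send the same receiptId and the mint stays idempotent.
    local minted = postJson("/api/game/mint", {
        userId = receiptInfo.PlayerId,
        product = product,
        receiptId = receiptInfo.PurchaseId,
    })

    if minted then
        return Enum.ProductPurchaseDecision.PurchaseGranted
    end
    -- Network or API failure: let Roblox call ProcessReceipt again later
    return Enum.ProductPurchaseDecision.NotProcessedYet
end
```

Returning PurchaseGranted only after the mint call succeeds means a failed request is retried by Roblox instead of leaving a paid purchase without a key.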