These endpoints are live in production today, served by the FloKit payments gateway. They are separate from the v1 REST API, which is still in design-partner preview.
Use the entitlement endpoints to gate premium features: after a purchase is verified (see the Paywall API), your app or backend can check whether the user’s entitlement is active.

Base URL: https://payments-gateway.flokitai.com

Two paths return the same result:
  • GET /api/paywall/entitlement — original path used by the paywall flow.
  • GET /api/entitlements/current — canonical alias; also accepts a userId query parameter as an identity fallback.
Both require your app’s publishable key (pk_..., created per app in the FloKit dashboard) in the x-app-key header — or a short-lived app-session token (minted via POST /api/paywall/token) in x-app-token instead. The key scopes the request to your app and is safe to embed in your app build. @flokit/subscriptions-sdk v0.2.0+ sends it automatically via the appKey option. Tenant resolution happens server-side from the app key and user identity — clients never send a company or tenant ID.
x-app-key enforcement is being phased in ahead of GA. Send it on every request today; once enforcement is on, requests without a valid key receive 401.

GET /api/paywall/entitlement

Headers

Header | Value
x-app-key | Your publishable app key (required)
x-user-id | Your authenticated user ID (required)

Example

curl https://payments-gateway.flokitai.com/api/paywall/entitlement \
  -H "x-app-key: pk_live_your_app_key" \
  -H "x-user-id: usr_abc123"

Response

{
  "active": true,
  "source": "iap"
}

Field | Type | Description
active | boolean | Whether the user currently has an active entitlement
source | string | Where the entitlement came from, e.g. iap

Errors

Status | Body | Condition
401 | { "error": "x-app-key is required." } | Missing app key (once enforcement is on)
401 | { "error": "Invalid app key." } | Unknown or revoked app key
401 | { "error": "x-user-id is required." } | Missing user identity

GET /api/entitlements/current

Alias for the same entitlement check. Identity resolution order: x-user-id header, then userId query parameter.

curl "https://payments-gateway.flokitai.com/api/entitlements/current?userId=usr_abc123" \
  -H "x-app-key: pk_live_your_app_key"

Response and errors are identical to GET /api/paywall/entitlement.
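
A backend-side entitlement gate that fails closed on the response shape and 401 errors documented above. This is an added example, not FloKit code or part of @flokit/subscriptions-sdk; the function names, the 5-second timeout and the reason strings are assumptions.

```javascript
// Added example, not FloKit code; function names are hypothetical.
const BASE_URL = "https://payments-gateway.flokitai.com";

// Build the GET /api/entitlements/current request. On a backend, userId should
// come from your own authenticated session, not from client-supplied input.
function buildEntitlementRequest(appKey, userId) {
  if (typeof appKey !== "string" || !appKey.startsWith("pk_")) {
    throw new TypeError("appKey must be a publishable key (pk_...)");
  }
  if (typeof userId !== "string" || userId === "") {
    throw new TypeError("userId is required");
  }
  return {
    url: `${BASE_URL}/api/entitlements/current`,
    headers: { "x-app-key": appKey, "x-user-id": userId },
  };
}

// Fail closed: only HTTP 200 with a boolean `active` of true grants access.
function interpretEntitlement(status, bodyText) {
  let body = null;
  try {
    body = JSON.parse(bodyText);
  } catch {
    // Non-JSON body (e.g. a proxy error page): handled by the checks below.
  }
  if (status === 401) {
    const msg = body && typeof body.error === "string" ? body.error : "unauthorized";
    return { entitled: false, reason: msg, source: null };
  }
  if (status !== 200) return { entitled: false, reason: `http_${status}`, source: null };
  if (!body || typeof body.active !== "boolean") {
    return { entitled: false, reason: "malformed_body", source: null };
  }
  const source = typeof body.source === "string" ? body.source : null;
  return { entitled: body.active, reason: body.active ? null : "inactive", source };
}

// Network wrapper (Node 18+ global fetch assumed); errors and timeouts deny access.
async function checkEntitlement(appKey, userId, fetchImpl = fetch) {
  const { url, headers } = buildEntitlementRequest(appKey, userId);
  try {
    const res = await fetchImpl(url, { headers, signal: AbortSignal.timeout(5000) });
    return interpretEntitlement(res.status, await res.text());
  } catch {
    return { entitled: false, reason: "network_error", source: null };
  }
}
```

The strict boolean check matters: a body such as { "active": "true" } is truthy in JavaScript but is treated here as malformed and denied.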