These endpoints are live in production today, served by the FloKit payments gateway. They are separate from the v1 REST API, which is still in design-partner preview.
Use the entitlement endpoints to gate premium features: after a purchase is verified (see the Paywall API), your app or backend can check whether the user’s entitlement is active.
Base URL: https://payments-gateway.flokitai.com
Two paths return the same result:
GET /api/paywall/entitlement — original path used by the paywall flow.
GET /api/entitlements/current — canonical alias; also accepts a userId query parameter as an identity fallback.
Both require your app’s publishable key (pk_..., created per app in the FloKit dashboard) in the x-app-key header — or a short-lived app-session token (minted via POST /api/paywall/token) in x-app-token instead. The key scopes the request to your app and is safe to embed in your app build. @flokit/subscriptions-sdk v0.2.0+ sends it automatically via the appKey option.
Tenant resolution happens server-side from the app key and user identity — clients never send a company or tenant ID.
x-app-key enforcement is being phased in ahead of GA. Send it on every request today; once enforcement is on, requests without a valid key receive 401.
GET /api/paywall/entitlement
| Header | Value |
|---|---|
| x-app-key | Your publishable app key (required) |
| x-user-id | Your authenticated user ID (required) |
Example
```bash
curl https://payments-gateway.flokitai.com/api/paywall/entitlement \
  -H "x-app-key: pk_live_your_app_key" \
  -H "x-user-id: usr_abc123"
```
Response
```json
{
  "active": true,
  "source": "iap"
}
```
| Field | Type | Description |
|---|---|---|
| active | boolean | Whether the user currently has an active entitlement |
| source | string | Where the entitlement came from, e.g. iap |
Errors
| Status | Body | Condition |
|---|---|---|
| 401 | { "error": "x-app-key is required." } | Missing app key (once enforcement is on) |
| 401 | { "error": "Invalid app key." } | Unknown or revoked app key |
| 401 | { "error": "x-user-id is required." } | Missing user identity |
GET /api/entitlements/current
Alias for the same entitlement check. Identity resolution order: x-user-id header, then userId query parameter.
```bash
curl "https://payments-gateway.flokitai.com/api/entitlements/current?userId=usr_abc123" \
  -H "x-app-key: pk_live_your_app_key"
```
Response and errors are identical to GET /api/paywall/entitlement.
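A backend-side gate built on the endpoint above, shown as an added example (not FloKit's own code or SDK). It denies access on anything other than a 200 response whose `active` field is the boolean `true`. The function names, the injectable `fetchImpl` parameter, the 5-second timeout and the deny-by-default policy are assumptions of this example.

```javascript
const BASE_URL = "https://payments-gateway.flokitai.com";

// Build the request for GET /api/entitlements/current.
// userId should be taken from your own authenticated session, never from
// client-supplied input such as a query string or request body.
function buildEntitlementRequest(appKey, userId) {
  if (typeof appKey !== "string" || !appKey.startsWith("pk_")) {
    throw new Error("expected a publishable app key (pk_...)");
  }
  if (typeof userId !== "string" || userId.length === 0) {
    throw new Error("userId is required");
  }
  return {
    url: `${BASE_URL}/api/entitlements/current`,
    headers: { "x-app-key": appKey, "x-user-id": userId },
  };
}

// Map an HTTP status and raw body to a gating decision. Only a 200 with a
// JSON object whose `active` is strictly the boolean true grants access.
function interpretEntitlement(status, bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return { entitled: false, reason: "unparseable body" };
  }
  if (status === 401) {
    const msg = body && typeof body.error === "string" ? body.error : "unauthorized";
    return { entitled: false, reason: msg };
  }
  if (status !== 200 || body === null || typeof body !== "object") {
    return { entitled: false, reason: `unexpected response (${status})` };
  }
  if (body.active !== true) return { entitled: false, reason: "inactive" };
  return { entitled: true, source: typeof body.source === "string" ? body.source : null };
}

// Network wrapper. fetchImpl is a hypothetical injection point for tests.
// Timeouts and transport errors deny access rather than granting it.
async function checkEntitlement(appKey, userId, fetchImpl = fetch) {
  const { url, headers } = buildEntitlementRequest(appKey, userId);
  try {
    const res = await fetchImpl(url, { headers, signal: AbortSignal.timeout(5000) });
    return interpretEntitlement(res.status, await res.text());
  } catch (err) {
    return { entitled: false, reason: "request failed" };
  }
}
```

Log the `reason` on denials: a run of `Invalid app key.` responses points to a revoked or mistyped key rather than to unentitled users.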