Download Reference

Lockette API Documentation

Welcome to the Lockette API. Our API provides privacy-preserving age verification with a simple, RESTful interface. Verify users with a single API call while collecting zero personal information.

Quick Start

Get your API key from the Customer Portal, then make your first verification request in under 5 minutes.

Authentication

All API requests require authentication using your API key. Include it in the request headers:

Headers 
X-API-Key: your_api_key_here
Content-Type: application/json

Keep Your Keys Secure

Never expose your API key in client-side code. Always make API calls from your server.

Base URL

All API endpoints are accessed via:

https://api.lockette.dev

All requests must be made over HTTPS. HTTP requests will be rejected.

Rate Limits

API rate limits are based on your subscription tier:

Plan Requests/Second Requests/Day
Starter 10 10,000
Growth 50 100,000
Enterprise Unlimited Unlimited

Rate limit headers are included in all responses:

  • X-RateLimit-Limit - Maximum requests per window
  • X-RateLimit-Remaining - Remaining requests in current window
  • X-RateLimit-Reset - Unix timestamp when the window resets

Verify User

The primary endpoint for age verification. Returns a boolean indicating whether the user is verified.

POST /api/verify

Request Body

Parameter Type Required Description
instanceId string Yes The user's Lockette instance ID
restrictionLevel string No Minimum age requirement: "18+", "21+", or "25+"

Example Request

JavaScript 
const response = await fetch('https://api.lockette.dev/api/verify', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'X-API-Key': 'your_api_key'
    },
    body: JSON.stringify({
        instanceId: 'lk_inst_abc123xyz',
        restrictionLevel: '21+'
    })
});

const result = await response.json();

Response

200 OK 
{
    "verified": true,
    "restrictionLevel": "21+",
    "sessionActive": true,
    "expiresAt": "2025-01-15T12:00:00Z"
}

Check Status

Check the verification status of an instance without triggering a verification event.

GET /api/status/{instanceId}

Path Parameters

Parameter Type Description
instanceId string The user's Lockette instance ID

Response

200 OK 
{
    "instanceId": "lk_inst_abc123xyz",
    "state": "VERIFIED",
    "restrictionLevel": "21+",
    "sessionActive": true,
    "registeredAt": "2024-12-01T10:30:00Z",
    "sessionExpiresAt": "2025-01-15T12:00:00Z"
}

Health Check

Check API availability. No authentication required.

GET /health

Response

200 OK 
{
    "status": "healthy",
    "version": "1.0.0",
    "timestamp": "2025-01-10T15:30:00Z"
}

Webhook Setup

Configure webhooks to receive real-time notifications when verification events occur.

Webhooks can be configured in the Customer Portal under Settings → Webhooks.

Endpoint Requirements

Your webhook endpoint must be HTTPS, respond within 5 seconds, and return a 2xx status code to acknowledge receipt.

Webhook Events

Event Description
verification.success A user was successfully verified
verification.failed A verification attempt failed
session.expired A user's session has expired
instance.revoked An instance was revoked

Example Payload

Webhook Payload 
{
    "id": "evt_123abc",
    "type": "verification.success",
    "timestamp": "2025-01-10T15:30:00Z",
    "data": {
        "instanceId": "lk_inst_abc123xyz",
        "restrictionLevel": "21+"
    }
}

Webhook Security

All webhook payloads are signed using HMAC-SHA256. Verify the signature to ensure the webhook is from Lockette:

Node.js Example 
const crypto = require('crypto');

function verifyWebhookSignature(payload, signature, secret) {
    const expected = crypto
        .createHmac('sha256', secret)
        .update(payload)
        .digest('hex');
    
    return crypto.timingSafeEqual(
        Buffer.from(signature),
        Buffer.from('sha256=' + expected)
    );
}

The signature is included in the X-Lockette-Signature header.

Error Codes

Code Status Description
invalid_api_key 401 The API key provided is invalid or expired
invalid_instance 400 The instance ID format is invalid
instance_not_found 404 No instance found with the provided ID
session_expired 401 The user's session has expired
rate_limited 429 Too many requests - slow down
server_error 500 Internal server error

Error Response Format

Error Response 
{
    "error": {
        "code": "invalid_instance",
        "message": "The instance ID format is invalid",
        "details": "Instance ID must start with 'lk_inst_'"
    }
}

SDKs & Libraries

Official SDKs are coming soon. In the meantime, the API is fully accessible via standard HTTP requests.

Coming Soon

Official SDKs for Node.js, Python, Ruby, and PHP are under development. Sign up for updates at inquiry@lockette.dev.

Questions? Contact support@lockette.dev

© 2025 Lockette Privacy Software, LLC