Introduction
Havoc offers a DRM API that allows you to integrate your DRM system with Havoc. This allows tweak developers to check if a device owns a given package and is designed to be mostly backwards compatible with the Packix DRM API.
Do NOT call this API directly from a user’s device. You MUST proxy the request through your own server. This is not a suggestion, it is a requirement. If you are not capable of proxying the request through your own server then you should not be using this API. Calling the API directly on the user’s device exposes your authentication token to the user which may allow them to make authenticated seller requests to your account in the future. Failure to follow these guidelines can result in your products being removed from the store and seller access being revoked.
Requirements
- Always make API requests from your own server, never call the DRM API directly from a user’s device as this would expose your token to the user.
- Always follow our DRM guidelines (Section 1.3).
Authentication
Much like the Packix DRM API, Havoc uses a token based authentication system. In order to make calls to the Havoc DRM API you must pass a token along with your request via one of the following methods:
- The
tokenfield in the JSON request body - The
tokenrequest header - The
authorizationrequest header
Read on for the differences in the types of tokens you can generate.
Seller based tokens
These tokens are generated on the seller dashboard settings page and allow querying for packages the seller has created.
Package based tokens
These tokens are generated on a specific package’s DRM page and only allow querying for that package. This is useful when working with multiple developers on a single package to allow multiple developers to manage tokens.
API Reference
HTTP Endpoint
POST https://havoc.app/api/v1/drm
Request Body (JSON)
| Field | Type | Required | Description |
|---|---|---|---|
| udid | string | Yes | The UDID of the device you are checking |
| model | string | Yes | The device model (e.g. iPhone15,2) |
| identifier | string | Yes | The package identifier (e.g. com.example.package) Note: Package identifiers on Havoc are lowercase |
| token | string | Yes, unless passed via header | The token generated by the developer |
Response (JSON)
| Field | Type | Description |
|---|---|---|
| status | string | The status of the request |
| error | string | The error message if the request failed |
The value of status will be one of the following:
completed: The specified device should be allowed to use the packagefailed: The device is not linked to an account with access to the packageerror: The request was invalid. Additionally, theerrorfield will contain an error message that is helpful for debugging.
TypeScript Types
If you are using TypeScript, you can use the following types:
Request
interface HavocDRMRequest {
udid: string;
model: string;
identifier: string;
token?: string;
}
Response
interface HavocDRMResponse {
status: 'completed' | 'failed';
}
interface HavocDRMError {
status: 'error';
error: string;
}
Differences from the Packix API
The Havoc DRM API is mostly backwards compatible with the Packix DRM API. The following differences are worth noting:
- The Havoc API does not support passing paramaters via the url query string.
Conclusion
DRM is a tool that comes with many pros and also many cons, if you are considering using our DRM API please be sure it is the right solution for you. Please read through our DRM guidelines (Section 1.3) to learn more about the do’s and dont’s of using the DRM API and please remember to be respectful of people’s devices.