Link Search Menu Expand Document


Havoc offers a DRM API that allows you to integrate your DRM system with Havoc. This allows tweak developers to check if a device owns a given package and is designed to be mostly backwards compatible with the Packix DRM API.

Do NOT call this API directly from a user’s device. You MUST proxy the request through your own server. This is not a suggestion, it is a requirement. If you are not capable of proxying the request through your own server then you should not be using this API. Calling the API directly on the user’s device exposes your authentication token to the user which may allow them to make authenticated seller requests to your account in the future. Failure to follow these guidelines can result in your products being removed from the store and seller access being revoked.


  • Always make API requests from your own server, never call the DRM API directly from a user’s device as this would expose your token to the user.
  • Always follow our DRM guidelines (Section 1.3).


Much like the Packix DRM API, Havoc uses a token based authentication system. In order to make calls to the Havoc DRM API you must pass a token along with your request via one of the following methods:

  • The token field in the JSON request body
  • The token request header
  • The authorization request header

Read on for the differences in the types of tokens you can generate.

Seller based tokens

These tokens are generated on the seller dashboard settings page and allow querying for packages the seller has created.

Package based tokens

These tokens are generated on a specific package’s DRM page and only allow querying for that package. This is useful when working with multiple developers on a single package to allow multiple developers to manage tokens.

API Reference

HTTP Endpoint


Request Body (JSON)

Field Type Required Description
udid string Yes The UDID of the device you are checking
model string Yes The device model (e.g. iPhone15,2)
identifier string Yes The package identifier (e.g. com.example.package)

Note: Package identifiers on Havoc are lowercase
token string Yes, unless passed via header The token generated by the developer

Response (JSON)

Field Type Description
status string The status of the request
error string The error message if the request failed

The value of status will be one of the following:

  • completed: The specified device should be allowed to use the package
  • failed: The device is not linked to an account with access to the package
  • error: The request was invalid. Additionally, the error field will contain an error message that is helpful for debugging.

TypeScript Types

If you are using TypeScript, you can use the following types:


interface HavocDRMRequest {
  udid: string;
  model: string;
  identifier: string;
  token?: string;


interface HavocDRMResponse {
  status: 'completed' | 'failed';

interface HavocDRMError {
    status: 'error';
    error: string;

Differences from the Packix API

The Havoc DRM API is mostly backwards compatible with the Packix DRM API. The following differences are worth noting:

  • The Havoc API does not support passing paramaters via the url query string.


DRM is a tool that comes with many pros and also many cons, if you are considering using our DRM API please be sure it is the right solution for you. Please read through our DRM guidelines (Section 1.3) to learn more about the do’s and dont’s of using the DRM API and please remember to be respectful of people’s devices.