API Reference

Version v1.0 Updated: 2025-06-30

Authentication

FlexUnlock API uses API keys for authentication. Include your API key in the request header:

Authorization: Bearer YOUR_API_KEY

Keep your API key secure! Never share it or commit it to version control.

POST /v1/unlock/check

Check if a device is eligible for unlocking.

Request Parameters

Parameter	Type	Required	Description
imei	string	Yes	Device IMEI number
carrier	string	Yes	Current carrier name

Example Request

curl -X POST https://api.flexunlock.com/v1/unlock/check \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
    "Email": "demo@flexunlock.com",
    "Code Status": "demo@flexunlock.com successfully activated"
}'

Example Response

{
    "status": "success",
    "eligible": true,
    "price": 15.50,
    "estimated_time": "Instantly",
    "supported_services": [
        "Activation",
        "Active"
    ]
}

Similar structure as check-unlock, but for order endpoint

Similar structure as check-unlock, but for status endpoint

Error Handling

The API uses standard HTTP response codes and provides detailed error messages.

Code	Description	Example
400	Bad Request - Invalid parameters	{"error": "Invalid IMEI number"}
401	Unauthorized - Invalid API key	{"error": "Invalid API key"}

Rate Limits

To ensure system stability and fair usage, we implement rate limiting on all API endpoints. Rate limits are calculated based on your plan level.

Reseller

1,000 requests/day
60 requests/minute
Basic support

Distributor

10,000 requests/day
300 requests/minute
Priority support

BIG Seller

Unlimited requests/day
Custom rate limits
24/7 dedicated support

Rate Limit Headers

Every API response includes headers that let you know your current rate limit status:

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1593504943

Header	Description
X-RateLimit-Limit	The maximum number of requests allowed per time window
X-RateLimit-Remaining	The number of requests remaining in the current time window
X-RateLimit-Reset	The time at which the current rate limit window resets (Unix timestamp)

Rate Limit Exceeded

When you exceed your rate limit, you'll receive a 429 Too Many Requests response with a Retry-After header indicating when you can resume making requests.

Webhooks

Webhooks allow you to receive real-time updates about unlock status changes and other events. Instead of polling our API, we'll send HTTP POST requests to your specified endpoint when events occur.

Setting Up Webhooks

POST /v1/webhooks
{
    "url": "https://your-domain.com/webhook",
    "events": ["unlock.completed", "unlock.failed"],
    "secret": "your-webhook-secret"
}

Available Events

Event	Description
unlock.created	When a new unlock order is created
unlock.processing	When an unlock order starts processing
unlock.completed	When an unlock is successfully completed
unlock.failed	When an unlock attempt fails

Example Webhook Payload

{
    "event": "unlock.completed",
    "created_at": "2025-10-27 23:11:29",
    "data": {
        "order_id": "ord_123456",
        "Email": "demo@flexunlock.com",
        "status": "completed",
        "unlock_code": "demo@flexunlock.com successfully activated",
        "completed_at": "2025-10-27 23:11:29"
    }
}

Security

Each webhook request includes a signature header (X-FlexUnlock-Signature) that you can use to verify the request came from us:

# PHP Example
$payload = file_get_contents('php://input');
$signature = $_SERVER['HTTP_X_FLEXUNLOCK_SIGNATURE'];
$secret = 'your-webhook-secret';

$computed = hash_hmac('sha256', $payload, $secret);

if (hash_equals($computed, $signature)) {
    // Valid webhook
    http_response_code(200);
} else {
    // Invalid signature
    http_response_code(401);
}

Webhook Best Practices

Acknowledge webhook receipt quickly (return 2xx response)
Process webhooks asynchronously
Implement retry logic for failed webhook deliveries
Always verify webhook signatures
Store raw webhook data for debugging