Authentication Guide

Every API request must be authenticated with a Bearer token.

How Authentication Works

Include your API key in the Authorization header of every request:

HTTP Header
Authorization: Bearer a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6

Authentication Flow

  1. 1 Generate your API key From the reseller dashboard: Profile → API Access → Generate API Key
  2. 2 Include in requests Add the Authorization: Bearer header to every API call
  3. 3 Server validates The server checks your key on every request for validity and GOLD plan status
  4. 4 Invalid keys rejected Expired, revoked, or invalid keys receive a 401 Unauthorized response
Important Rules:
  • Only GOLD plan resellers can generate and use API keys
  • Each reseller can have only one active API key at a time
  • Your API key is shown only once — save it securely
  • You can revoke and regenerate your key at any time from the dashboard

Getting Your API Key

Follow these steps to generate your API credentials.

  1. 1 Log in to your Reseller Dashboard Navigate to https://www.x-institute.site/x/ and log in with your credentials.
  2. 2 Open Profile Click the user icon in the top-right corner to open your profile modal.
  3. 3 Generate API Key If you are on the GOLD plan, you will see an API Access section. Click "Generate API Key".
  4. 4 Save Your Key Your API key is displayed only once. Copy and save it immediately. If lost, you must revoke and regenerate.
  5. 5 Start Using It Include your API key in the Authorization header of all API requests.

API Endpoints

Base URL: https://v1.x-institute.site

GET /products

Fetch all available products with GOLD plan discounted pricing (25% off).

Request

cURL
curl -X GET "https://v1.x-institute.site/products" \
  -H "Authorization: Bearer YOUR_API_KEY"
Python
import requests

API_KEY = "YOUR_API_KEY"
BASE_URL = "https://v1.x-institute.site"

headers = {"Authorization": f"Bearer {API_KEY}"}
response = requests.get(f"{BASE_URL}/products", headers=headers)
print(response.json())
JavaScript
const API_KEY = "YOUR_API_KEY";
const BASE_URL = "https://v1.x-institute.site";

const response = await fetch(BASE_URL + "/products", {
    headers: { "Authorization": "Bearer " + API_KEY }
});
const data = await response.json();
console.log(data);
PHP
<?php
$apiKey = "YOUR_API_KEY";
$baseUrl = "https://v1.x-institute.site";

$ch = curl_init($baseUrl . "/products");
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => ["Authorization: Bearer $apiKey"]
]);
$response = curl_exec($ch);
curl_close($ch);

$data = json_decode($response, true);
print_r($data);

Success Response 200 OK

JSON
{
  "status": "success",
  "code": 200,
  "message": "Products fetched successfully",
  "data": {
    "count": 15,
    "products": [
      {
        "product_id": "SPOTIFY_1Y",
        "product_name": "Spotify Premium 1 Year",
        "subscription_type": "1 Year",
        "category": "Music",
        "original_price": 50000,
        "discounted_price": 37500,
        "currency": "MMK",
        "stock_count": 100,
        "in_stock": true
      }
    ]
  },
  "timestamp": "2026-05-13T15:00:00+06:30"
}

Response Fields

FieldTypeDescription
product_idstringUnique product identifier
product_namestringDisplay name of the product
subscription_typestringSubscription duration
categorystringProduct category
original_pricefloatOriginal price in MMK
discounted_pricefloatGOLD plan price (25% off) in MMK
currencystringAlways "MMK"
stock_countintegerAvailable stock quantity
in_stockbooleanWhether the product is available
POST /order

Submit an order using your reseller balance. Balance is deducted automatically.

Request

cURL
curl -X POST "https://v1.x-institute.site/order" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"customer_email":"[email protected]","products":[{"product_id":"SPOTIFY_1Y","quantity":1},{"product_id":"NETFLIX_1M","quantity":2}],"note":"My order note"}'
Python
import requests

API_KEY = "YOUR_API_KEY"
BASE_URL = "https://v1.x-institute.site"

headers = {
    "Authorization": f"Bearer {API_KEY}",
    "Content-Type": "application/json"
}

payload = {
    "customer_email": "[email protected]",
    "note": "My order note",
    "products": [
        {"product_id": "SPOTIFY_1Y", "quantity": 1},
        {"product_id": "NETFLIX_1M", "quantity": 2}
    ]
}

response = requests.post(f"{BASE_URL}/order", headers=headers, json=payload)
print(response.json())
JavaScript
const API_KEY = "YOUR_API_KEY";
const BASE_URL = "https://v1.x-institute.site";

const payload = {
    customer_email: "[email protected]",
    note: "My order note",
    products: [
        { product_id: "SPOTIFY_1Y", quantity: 1 },
        { product_id: "NETFLIX_1M", quantity: 2 }
    ]
};

const response = await fetch(BASE_URL + "/order", {
    method: "POST",
    headers: {
        "Authorization": "Bearer " + API_KEY,
        "Content-Type": "application/json"
    },
    body: JSON.stringify(payload)
});
const data = await response.json();
console.log(data);
PHP
<?php
$apiKey = "YOUR_API_KEY";
$baseUrl = "https://v1.x-institute.site";

$payload = json_encode([
    "customer_email" => "[email protected]",
    "note" => "My order note",
    "products" => [
        ["product_id" => "SPOTIFY_1Y", "quantity" => 1],
        ["product_id" => "NETFLIX_1M", "quantity" => 2]
    ]
]);

$ch = curl_init($baseUrl . "/order");
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $payload,
    CURLOPT_HTTPHEADER => [
        "Authorization: Bearer $apiKey",
        "Content-Type: application/json"
    ]
]);
$response = curl_exec($ch);
curl_close($ch);

$data = json_decode($response, true);
print_r($data);

Request Body Parameters

FieldTypeRequiredDescription
customer_emailstringYESCustomer's email address
productsarrayYESArray of product objects
products[].product_idstringYESProduct identifier
products[].quantityintegerYESQuantity (min: 1)
notestringNOOrder note / remarks (max: 500 chars)

Success Response 201 Created

JSON
{
  "status": "success",
  "code": 201,
  "message": "Order created successfully",
  "data": {
    "order_id": "XIREAPIO123451746789012",
    "customer_email": "[email protected]",
    "items": [...],
    "total_amount": 60000,
    "currency": "MMK",
    "balance_before": 100000,
    "balance_after": 40000,
    "status": "Processing",
    "created_at": "2026-05-13T15:00:00+06:30"
  }
}
Insufficient Balance — 400 Bad Request
{
  "status": "error",
  "code": 400,
  "message": "Insufficient balance. Required: 60,000.00 MMK, Available: 30,000.00 MMK",
  "data": {
    "required_amount": 60000,
    "current_balance": 30000
  }
}
GET /account

Fetch your reseller account information, current balance, and API key status.

Request

cURL
curl -X GET "https://v1.x-institute.site/account" \
  -H "Authorization: Bearer YOUR_API_KEY"
Python
import requests

API_KEY = "YOUR_API_KEY"
BASE_URL = "https://v1.x-institute.site"

headers = {"Authorization": f"Bearer {API_KEY}"}
response = requests.get(f"{BASE_URL}/account", headers=headers)
print(response.json())
JavaScript
const API_KEY = "YOUR_API_KEY";
const BASE_URL = "https://v1.x-institute.site";

const response = await fetch(BASE_URL + "/account", {
    headers: { "Authorization": "Bearer " + API_KEY }
});
const data = await response.json();
console.log(data);
PHP
<?php
$apiKey = "YOUR_API_KEY";
$baseUrl = "https://v1.x-institute.site";

$ch = curl_init($baseUrl . "/account");
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => ["Authorization: Bearer $apiKey"]
]);
$response = curl_exec($ch);
curl_close($ch);

$data = json_decode($response, true);
print_r($data);

Success Response 200 OK

JSON
{
  "status": "success",
  "code": 200,
  "data": {
    "reseller": {
      "id": 42,
      "name": "John Doe",
      "email": "[email protected]",
      "plan": "Gold",
      "status": "active",
      "exp_date": "2026-12-31"
    },
    "balance": {
      "amount": 150000,
      "currency": "MMK"
    },
    "api": {
      "has_active_key": true,
      "api_key_masked": "a1b2c3d4...c5d6",
      "last_used_at": "2026-05-13 14:30:00"
    },
    "recent_transactions": [...]
  }
}

Order Tracking

Check the status of any order placed through the API.

GET /track

Look up an order by its ID. Returns the current status, masked customer email, ordered items, and a human-readable status message. Only orders belonging to the authenticated reseller are returned.

Request

cURL
curl -X GET "https://v1.x-institute.site/track?order_id=XIAPIREO12345" \
  -H "Authorization: Bearer YOUR_API_KEY"
Python
import requests

API_KEY = "YOUR_API_KEY"
BASE_URL = "https://v1.x-institute.site"
ORDER_ID = "XIAPIREO12345"

headers = {"Authorization": f"Bearer {API_KEY}"}
response = requests.get(f"{BASE_URL}/track?order_id={ORDER_ID}", headers=headers)
print(response.json())
JavaScript
const API_KEY = "YOUR_API_KEY";
const BASE_URL = "https://v1.x-institute.site";
const ORDER_ID = "XIAPIREO12345";

const response = await fetch(BASE_URL + "/track?order_id=" + ORDER_ID, {
    headers: { "Authorization": "Bearer " + API_KEY }
});
const data = await response.json();
console.log(data);
PHP
 true,
    CURLOPT_HTTPHEADER => ["Authorization: Bearer $apiKey"]
]);
$response = curl_exec($ch);
curl_close($ch);

$data = json_decode($response, true);
print_r($data);

Query Parameters

ParameterTypeRequiredDescription
order_idstringYesThe order ID returned when the order was created (e.g. XIAPIREO12345)

Success Response 200 OK

JSON
{
  "status": "success",
  "code": 200,
  "data": {
    "order_id": "XIAPIREO12345",
    "status": "Processing",
    "status_message": "Your order is being processed.",
    "customer_email": "joh***@example.com",
    "items": [
      {
        "product_name": "Spotify Premium 1 Year",
        "quantity": 1
      }
    ],
    "created_at": "2026-05-13 14:30:00"
  }
}

Error Responses

StatusCodeMessage
400Bad RequestMissing required parameter: order_id
401UnauthorizedInvalid or missing API key
404Not FoundOrder not found. Please check your order ID and try again.
405Method Not AllowedMethod not allowed. Use GET.

Error Responses

All errors follow a consistent JSON format.

Error Format
{
  "status": "error",
  "code": 401,
  "message": "Human-readable error description",
  "data": null,
  "timestamp": "2026-05-13T15:00:00+06:30"
}

HTTP Status Codes

CodeMeaningWhen
200OKRequest succeeded
201CreatedOrder created successfully
400Bad RequestMissing fields, invalid data, insufficient balance
401UnauthorizedMissing or invalid API key
403ForbiddenAccount not active or not GOLD plan
404Not FoundEndpoint or product not found
405Method Not AllowedWrong HTTP method used
429Too Many RequestsRate limit exceeded
500Internal Server ErrorServer-side error

Webhook Guide

Receive real-time notifications when order statuses change.

How It Works

Admin Panel
Ship/Cancel Order
Webhook Sender
X-Institute Bridge
Your Server
Your webhook URL
Resellers Table
webhook_url + webhook_secret
  1. Admin Ship or Cancel Order in the admin panel
  2. Admin panel sends a POST to webhook sender with order data and your reseller_id
  3. Webhook sender looks up your webhook_url and webhook_secret from the database
  4. Webhook sender forwards the webhook to YOUR server
  5. Your server receives the webhook, verifies the signature, and processes the order

Setting Up Your Webhook

  1. 1 Create an endpoint On your server, create a URL that accepts POST requests (e.g., https://your-server.com/webhook-handler.php)
  2. 2 Configure in Dashboard Go to Dashboard → Profile (👤) → Webhook Settings → Enter your URL → Save
  3. 3 Get your secret A webhook_secret is auto-generated. Use it to verify incoming webhook signatures.

Webhook Payload

JSON Payload
{
  "reseller_id": 12345,
  "order_id": "XIREAPIO123451746789012",
  "event": "shipped",
  "shipping_status": "Shipped",
  "customer_data": {
    "email": "[email protected]",
    "note": "My order note",
    "products": [
      {
        "name": "Spotify Premium 1 Year",
        "email": "[email protected]",
        "password": Password
      }
    ]
  }
}

Price Changes Payload

JSON Payload
{
  "event": "price_changes"
}

Webhook Headers

HeaderDescription
Content-Typeapplication/json
X-Webhook-SignatureHMAC-SHA256 signature for verification
X-Webhook-EventEvent type (shipped, cancelled, price_changes)
User-AgentX-Institute-Webhook/1.0

Verifying Webhook Signatures

Use your webhook_secret to verify incoming webhooks are genuinely from X-Institute:

PHP — webhook-handler.php
// webhook-handler.php — Your endpoint that receives webhooks

$rawPayload = file_get_contents('php://input');
$receivedSignature = $_SERVER['HTTP_X_WEBHOOK_SIGNATURE'] ?? '';
$webhookSecret = 'YOUR_WEBHOOK_SECRET'; // From dashboard

// Verify HMAC-SHA256 signature
$expectedSignature = hash_hmac('sha256', $rawPayload, $webhookSecret);

if (!hash_equals($expectedSignature, $receivedSignature)) {
    http_response_code(401);
    echo json_encode(['status' => 'error']);
    exit;
}

$data = json_decode($rawPayload, true);

switch ($data['event']) {
    case 'shipped':
        $orderId = $data['order_id'];
        $resellerId = $data['reseller_id'];
        $shippingStatus = $data['shipping_status'];
        $customerData = $data['customer_data'];
        $email = $customerData['email'];
        $note = $customerData['note'] ?? '';
        $products = $customerData['products'];
        // Update your system: mark order as shipped
        break;
    case 'cancelled':
        // Balance is auto-refunded by X-Institute
        break;
    case 'price_changes':
        // Update your local price catalog
        break;
}

http_response_code(200);
echo json_encode(['status' => 'success']);

Event Types

EventDescriptionAction
shippedOrder shipped with trackingUpdate order status, notify customer
cancelledOrder cancelledBalance auto-refunded
price_changesProduct prices updated by adminUpdate local price catalog
Retry Policy: If your endpoint returns a non-2xx status:
  • Attempt 1: Immediate
  • Attempt 2: After 60 seconds
  • Attempt 3: After 120 seconds
  • After 3 failures → marked as failed

Security Notes

Best practices for keeping your API integration secure.

API Key Security

  1. Never share your API key — treat it like a password
  2. Store it securely — use environment variables, never hardcode in source
  3. Use HTTPS only — all API requests must be over HTTPS
  4. Rotate regularly — revoke and regenerate your key periodically
  5. Revoke immediately if you suspect your key has been compromised

Best Practice Example

PHP — Secure key storage
// ✅ GOOD: Store API key in environment variable
$apiKey = getenv('XINSTITUTE_API_KEY');

// ❌ BAD: Never hardcode your API key
$apiKey = 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6'; // DANGEROUS!

Rate Limiting

Understand API request limits to avoid disruptions.

LimitValueWindow
Max Requests60Per minute
Burst Allowance10Additional burst
Rate Limit Response (429):
{
  "status": "error",
  "code": 429,
  "message": "Rate limit exceeded. Try again in 45 seconds."
}

Code Examples

Ready-to-use integration examples in popular languages.

PHP

PHP
$apiKey = getenv('XINSTITUTE_API_KEY');
$baseUrl = 'https://v1.x-institute.site';

// Fetch products
$ch = curl_init($baseUrl . '/products');
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Authorization: Bearer ' . $apiKey,
    'Accept: application/json'
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

$products = json_decode($response, true);
print_r($products);

Python

Python
import os
import requests

API_KEY = os.environ.get('XINSTITUTE_API_KEY')
BASE_URL = 'https://v1.x-institute.site'

headers = {
    'Authorization': f'Bearer {API_KEY}',
    'Accept': 'application/json'
}

# Fetch products
response = requests.get(f'{BASE_URL}/products', headers=headers)
products = response.json()
print(products)

# Submit an order
order_data = {
    'customer_email': '[email protected]',
    'note': 'My order note',
    'products': [
        {'product_id': 'SPOTIFY_1Y', 'quantity': 1}
    ]
}
response = requests.post(f'{BASE_URL}/order', json=order_data, headers=headers)
print(response.json())

JavaScript (Node.js)

JavaScript
const API_KEY = process.env.XINSTITUTE_API_KEY;
const BASE_URL = 'https://v1.x-institute.site';

// Fetch products
const response = await fetch(BASE_URL + '/products', {
    headers: {
        'Authorization': 'Bearer ' + API_KEY,
        'Accept': 'application/json'
    }
});
const products = await response.json();
console.log(products);

// Submit an order
const orderResponse = await fetch(BASE_URL + '/order', {
    method: 'POST',
    headers: {
        'Authorization': 'Bearer ' + API_KEY,
        'Content-Type': 'application/json'
    },
    body: JSON.stringify({
        customer_email: '[email protected]',
        note: 'My order note',
        products: [{ product_id: 'SPOTIFY_1Y', quantity: 1 }]
    })
});
const order = await orderResponse.json();
console.log(order);