Authentication Guide

Every API request must be authenticated with a Bearer token.

How Authentication Works

Include your API key in the Authorization header of every request:

HTTP Header
Authorization: Bearer a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6

Authentication Flow

  1. Generate your API key: from the reseller dashboard, go to Profile → API Access → Generate API Key
  2. Include in requests: add the Authorization: Bearer header to every API call
  3. Server validates: the server checks your key on every request for validity and GOLD plan status
  4. Invalid keys rejected: expired, revoked, or invalid keys receive a 401 Unauthorized response

Important Rules:
  • Only GOLD plan resellers can generate and use API keys
  • Each reseller can have only one active API key at a time
  • Your API key is shown only once — save it securely
  • You can revoke and regenerate your key at any time from the dashboard

Getting Your API Key

Follow these steps to generate your API credentials.

  1. Log in to your Reseller Dashboard: navigate to https://www.x-institute.site/x/ and log in with your credentials.
  2. Open Profile: click the user icon in the top-right corner to open your profile modal.
  3. Generate API Key: if you are on the GOLD plan, you will see an API Access section. Click "Generate API Key".
  4. Save Your Key: ⚠️ your API key is displayed only once. Copy and save it immediately. If lost, you must revoke and regenerate.
  5. Start Using It: include your API key in the Authorization header of all API requests.

API Endpoints

Base URL: https://v1.x-institute.site

GET /products

Fetch all available products with GOLD plan discounted pricing (25% off).

Request

cURL
curl -X GET "https://v1.x-institute.site/products" \
  -H "Authorization: Bearer YOUR_API_KEY"
Python
import requests

API_KEY = "YOUR_API_KEY"
BASE_URL = "https://v1.x-institute.site"

headers = {"Authorization": f"Bearer {API_KEY}"}
response = requests.get(f"{BASE_URL}/products", headers=headers)
print(response.json())
JavaScript
const API_KEY = "YOUR_API_KEY";
const BASE_URL = "https://v1.x-institute.site";

const response = await fetch(BASE_URL + "/products", {
    headers: { "Authorization": "Bearer " + API_KEY }
});
const data = await response.json();
console.log(data);
PHP
<?php
$apiKey = "YOUR_API_KEY";
$baseUrl = "https://v1.x-institute.site";

$ch = curl_init($baseUrl . "/products");
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => ["Authorization: Bearer $apiKey"]
]);
$response = curl_exec($ch);
curl_close($ch);

$data = json_decode($response, true);
print_r($data);

Success Response 200 OK

JSON
{
  "status": "success",
  "code": 200,
  "message": "Products fetched successfully",
  "data": {
    "count": 15,
    "products": [
      {
        "product_id": "SPOTIFY_1Y",
        "product_name": "Spotify Premium 1 Year",
        "subscription_type": "1 Year",
        "category": "Music",
        "original_price": 50000,
        "discounted_price": 37500,
        "currency": "MMK",
        "stock_count": 100,
        "in_stock": true
      }
    ]
  },
  "timestamp": "2026-05-13T15:00:00+06:30"
}

Response Fields

Field | Type | Description
product_id | string | Unique product identifier
product_name | string | Display name of the product
subscription_type | string | Subscription duration
category | string | Product category
original_price | float | Original price in MMK
discounted_price | float | GOLD plan price (25% off) in MMK
currency | string | Always "MMK"
stock_count | integer | Available stock quantity
in_stock | boolean | Whether the product is available

POST /order

Submit an order using your reseller balance. Balance is deducted automatically.

Request

cURL
curl -X POST "https://v1.x-institute.site/order" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"customer_email":"[email protected]","products":[{"product_id":"SPOTIFY_1Y","quantity":1},{"product_id":"NETFLIX_1M","quantity":2}]}'
Python
import requests

API_KEY = "YOUR_API_KEY"
BASE_URL = "https://v1.x-institute.site"

headers = {
    "Authorization": f"Bearer {API_KEY}",
    "Content-Type": "application/json"
}

payload = {
    "customer_email": "[email protected]",
    "products": [
        {"product_id": "SPOTIFY_1Y", "quantity": 1},
        {"product_id": "NETFLIX_1M", "quantity": 2}
    ]
}

response = requests.post(f"{BASE_URL}/order", headers=headers, json=payload)
print(response.json())
JavaScript
const API_KEY = "YOUR_API_KEY";
const BASE_URL = "https://v1.x-institute.site";

const payload = {
    customer_email: "[email protected]",
    products: [
        { product_id: "SPOTIFY_1Y", quantity: 1 },
        { product_id: "NETFLIX_1M", quantity: 2 }
    ]
};

const response = await fetch(BASE_URL + "/order", {
    method: "POST",
    headers: {
        "Authorization": "Bearer " + API_KEY,
        "Content-Type": "application/json"
    },
    body: JSON.stringify(payload)
});
const data = await response.json();
console.log(data);
PHP
<?php
$apiKey = "YOUR_API_KEY";
$baseUrl = "https://v1.x-institute.site";

$payload = json_encode([
    "customer_email" => "[email protected]",
    "products" => [
        ["product_id" => "SPOTIFY_1Y", "quantity" => 1],
        ["product_id" => "NETFLIX_1M", "quantity" => 2]
    ]
]);

$ch = curl_init($baseUrl . "/order");
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $payload,
    CURLOPT_HTTPHEADER => [
        "Authorization: Bearer $apiKey",
        "Content-Type: application/json"
    ]
]);
$response = curl_exec($ch);
curl_close($ch);

$data = json_decode($response, true);
print_r($data);

Request Body Parameters

Field | Type | Required | Description
customer_email | string | ✅ Yes | Customer's email address
products | array | ✅ Yes | Array of product objects
products[].product_id | string | ✅ Yes | Product identifier
products[].quantity | integer | ✅ Yes | Quantity (min: 1)

Success Response 201 Created

JSON
{
  "status": "success",
  "code": 201,
  "message": "Order created successfully",
  "data": {
    "order_id": "XIREO123451746789012",
    "customer_email": "[email protected]",
    "items": [...],
    "total_amount": 60000,
    "currency": "MMK",
    "balance_before": 100000,
    "balance_after": 40000,
    "status": "Processing",
    "created_at": "2026-05-13T15:00:00+06:30"
  }
}
Insufficient Balance — 400 Bad Request
{
  "status": "error",
  "code": 400,
  "message": "Insufficient balance. Required: 60,000.00 MMK, Available: 30,000.00 MMK",
  "data": {
    "required_amount": 60000,
    "current_balance": 30000
  }
}
GET /account

Fetch your reseller account information, current balance, and API key status.

Request

cURL
curl -X GET "https://v1.x-institute.site/account" \
  -H "Authorization: Bearer YOUR_API_KEY"
Python
import requests

API_KEY = "YOUR_API_KEY"
BASE_URL = "https://v1.x-institute.site"

headers = {"Authorization": f"Bearer {API_KEY}"}
response = requests.get(f"{BASE_URL}/account", headers=headers)
print(response.json())
JavaScript
const API_KEY = "YOUR_API_KEY";
const BASE_URL = "https://v1.x-institute.site";

const response = await fetch(BASE_URL + "/account", {
    headers: { "Authorization": "Bearer " + API_KEY }
});
const data = await response.json();
console.log(data);
PHP
<?php
$apiKey = "YOUR_API_KEY";
$baseUrl = "https://v1.x-institute.site";

$ch = curl_init($baseUrl . "/account");
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => ["Authorization: Bearer $apiKey"]
]);
$response = curl_exec($ch);
curl_close($ch);

$data = json_decode($response, true);
print_r($data);

Success Response 200 OK

JSON
{
  "status": "success",
  "code": 200,
  "data": {
    "reseller": {
      "id": 42,
      "name": "John Doe",
      "email": "[email protected]",
      "plan": "Gold",
      "status": "active",
      "exp_date": "2026-12-31"
    },
    "balance": {
      "amount": 150000,
      "currency": "MMK"
    },
    "api": {
      "has_active_key": true,
      "api_key_masked": "a1b2c3d4...c5d6",
      "last_used_at": "2026-05-13 14:30:00"
    },
    "recent_transactions": [...]
  }
}

Error Responses

All errors follow a consistent JSON format.

Error Format
{
  "status": "error",
  "code": 401,
  "message": "Human-readable error description",
  "data": null,
  "timestamp": "2026-05-13T15:00:00+06:30"
}

HTTP Status Codes

Code | Meaning | When
200 | OK | Request succeeded
201 | Created | Order created successfully
400 | Bad Request | Missing fields, invalid data, insufficient balance
401 | Unauthorized | Missing or invalid API key
403 | Forbidden | Account not active or not GOLD plan
404 | Not Found | Endpoint or product not found
405 | Method Not Allowed | Wrong HTTP method used
429 | Too Many Requests | Rate limit exceeded
500 | Internal Server Error | Server-side error

Webhook Guide

Receive real-time notifications when order statuses change.

How It Works

Flow: Admin Panel (clicks "Ship") → webhook/request.php (X-Institute Bridge) → Your Server (your webhook URL). The bridge reads webhook_url + webhook_secret from the Resellers Table.

  1. Admin clicks "Ship" in the admin panel
  2. Admin panel sends a POST to webhook/request.php with order data and your reseller_id
  3. webhook/request.php looks up your webhook_url and webhook_secret from the database
  4. webhook/request.php forwards the webhook to YOUR server
  5. Your server receives the webhook, verifies the signature, and processes the order

Setting Up Your Webhook

  1. Create an endpoint: on your server, create a URL that accepts POST requests (e.g., https://your-server.com/webhook-handler.php)
  2. Configure in Dashboard: go to Dashboard → Profile (👤) → Webhook Settings → Enter your URL → Save
  3. Get your secret: a webhook_secret is auto-generated. Use it to verify incoming webhook signatures.

Webhook Payload

JSON Payload
{
  "event": "shipped",
  "order_id": "XIREO123451746789012",
  "timestamp": "2026-05-13T15:00:00+06:30",
  "data": {
    "tracking_info": "TRACK123456",
    "shipping_status": "In Transit",
    "customer_data": {
      "email": "[email protected]"
    }
  }
}

Webhook Headers

Header | Description
Content-Type | application/json
X-Webhook-Signature | HMAC-SHA256 signature for verification
X-Webhook-Event | Event type (shipped, cancelled, failed_delivery)
User-Agent | X-Institute-Webhook/1.0

Verifying Webhook Signatures

Use your webhook_secret to verify incoming webhooks are genuinely from X-Institute:

PHP — webhook-handler.php
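<?php
// webhook-handler.php — Your endpoint that receives webhooks

// Read the raw body: the signature covers these exact bytes, not re-encoded JSON
$rawPayload = file_get_contents('php://input');
$receivedSignature = $_SERVER['HTTP_X_WEBHOOK_SIGNATURE'] ?? '';
$webhookSecret = 'YOUR_WEBHOOK_SECRET'; // From dashboard

// Verify HMAC-SHA256 signature
$expectedSignature = hash_hmac('sha256', $rawPayload, $webhookSecret);

// hash_equals compares in constant time, so the check does not leak timing
if (!hash_equals($expectedSignature, $receivedSignature)) {
    http_response_code(401);
    echo json_encode(['status' => 'error']);
    exit;
}

// Parse only after the signature has been verified
$data = json_decode($rawPayload, true);
if (!is_array($data) || !isset($data['event'])) {
    http_response_code(400);
    echo json_encode(['status' => 'error']);
    exit;
}

switch ($data['event']) {
    case 'shipped':
        // Update your system: mark order as shipped
        break;
    case 'cancelled':
        // Balance is auto-refunded by X-Institute
        break;
    case 'failed_delivery':
        // Handle delivery failure
        break;
}

http_response_code(200);
echo json_encode(['status' => 'success']);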

Event Types

Event | Description | Action
shipped | Order shipped with tracking | Update order status, notify customer
cancelled | Order cancelled | Balance auto-refunded
failed_delivery | Delivery attempt failed | Handle delivery failure

Retry Policy: If your endpoint returns a non-2xx status:
  • Attempt 1: Immediate
  • Attempt 2: After 60 seconds
  • Attempt 3: After 120 seconds
  • After 3 failures → marked as failed
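
The signature check and the retry policy above interact: a retried delivery can arrive more than once, and a captured delivery can be replayed. The following Python handler is an added example, not X-Institute's code; it goes beyond the PHP sample by adding a freshness check and duplicate suppression. The function names, the 5-minute window, the in-memory set, and the reading of the payload timestamp as send time are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

MAX_AGE = timedelta(minutes=5)  # assumption: freshness window, not given in the docs
EVENTS = {"shipped", "cancelled", "failed_delivery"}  # documented event types
_seen = set()  # assumption: in-memory for the demo; use a durable store in production

def sign(raw_body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 over the raw body, matching PHP hash_hmac('sha256', ...)."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()

def handle_webhook(raw_body: bytes, signature: str, secret: str, now: datetime):
    """Return (http_status, outcome) for one delivery attempt."""
    # 1. Authenticate the exact bytes received, in constant time, before parsing.
    if not hmac.compare_digest(sign(raw_body, secret).encode(), signature.encode()):
        return 401, "bad signature"
    # 2. Parse and validate the shape only after authentication.
    try:
        body = json.loads(raw_body)
        order_id, event = body["order_id"], body["event"]
        # Raises TypeError when the timestamp carries no UTC offset.
        age = abs(now - datetime.fromisoformat(body["timestamp"]))
        if not (isinstance(order_id, str) and isinstance(event, str) and event in EVENTS):
            raise ValueError("unexpected field")
    except (ValueError, KeyError, TypeError):
        return 400, "malformed payload"
    # 3. Freshness: a captured delivery replayed later is refused.
    if age > MAX_AGE:
        return 400, "stale timestamp"
    # 4. Idempotency: a retried delivery must not be processed twice.
    if (order_id, event) in _seen:
        return 200, "duplicate ignored"
    _seen.add((order_id, event))
    return 200, "processed " + event

# Constructed sample delivery, modelled on the payload shown earlier.
SAMPLE_SECRET = "constructed-demo-secret"
SAMPLE_BODY = json.dumps({
    "event": "shipped", "order_id": "XIREO123451746789012",
    "timestamp": "2026-05-13T15:00:00+06:30",
    "data": {"tracking_info": "TRACK123456"},
}).encode()

if __name__ == "__main__":
    now = datetime.fromisoformat("2026-05-13T15:01:00+06:30")
    sig = sign(SAMPLE_BODY, SAMPLE_SECRET)
    for body in (SAMPLE_BODY, SAMPLE_BODY, SAMPLE_BODY + b" "):
        print(handle_webhook(body, sig, SAMPLE_SECRET, now))
```

Duplicates return 200 so the sender stops retrying an event that was already handled.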

Security Notes

Best practices for keeping your API integration secure.

API Key Security

  1. Never share your API key — treat it like a password
  2. Store it securely — use environment variables, never hardcode in source
  3. Use HTTPS only — all API requests must be over HTTPS
  4. Rotate regularly — revoke and regenerate your key periodically
  5. Revoke immediately if you suspect your key has been compromised

Best Practice Example

PHP — Secure key storage
// ✅ GOOD: Store API key in environment variable
$apiKey = getenv('XINSTITUTE_API_KEY');

// ❌ BAD: Never hardcode your API key
$apiKey = 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6'; // DANGEROUS!

Rate Limiting

Understand API request limits to avoid disruptions.

Limit | Value | Window
Max Requests | 60 | Per minute
Burst Allowance | 10 | Additional burst

Rate Limit Response (429):
{
  "status": "error",
  "code": 429,
  "message": "Rate limit exceeded. Try again in 45 seconds."
}
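
A client can stay under these limits by pacing itself and by honouring the wait stated in the 429 message. The following Python sketch is an added example, not part of the X-Institute API; the names Pacer and wait_from_429, the token-bucket reading of the burst allowance, and the default and cap values are assumptions.

```python
import json
import re
import time

RATE_PER_SEC = 60 / 60  # documented limit: 60 requests per minute
BURST = 10              # documented burst allowance


class Pacer:
    """Client-side token bucket; the clock is injectable so it can be tested offline."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.tokens = float(BURST)
        self.last = clock()

    def delay_before_next(self) -> float:
        """Reserve one request slot; return the seconds to sleep before sending."""
        now = self.clock()
        # Refill for the time elapsed, never beyond the burst capacity.
        self.tokens = min(float(BURST), self.tokens + (now - self.last) * RATE_PER_SEC)
        self.last = now
        self.tokens -= 1
        # A negative balance is a debt that is paid off by waiting.
        return 0.0 if self.tokens >= 0 else -self.tokens / RATE_PER_SEC


def wait_from_429(body: str, default: float = 60.0, cap: float = 300.0) -> float:
    """Seconds to wait after a 429, read from the documented message text.

    The value comes from the response, so it is capped rather than trusted;
    the default and cap are assumptions, not documented values.
    """
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        message = ""
    match = re.search(r"Try again in (\d+) seconds", str(message))
    return min(float(match.group(1)), cap) if match else default
```

Call delay_before_next() before each request and sleep for the returned value; after a 429, sleep for wait_from_429(response.text) before trying again.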

Code Examples

Ready-to-use integration examples in popular languages.

PHP

PHP
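<?php
// Read the key from the environment and stop if it is missing
$apiKey = getenv('XINSTITUTE_API_KEY');
if ($apiKey === false || $apiKey === '') {
    exit('XINSTITUTE_API_KEY is not set');
}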
$baseUrl = 'https://v1.x-institute.site';

// Fetch products
$ch = curl_init($baseUrl . '/products');
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Authorization: Bearer ' . $apiKey,
    'Accept: application/json'
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

$products = json_decode($response, true);
print_r($products);

Python

Python
import os
import requests

# Fail fast with a KeyError if the key is not set, instead of sending "Bearer None"
API_KEY = os.environ['XINSTITUTE_API_KEY']
BASE_URL = 'https://v1.x-institute.site'

headers = {
    'Authorization': f'Bearer {API_KEY}',
    'Accept': 'application/json'
}

# Fetch products
response = requests.get(f'{BASE_URL}/products', headers=headers)
products = response.json()
print(products)

# Submit an order
order_data = {
    'customer_email': '[email protected]',
    'products': [
        {'product_id': 'SPOTIFY_1Y', 'quantity': 1}
    ]
}
response = requests.post(f'{BASE_URL}/order', json=order_data, headers=headers)
print(response.json())

JavaScript (Node.js)

JavaScript
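const API_KEY = process.env.XINSTITUTE_API_KEY;
// Stop early instead of sending "Bearer undefined"
if (!API_KEY) throw new Error('XINSTITUTE_API_KEY is not set');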
const BASE_URL = 'https://v1.x-institute.site';

// Fetch products
const response = await fetch(BASE_URL + '/products', {
    headers: {
        'Authorization': 'Bearer ' + API_KEY,
        'Accept': 'application/json'
    }
});
const products = await response.json();
console.log(products);

// Submit an order
const orderResponse = await fetch(BASE_URL + '/order', {
    method: 'POST',
    headers: {
        'Authorization': 'Bearer ' + API_KEY,
        'Content-Type': 'application/json'
    },
    body: JSON.stringify({
        customer_email: '[email protected]',
        products: [{ product_id: 'SPOTIFY_1Y', quantity: 1 }]
    })
});
const order = await orderResponse.json();
console.log(order);