For the complete documentation index, see llms.txt. This page is also available as Markdown.

Verify sessions server-side

For time-based billing, access is controlled through paywall events on the client. But if your backend serves premium content (articles, streams, API data), you need to verify the session on the server before delivering it. This guide walks you through that flow.

Verify sessions flow: frontend captures sessionId, sends to backend, backend validates with tiun API

How it works

  1. The paywallHide event includes a sessionId when the user has access.

  2. Your frontend sends that session ID to your backend.

  3. Your backend validates it against the tiun Session API.

  4. If valid, you serve the premium content.

For the sessionId concept itself and its lifecycle, see Sessions in Reference.


Setup: API key

Before you can verify sessions, create an API key in the dashboard: open APIs in the sidebar and click Create new key. Store it securely in your backend environment variables.


1. Capture the session ID

When paywallHide fires, its payload includes a sessionId. Pass it to your backend on the protected request.


2. Validate the session on your server

Call the tiun Session API to confirm the session is valid before serving content.

Endpoint:

PATCH /live_api/s2s/v1/sessions/{sessionId}/status

Base URLs:

Environment
URL

Live

https://api.tiun.live

Sandbox

https://api-sandbox.tiun.live

Use the base URL and API key from the same environment as your frontend (sandbox: true in the SDK → sandbox URL and sandbox key). API keys are not shared between live and sandbox.

Header: X-TIUN-API-KEY: <your-api-key>

Response codes:

Status
Meaning

200

Session is valid — serve the content

404

Session is invalid, expired, or user has no funds

401

API key is incorrect


3. Backend implementation


Full round-trip

Frontend — capture the session ID and fetch content:

Backend — validate and serve:


Live and sandbox are independent environments — each has its own API base URL and API keys. Use sandbox credentials while your app runs with sandbox: true; switch URL and key together when you ship live traffic. See Sandbox.

Last updated

Was this helpful?