Skip to main content

Documentation Index

Fetch the complete documentation index at: https://vpn-docs.wxapros.com/llms.txt

Use this file to discover all available pages before exploring further.

All endpoints except /public/* require an API key sent as the X-API-Key HTTP header. Keys are issued per user, scoped to one or more product families, and rate-limited per tier. 
X-API-Key: wxa_live_<key-id>_<key-secret>
Keys have two parts separated by an underscore:
  • Prefix (wxa_live_<key-id>) — visible in our logs and your dashboard
  • Secret (<key-secret>) — bcrypt-hashed at rest, shown to you exactly once at creation

Scopes

When generating a key, select the product scopes it should access. For VPN Intelligence, you need at least the vpn scope.
ScopeEndpoints unlocked
vpn/api/v1/vpn/* (lookup, stats, exports)
geo/api/v1/geo/* (sister product)
recon/api/v1/recon/* (sister product)
rank/api/v1/rank/* (sister product)
domains/api/v1/domains/* (sister product)
A single key can hold multiple scopes. Granting only what you need bounds the blast radius if a key leaks.

Tiers and rate limits

Rate limits are enforced per key. See tiers for the full ladder.
TierSustained req/sBurst (60 s)Monthly quota
Free1010010,000
Starter25250200,000
Pro505001,000,000
Business1001,0005,000,000
EnterpriseNegotiatedNegotiatedUnlimited (fair-use)
Exceeding sustained rate returns HTTP 429 with a Retry-After header indicating seconds until the next window. See error handling.

Rotation

Rotate keys at least every 90 days, or immediately if you suspect leakage:
  1. Generate a new key in the dashboard with the same scopes
  2. Deploy the new key to your applications
  3. Revoke the old key once traffic has migrated (30-second propagation)
Both keys remain valid during overlap — there’s no forced cutover window.

Multiple environments

Generate one key per environment (prod, staging, ci) and tag them in the dashboard so usage analytics break down cleanly. Keys are not environment-locked at the API layer; the tagging is for your own audit.

What not to do

  • Don’t commit keys to source control. Use environment variables, a secrets manager, or .env files added to .gitignore.
  • Don’t share keys across teams. Generate one key per team or service.
  • Don’t bypass per-key rate limits by issuing many keys. Distributed request patterns intended to evade quotas violate the Acceptable Use Policy.

Public no-auth endpoints

A subset of read endpoints under /public/* is available without an API key, with aggressive per-IP rate limits (10 req/min) and a restricted response shape. These exist for evaluation and self-checks. They are not suitable for production traffic.