Managed Auth

ARCP Managed Auth lets you track user subscriptions and entitlements directly through the ARCP router, without running your own subscription management system.

Admin API keys

Managed auth endpoints require a scoped admin API key:

node scripts/generate-admin-key.mjs "my-backend" "managed:read,managed:write"
# Outputs: api_key, key_hash, and SQL INSERT statement

Link a user

POST /v1/router/managed/users/link
Authorization: Bearer <admin-key>

{
  "user_id": "user-123",
  "email": "user@example.com",
  "external_user_id": "stripe-cus-abc123"
}

Upsert a subscription

POST /v1/router/managed/subscriptions/upsert
Authorization: Bearer <admin-key>

{
  "user_id": "user-123",
  "publisher_id": "allreviews",
  "tier": "CERTIFIED",
  "status": "ACTIVE",
  "current_period_end": "2027-02-22T00:00:00Z"
}

Check entitlements

GET /v1/router/managed/entitlements?user_id=user-123&publisher_id=allreviews
Authorization: Bearer <admin-key>

// Response:
{
  "user_id": "user-123",
  "publisher_id": "allreviews",
  "tier": "CERTIFIED",
  "rights": ["render", "download", "offline"],
  "status": "ACTIVE"
}

Cancel a subscription

POST /v1/router/managed/subscriptions/cancel
Authorization: Bearer <admin-key>

{
  "user_id": "user-123",
  "publisher_id": "allreviews"
}

Scopes

Scope	Access
`managed:read`	Query entitlements only
`managed:write`	Link users, upsert/cancel subscriptions
`admin:full`	All managed operations