How Holdify Works

Holdify sits between your API and your customers, handling authentication and rate limiting.

Architecture

Request flow
┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  Customer   │────▶│  Your API   │────▶│   Holdify   │
│             │     │             │     │             │
│ API Request │     │ holdify.    │     │ Validates   │
│ with Key    │     │ verify(key) │     │ key & limits│
└─────────────┘     └─────────────┘     └─────────────┘
                           │
                           ▼
                    ┌─────────────┐
                    │ Your Logic  │
                    │ (if valid)  │
                    └─────────────┘

The flow

  1. Customer makes request

     Your customer makes a request to your API with their API key in the header.

  2. Your API calls Holdify

     Your middleware or API route calls holdify.verify(key).

  3. Holdify validates

     Holdify checks: Is the key valid? Is it revoked? What plan does this customer have? Are they within rate limits?

  4. Holdify returns result

     You receive the validation result with remaining quota, plan, and entitlements.

  5. Your API responds

     Based on the result, your API either processes the request or returns an appropriate error.
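
The five steps above as middleware logic, in an added example that is not Holdify's SDK or code from this page. The `x-api-key` header name, the result fields (`valid`, `reason`, `remaining`, `plan`, `entitlements`), the reason strings and the stand-in `fakeVerify` are assumptions; the gate denies by default and fails closed when verification is unreachable.

```javascript
// Added example, not Holdify SDK code. Assumed: the x-api-key header and the
// result fields {valid, reason, remaining, plan, entitlements}.
const STATUS_BY_REASON = new Map([['invalid', 401], ['revoked', 401], ['rate_limited', 429]]);

// Wrap any async verify(key) function (step 2) in a deny-by-default gate.
function makeGate(verify) {
  return async function gate(headers, requiredEntitlement) {
    const key = headers['x-api-key'];
    // Step 1: no usable key means no call to the verifier and no access.
    if (typeof key !== 'string' || key.length === 0) {
      return { status: 401, error: 'missing_api_key' };
    }
    let result;
    try {
      result = await verify(key); // steps 2-4
    } catch (err) {
      // Fail closed: a verifier outage must not turn into open access.
      return { status: 503, error: 'verification_unavailable' };
    }
    if (!result || result.valid !== true) {
      const reason = (result && typeof result.reason === 'string') ? result.reason : 'invalid';
      return { status: STATUS_BY_REASON.get(reason) || 401, error: reason };
    }
    // Gate premium features on the entitlements returned in step 4.
    const ents = Array.isArray(result.entitlements) ? result.entitlements : [];
    if (requiredEntitlement && !ents.includes(requiredEntitlement)) {
      return { status: 403, error: 'missing_entitlement' };
    }
    // Step 5: hand plan and quota to business logic; the raw key goes no further.
    return { status: 200, plan: result.plan, remaining: result.remaining };
  };
}

// Constructed stand-in for the verification service so the example runs offline.
const SAMPLE_KEYS = new Map([
  ['key_pro', { valid: true, plan: 'pro', remaining: 499999, entitlements: ['export'] }],
  ['key_free', { valid: true, plan: 'free', remaining: 10, entitlements: [] }],
  ['key_revoked', { valid: false, reason: 'revoked' }],
  ['key_limited', { valid: false, reason: 'rate_limited' }],
]);
async function fakeVerify(key) {
  if (key === 'key_outage') throw new Error('network error');
  return SAMPLE_KEYS.get(key) || { valid: false, reason: 'invalid' };
}
const gate = makeGate(fakeVerify);
```
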

Payment provider sync

When you connect a payment provider (Polar, Stripe, etc.), subscriptions automatically sync to API access:

Subscription sync
Customer buys "Pro" plan
        ↓
Payment provider webhook → Holdify
        ↓
Holdify creates entitlement:
  - Customer ID: cust_123
  - Plan: Pro (500k requests/mo)
        ↓
Customer's API keys now have Pro limits

What Holdify stores

| Data | Purpose |
|---|---|
| API Keys (hashed) | Authentication |
| Entitlements | Plan → limits mapping |
| Usage counters | Rate limiting |
| Audit logs | Activity tracking |

What you store

| Data | Purpose |
|---|---|
| Your business logic | Your product |
| Customer data | Your database |
| API responses | Your content |

Your data stays with you. Holdify only handles access control. We never see your API responses or customer data.

Key concepts

API Keys

Unique identifiers you issue to customers. Keys are hashed and can be rotated or revoked at any time.

Rate Limits

Request quotas that reset on a schedule. Limits are set per plan and enforced in real time.

Entitlements

Feature flags linked to subscription plans. Use entitlements to gate access to premium features.

Tenants

Your customers. Each tenant can have multiple API keys with shared rate limits and entitlements.