POST /api/v1/rewards/app/{rewardsAppId}/api-version-blocklist
Restrict Client-Side Reward Sending
curl --request POST \
  --url https://api.zebedee.io/api/v1/rewards/app/{rewardsAppId}/api-version-blocklist \
  --header 'Authorization: <authorization>' \
  --header 'Content-Type: <content-type>' \
  --header 'z-client: <z-client>' \
  --data '{
  "version": 123,
  "apiRoute": "<string>"
}'
{
  "success": true,
  "message": "API version blocklist created successfully.",
  "data": {
    "id": "e2fbc21e-b524-4304-aa55-b20941ede9f6",
    "rewardsAppId": "b28e0306-2c06-4092-8d56-a1623d6b97fb",
    "version": 1,
    "apiRoute": "/rewards/limited-achievement/reward",
    "createdAt": "2025-10-29T14:06:50.321Z"
  }
}
Block client-side SendReward calls by adding an API version blocklist entry to your Rewards App.
This step is optional but highly recommended for apps with high-value rewards or when you need complete control over reward issuance.
Enabling the blocklist rejects client SDK reward calls for this app. You can revert at any time by deleting the blocklist entry.

Configuration

Header Parameters

z-client (string, required): Client identifier (use “developer-dashboard”)
Authorization (string, required): Bearer token for authentication. Format: Bearer {JWT_TOKEN}
Content-Type (string, required): Content Type

Path Parameters

rewardsAppId
string
required
Your Rewards App ID

Body Parameters

version (number, required): API version to blocklist. Use 1 to block client SDK calls (to block Send Reward v1)
apiRoute (string, required): The API route to blocklist. Use “/rewards/limited-achievement/reward” to block client reward sending
Error response (400):
{
  "success": false,
  "message": "Invalid parameters"
}

Response Fields

| Field | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the request was successful |
| message | string | Description of the result |
| data | object | Contains blocklist entry details |
| id | string | Unique identifier for this blocklist entry |
| rewardsAppId | string | Your Rewards App ID |
| version | number | API version that is blocklisted (Send Reward v1) |
| apiRoute | string | The API route that is blocklisted |
| createdAt | string | ISO 8601 timestamp of when the entry was created |

Response Status Codes

| Code | Description |
| --- | --- |
| 200 | Blocklist entry created successfully |
| 400 | Bad request - invalid parameters |
| 401 | Unauthorized - authentication required |
| 403 | Forbidden - developer does not own this app |
| 409 | Conflict - blocklist entry already exists |
| 500 | Internal server error |

What Happens After Restriction?

After applying this blocklist:

Client SDK Blocked

Client SDK calls to send rewards will be rejected

Backend Server Active

Server calls with API key will continue to work

Client SDK Behavior

When a client tries to send rewards via v1 after the blocklist is applied:
Error: This endpoint requires API key authentication. Please use the API key endpoint instead.

Server Behavior

Your backend server can continue sending rewards normally using the v2 endpoint with your API key.

Code Examples

const rewardsAppId = 'YOUR_REWARDS_APP_ID';
const jwtToken = 'YOUR_JWT_TOKEN';

async function restrictClientRewards(rewardsAppId) {
  const response = await fetch(
    `https://api.zebedee.io/api/v1/rewards/app/${rewardsAppId}/api-version-blocklist`,
    {
      method: 'POST',
      headers: {
        'z-client': 'developer-dashboard',
        'Authorization': `Bearer ${jwtToken}`,
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({
        version: 1,
        apiRoute: '/rewards/limited-achievement/reward'
      })
    }
  );

  const data = await response.json();

  if (data.success) {
    console.log('Client rewards restricted successfully!');
    console.log(`Blocklist entry ID: ${data.data.id}`);
    return data.data;
  } else {
    throw new Error(`Failed: ${data.message}`);
  }
}

// Apply the restriction to the app ID configured at the top of the file
await restrictClientRewards(rewardsAppId);
You only need to create a single blocklist entry with version 1 to disable client-side rewards. To re-enable client-side reward sending, delete that blocklist entry; you can do this at any time.
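An added example, not part of the original page or ZBD's SDK: an idempotent variant of the call above for deploy scripts. It treats the documented 409 Conflict as "already restricted", checks that a 200 response echoes the requested route and version, and fails on every other status. The function names and the injectable `fetchImpl` parameter are assumptions.

```javascript
// Added example, not ZBD's code. Endpoint, headers, body and status codes are
// the ones documented on this page; function names are hypothetical.
const API_ROUTE = '/rewards/limited-achievement/reward';
const API_VERSION = 1; // Send Reward v1

// Pure mapping from HTTP status + parsed body to an outcome, so it can be
// tested without network access.
function interpretBlocklistResponse(status, body) {
  switch (status) {
    case 200: {
      const entry = body && body.success ? body.data : null;
      // Trust the result only if the entry echoes the route/version requested.
      if (!entry || entry.version !== API_VERSION || entry.apiRoute !== API_ROUTE) {
        throw new Error('200 received, but entry does not match requested route/version');
      }
      return { restricted: true, created: true, entryId: entry.id };
    }
    case 409: // Entry already exists: the desired state already holds.
      return { restricted: true, created: false, entryId: null };
    case 400: throw new Error('400: invalid parameters');
    case 401: throw new Error('401: authentication required');
    case 403: throw new Error('403: developer does not own this app');
    default: throw new Error(`Unexpected status ${status}; restriction NOT confirmed`);
  }
}

// fetchImpl is injectable (assumption for testability); defaults to global fetch.
async function ensureClientRewardsRestricted(rewardsAppId, jwtToken, fetchImpl = fetch) {
  const url = 'https://api.zebedee.io/api/v1/rewards/app/' +
    `${encodeURIComponent(rewardsAppId)}/api-version-blocklist`;
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: {
      'z-client': 'developer-dashboard',
      'Authorization': `Bearer ${jwtToken}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({ version: API_VERSION, apiRoute: API_ROUTE })
  });
  // Error bodies may not be JSON; the decision is made on the status code.
  const body = await res.json().catch(() => null);
  return interpretBlocklistResponse(res.status, body);
}
```

Running this on every deploy keeps the restriction in place without failing when the entry already exists, while a 401, 403 or 500 stops the pipeline instead of being silently logged.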

What’s Next?

You’ve now restricted client-side reward sending and enforced backend-only control.
Next, continue managing and securing your Rewards App: