TsgcWSAPIKeyManager › Events › OnValidation
Final decision hook fired during ValidateKey; set Allow := False to reject a valid key.
property OnValidation: TsgcAPIKeyOnValidation;
// TsgcAPIKeyOnValidation = procedure(Sender: TObject; const aKey: string; var Allow: Boolean; var Reason: string) of object—
Fires from inside ValidateKey after every built-in check (hash, status, expiry, scope, IP allowlist) has already passed. Allow enters the handler as True and the handler may set it to False to reject an otherwise-valid key; Reason is a free-form string recorded on the audit entry and surfaced in OnKeyValidated. Use it for custom business rules that the built-in validation cannot express: time-of-day restrictions, per-tenant feature flags, maintenance bans, risk-score gates. The handler runs on the calling thread and inside the component's critical section — keep it fast. Do not mutate the key store from the handler.
procedure TForm1.sgcWSAPIKeyManager1Validation(Sender: TObject;
const aKey: string; var Allow: Boolean; var Reason: string);
begin
// Reject production keys during scheduled maintenance windows
if FMaintenanceActive and IsProductionKey(aKey) then
begin
Allow := False;
Reason := 'maintenance_window';
end;
end;