API Documentation Portal

A centralized integration hub for License Key Management today and future API domains like Payment API. Designed for fast onboarding, secure implementation, and production operations.

API Catalog

Scalable grouping for multiple API domains.

License Key Management

  • Activate endpoint
  • Verify endpoint
  • Signing, Security, Errors, Operations

Payment API (planned)

This docs structure is ready for additional API groups.

Use the same endpoint + management hierarchy.

Quick Start

Beginner-friendly flow that works with legacy parameter aliases.

  1. Collect lk (license key), m (machine id), fp (fingerprint), un (username).
  2. Call /api/license/activate once to register the machine and user.
  3. For verify, compute hash = sha256(fp + m + un).
  4. Generate a fresh ts, nonce, and sig on every single request.
  5. Call /api/license/verify on startup and at periodic intervals to check validity.

License API Overview

Supported routes, legacy alias mapping, and transport modes.

  • GET /api/license/activate and POST /api/license/activate
  • GET /api/license/verify and POST /api/license/verify
  • GET support may be enabled or disabled by server configuration.

Legacy aliases

  • lk - license key
  • m - machine id
  • fp - fingerprint
  • un - username
  • signature - alias for sig

Security params

  • ts - unix timestamp (seconds)
  • nonce - random one-time token
  • sig - HMAC-SHA256 signature
  • hash - only required in verify

Activate Endpoint

Required: licenseKey, fingerprint, machineId, username, ts, nonce, sig, and API key. Pass API key via X-Api-Key header (recommended), Authorization: Bearer, or body/query (apiKey, ak, key).

GET query string:

/api/license/activate?lk=lic_7h3k9p2r4t6v8x1z&fp=deviceFingerprint&m=cpuOrMachineId&un=john.doe&ts=1739160000&nonce=4f8f8f30e5ca4f5ab560f95c7f8f5301&sig=<computedSig>

POST JSON body:

{
  "lk": "lic_7h3k9p2r4t6v8x1z",
  "fp": "deviceFingerprint",
  "m": "cpuOrMachineId",
  "un": "john.doe",
  "ts": "1739160000",
  "nonce": "4f8f8f30e5ca4f5ab560f95c7f8f5301",
  "sig": "<computedSig>"
}

Verify Endpoint

Required: licenseKey, hash, username, ts, nonce, sig, and API key. Pass API key via X-Api-Key header (recommended), Authorization: Bearer, or body/query (apiKey, ak, key).

Hash:

hash = sha256_hex(fingerprint + machineId + username)

GET query string:

/api/license/verify?lk=lic_7h3k9p2r4t6v8x1z&un=john.doe&hash=<sha256(fp+m+un)>&ts=1739160060&nonce=8ac32585b8ef4ef2a8d63f5fd8ad6ef0&sig=<computedSig>

POST JSON body:

{
  "lk": "lic_7h3k9p2r4t6v8x1z",
  "un": "john.doe",
  "hash": "<sha256(fp+m+un)>",
  "ts": "1739160060",
  "nonce": "8ac32585b8ef4ef2a8d63f5fd8ad6ef0",
  "sig": "<computedSig>"
}

Signing

  • Every request is signed with HMAC-SHA256 using the public key (pk_test_... / pk_live_...) as the secret: sig = hmac_sha256_hex(apiKey, payload). Only public keys are accepted.
  • API key via X-Api-Key (recommended), Authorization: Bearer, or body/query (apiKey, ak, key).
  • Create a new ts and nonce for each request.
  • Sort canonical-body keys alphabetically and URL-encode values.

Canonical body (activate):

fingerprint=<urlencoded(fp)>&licenseKey=<urlencoded(lk)>&machineId=<urlencoded(m)>&username=<urlencoded(un)>

Canonical body (verify):

hash=<urlencoded(hash)>&licenseKey=<urlencoded(lk)>&username=<urlencoded(un)>

Payload to sign:

METHOD + "\n" + PATH + "\n" + ts + "\n" + nonce + "\n" + canonicalBody
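
The signing steps above, together with the verify hash from the Quick Start, as an added example (not code from this API's own documentation or SDK). Assumptions: "URL-encode" means RFC 3986 percent-encoding, METHOD is upper-case, the request is sent as POST, and pk_test_EXAMPLE is a constructed placeholder key.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

API_KEY = "pk_test_EXAMPLE"  # constructed placeholder, not a real key


def device_hash(fp, m, un):
    # hash = sha256_hex(fingerprint + machineId + username), plain concatenation
    return hashlib.sha256((fp + m + un).encode("utf-8")).hexdigest()


def canonical_body(fields):
    # Keys sorted alphabetically, values URL-encoded, pairs joined with "&".
    # Assumption: RFC 3986 percent-encoding (space -> %20, "&" -> %26).
    return "&".join(f"{k}={quote(str(fields[k]), safe='')}" for k in sorted(fields))


def sign(api_key, method, path, ts, nonce, fields):
    # Payload to sign: METHOD \n PATH \n ts \n nonce \n canonicalBody
    payload = "\n".join([method, path, ts, nonce, canonical_body(fields)])
    return hmac.new(api_key.encode(), payload.encode("utf-8"), hashlib.sha256).hexdigest()


def fresh_ts_nonce():
    # New unix-seconds timestamp and 128-bit random nonce for every request.
    return str(int(time.time())), secrets.token_hex(16)


def build_verify(api_key, lk, fp, m, un, ts=None, nonce=None):
    # ts/nonce are injectable only so the result can be checked deterministically.
    if ts is None or nonce is None:
        ts, nonce = fresh_ts_nonce()
    h = device_hash(fp, m, un)
    # The canonical body uses the long field names; the request uses the aliases.
    sig = sign(api_key, "POST", "/api/license/verify", ts, nonce,
               {"licenseKey": lk, "hash": h, "username": un})
    headers = {"X-Api-Key": api_key}  # header keeps the key out of URLs
    body = {"lk": lk, "un": un, "hash": h, "ts": ts, "nonce": nonce, "sig": sig}
    return headers, body
```

A signature mismatch is most often a canonicalization difference (key order, encoding of a value, or a path that differs from the one actually requested), so compare the payload string byte for byte before suspecting the key.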

Security

  • Use the public key (pk_...); only public keys are accepted.
  • Generate a new ts and nonce on every request.
  • Do not reuse nonce values between activate and verify requests.
  • Store the public key in config; it is safe for client apps.
  • Prefer X-Api-Key header over query/body to avoid leaking in URLs.
  • Use HTTPS only and rotate keys periodically.

Errors

Activate response shape

Success returns plain text messages.

Error:

{ "error": "INVALID_SIGNATURE" }

Verify response shape

Success:

{
  "isValid": true,
  "demo": false,
  "error": false,
  "expiresInDays": 45
}

Error:

{
  "error": true,
  "status": 401,
  "message": "Unauthorized",
  "errorCode": "INVALID_SIGNATURE"
}

Common errors: INVALID_REQUEST, INVALID_JSON, UNSUPPORTED_MEDIA_TYPE, METHOD_NOT_ALLOWED, INVALID_TIMESTAMP, STALE_REQUEST, REPLAY_DETECTED, INVALID_SIGNATURE, RATE_LIMITED.

Enterprise Implementation Guide

Hardening and operational guidance for production deployments.

Security architecture

Store API keys in a secrets manager and rotate periodically. Use TEST keys for development.

Never log full secrets, signatures, or high-entropy device identifiers.

Enforce TLS and strict certificate validation.

Reliability and ops

Retry only transient failures. Do not retry auth/signature failures blindly.

Respect rate-limit backoff and retry-after windows.

Track error code metrics and alert on replay/signature spikes.
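
A client-side handler for the guidance above, as an added example (not part of the API's own code). It normalizes the two error shapes from the Errors section, where "error" is a string for activate and a boolean for verify. Assumptions: only RATE_LIMITED is treated as transient, the retry-after value is passed in by the caller, and the 5-second default backoff and the threshold are illustrative.

```python
import json
from collections import Counter

ALERT_ON = {"REPLAY_DETECTED", "INVALID_SIGNATURE"}  # codes worth alerting on
DEFAULT_BACKOFF = 5      # seconds; assumption, used when no retry-after is given
metrics = Counter()      # error code -> count, for dashboards and alerts


def error_code(body_text):
    """Return the error code from either response shape, or None on success."""
    try:
        doc = json.loads(body_text)
    except ValueError:
        return None                     # activate success is plain text
    if not isinstance(doc, dict):
        return None
    err = doc.get("error")
    if isinstance(err, str):            # activate: {"error": "CODE"}
        return err
    if err is True:                     # verify: {"error": true, "errorCode": "CODE"}
        return doc.get("errorCode", "UNKNOWN")
    return None                         # verify success carries "error": false


def decide(body_text, retry_after=None):
    """Map a response body to (action, code, delay_seconds)."""
    code = error_code(body_text)
    if code is None:
        return ("ok", None, 0)
    metrics[code] += 1
    if code == "RATE_LIMITED":          # transient: wait, then send a re-signed request
        return ("retry", code, int(retry_after or DEFAULT_BACKOFF))
    return ("fail", code, 0)            # auth/signature/replay: never resend as-is


def spiking(threshold):
    """Replay/signature codes whose count has reached the alert threshold."""
    return sorted(c for c in ALERT_ON if metrics[c] >= threshold)
```

A retried request still needs a new ts, nonce and sig; resending the original bytes would reuse the nonce.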

Go-Live Checklist

Final production validation before publishing client integrations.

  • Endpoints are reachable from client network paths.
  • All requests include fresh ts and nonce.
  • Verify computes hash = sha256(fp + m + un).
  • Signature payload uses exact method/path and canonical-body format.
  • Client handles auth, replay, and rate-limit errors correctly.
  • Secrets storage and rotation are configured and tested.