
How to Add a License Key API to Your App

A license key API lets your software generate, validate, and activate license keys over HTTP instead of checking a local database. You issue a key when a customer buys, your app validates it on launch, and the API enforces expiry, activation limits, and entitlements. Here's the flow and how to choose between building it and using a platform.

The three core operations

Almost every license key API comes down to three calls: issue, validate, and activate.

1. Issue a key

When a customer completes checkout, your billing webhook calls the licensing API to mint a key tied to a product and plan. The API returns the key string, which you email or show to the customer.

POST /v1/integration/licenses
X-API-Key: <your-api-key>

{
  "product": "my-app",
  "plan": "pro",
  "email": "customer@example.com"
}

→ 201 { "key": "VLDX-XXXX-XXXX-XXXX", "status": "active" }

2. Validate a key

On launch — or periodically — your software asks the API whether the key is real, active, and unexpired. A good API returns the status and the entitlements in one response so you know not just whether the customer paid, but what they paid for.

POST /v1/integration/licenses/VLDX-XXXX-XXXX-XXXX/validate
X-API-Key: <your-api-key>

→ 200 {
  "valid": true,
  "status": "active",
  "entitlements": { "seats": 5, "export": true }
}

3. Activate a device

To stop one key being shared across a hundred machines, bind each install to a device fingerprint and enforce an activation limit. The platform — not your code — counts activations and rejects the one that exceeds the limit.

POST /v1/integration/activations
X-API-Key: <your-api-key>

{ "key": "VLDX-XXXX-XXXX-XXXX", "device": "fingerprint-hash" }

→ 201 { "activated": true, "activations": "3 / 5" }

Offline verification

Software that runs disconnected can't call a validate endpoint. The answer is a cryptographically signed license: the platform signs the license claims with a private key, and your software verifies the signature offline against the matching public key (published at a JWKS endpoint). No network call is needed, and the only thing the local clock is trusted for is the expiry check. We cover the trade-offs in JWT vs opaque license keys.
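Here is an added example, written for this post and not code from the page or any licensing platform, of the signed-license approach in Go using the standard library's Ed25519: the issuer signs the claims as an EdDSA JWT, and the app verifies it offline against the public key, pinning the algorithm, checking the signature before reading any claim, and applying expiry against the clock it is given. The claim names, the hand-rolled JWT layout and the absence of JWKS fetching are assumptions; a real app would load the public key from the platform's JWKS endpoint once and cache it.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// LicenseClaims is a hypothetical claim set; the field names are assumptions, not the page's format.
type LicenseClaims struct {
	Key   string `json:"key"`
	Plan  string `json:"plan"`
	Seats int    `json:"seats"`
	Exp   int64  `json:"exp"` // unix seconds; the only check that depends on the local clock
}
var b64 = base64.RawURLEncoding
// SignLicense is the issuer side: an EdDSA JWT over the claims, signed with the platform's private key.
func SignLicense(priv ed25519.PrivateKey, c LicenseClaims) string {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// VerifyLicense is the app side and needs no network: pin the algorithm, verify the signature
// before trusting any claim, then apply expiry against the clock the caller supplies.
func VerifyLicense(pub ed25519.PublicKey, token string, now time.Time) (LicenseClaims, error) {
	var c LicenseClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return c, errors.New("algorithm not EdDSA") // refuses alg=none and key-confusion headers
	}
	if sig, err := b64.DecodeString(parts[2]); err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("signature invalid") // tampered claims or a key the app does not trust
	}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return c, errors.New("payload undecodable")
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("license expired")
	}
	return c, nil
}
```

Because the signature is checked before the payload is decoded, a forged plan, seat count or expiry never reaches the entitlement logic; only the expiry comparison depends on the device's clock, which is the limit of what offline verification can enforce.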

What else a production system needs

  • Revocation — kill a key instantly on refund or abuse
  • Expiry and renewal — driven by the subscription, not a manual cron
  • Idempotency — issuing twice for one purchase must not mint two keys
  • Rate limiting — so a noisy client can't hammer your validate endpoint
  • Audit logging — every issue, validate, and revoke recorded

Build it or use a platform?

The three calls above are easy to prototype and hard to finish. Device fingerprinting, offline signatures, idempotent issuance, revocation, and an audit trail are where the weeks go. A licensing platform ships all of that. If you'd rather not own the plumbing, see how the options compare, or read why API-first licensing beats hardcoded checks.

Frequently asked questions

How do I generate license keys? Call an issuance endpoint (or a platform's dashboard/CLI) that mints a key tied to a product and plan. Don't roll your own random strings without a validation and revocation path behind them.

How do I validate a license key offline? Use signed licenses (e.g. Ed25519 JWTs) and verify the signature against a published public key — no network call required.

How do I stop license keys being shared? Bind activations to a device fingerprint and enforce an activation limit server-side.
