Apps

An app represents the software you’re protecting. Each app has:
  • App ID — A UUID that identifies your app. Public (embedded in your binary).
  • App Secret — A UUID used to verify server response signatures. Keep this secret. Rotatable via the dashboard.
  • Settings — Configuration for your app (variables, security rules, webhooks).
You can create multiple apps under one account. Each app has its own license keys, variables, and security settings.

License Keys

License keys are alphanumeric strings in the format XXXX-XXXX-XXXX-XXXX (using A–Z excluding I and O, digits 2–9). Each key is bound to a single app. A license has the following properties:
| Field | Description |
| --- | --- |
| licenseKey | The key string itself |
| appId | The app this license belongs to |
| status | active or revoked |
| expiresAt | ISO 8601 expiration date, or null for lifetime licenses |
| maxHwidSlots | How many devices can use this key simultaneously (1–10) |
| hwidList | Array of bound hardware IDs |
| label | Optional label for your records (e.g., order ID) |
| createdAt | When the license was created |
Generate keys in the dashboard or programmatically via the Developer API.

HWID (Hardware ID)

A hardware fingerprint of the user’s machine. The SDK collects three identifiers — CPU, MAC address, and disk serial — and computes a SHA-256 hash:
SHA256("mac:<mac_address>|cpu:<cpu_id>|disk:<disk_serial>")
The HWID is sent during license validation. If the license hasn’t seen this HWID before and has available slots, the server binds it. If all slots are full and the HWID doesn’t match any bound device, authentication fails with hwid_mismatch.

HWID Slots

The number of machines a single license key can be active on simultaneously. When a user authenticates from a new device:
  • If there’s an open slot, the HWID is bound automatically.
  • If all slots are full, authentication fails.
To let a customer move to a new machine, reset their HWID bindings from the dashboard or via the API (reset-hwid action).
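The fingerprint and slot rules from the HWID and HWID Slots sections, modelled as an added example (not AuthForge SDK or server code). Hex output, UTF-8 encoding, the `License` class and the `ok`/`bound` result labels are assumptions; only `hwid_mismatch` and the format string come from this page. It also shows that a change to any one identifier yields a new HWID that consumes a slot.

```python
import hashlib
from dataclasses import dataclass, field

def compute_hwid(mac: str, cpu: str, disk: str) -> str:
    # Field order and separators follow the format string on this page.
    # Hex output and UTF-8 encoding are assumptions of this example.
    raw = f"mac:{mac}|cpu:{cpu}|disk:{disk}"
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

@dataclass
class License:
    max_hwid_slots: int = 1                      # page allows 1-10
    hwid_list: list = field(default_factory=list)

def check_hwid(lic: License, hwid: str) -> str:
    """Model one validation attempt; 'ok' and 'bound' are hypothetical labels."""
    if hwid in lic.hwid_list:
        return "ok"                              # known device, no slot used
    if len(lic.hwid_list) < lic.max_hwid_slots:
        lic.hwid_list.append(hwid)               # open slot: bind automatically
        return "bound"
    return "hwid_mismatch"                       # failure code named on the page

def reset_hwid(lic: License) -> None:
    lic.hwid_list.clear()                        # models the reset-hwid action

def demo() -> list:
    # Constructed identifiers, not real hardware values.
    laptop = compute_hwid("00:11:22:33:44:55", "CPU-A", "DISK-A")
    # Same machine after a network adapter swap: only the MAC differs.
    laptop_new_nic = compute_hwid("66:77:88:99:aa:bb", "CPU-A", "DISK-A")
    desktop = compute_hwid("02:00:00:00:00:01", "CPU-B", "DISK-B")
    lic = License(max_hwid_slots=2)
    results = [
        check_hwid(lic, laptop),          # first sight, slot 1 of 2
        check_hwid(lic, laptop),          # already bound
        check_hwid(lic, laptop_new_nic),  # new hash takes slot 2 of 2
        check_hwid(lic, desktop),         # no slot left
    ]
    reset_hwid(lic)
    results.append(check_hwid(lic, desktop))  # slots cleared, binds again
    return results

if __name__ == "__main__":
    print(demo())
```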

Credits

Credits are the unit of billing in AuthForge. Every billable operation deducts credits from your account.
| Operation | Cost |
| --- | --- |
| Successful license validation | 1 credit |
| 100 successful heartbeats | 1 credit |
Purchase credits in the dashboard. Available tiers:
| Tier | Credits | Price |
| --- | --- | --- |
| 10k | 10,000 | $10 |
| 30k | 30,000 | $15 |
| 100k | 100,000 | $30 |
| 500k | 500,000 | $100 |
| 1M | 1,000,000 | $150 |
Set up auto-refill to automatically purchase credits when your balance drops below a threshold.

Heartbeats

After a successful login, the SDK runs periodic background checks to verify the license is still valid. The default interval is 15 minutes. If a heartbeat detects the license has been revoked, expired, or the session is invalid, the SDK triggers your onFailure callback (or terminates the process if no callback is set).

Heartbeat Modes

On each interval, the SDK sends POST /auth/heartbeat with a fresh nonce and the session token. The server verifies the session, checks the license status, and returns a signed response.
  • Pros: Catches revocations immediately on the next heartbeat. Real-time enforcement.
  • Cons: Requires network connectivity. Each heartbeat counts toward the 100-per-credit billing threshold.
  • Use when: You need instant revocation enforcement, your users are always online, or you’re protecting high-value software.

Developer API

A server-to-server REST API for automating license management from your own backend. Authenticated with API keys (prefixed af_live_). Use the Developer API to:
  • Create licenses programmatically (e.g., after a Stripe payment)
  • Revoke, activate, extend, or reset HWID on licenses
  • List and query licenses
  • Manage app variables, webhooks, and security settings
See the API Reference for full documentation.

App Variables

Key-value pairs set per app, delivered to every SDK client during authentication in the appVariables field of the signed payload. Use cases:
  • Feature flags: "maintenanceMode": true
  • Remote config: "maxUploadSizeMb": 50
  • Messages: "motd": "v2.0 releasing Friday!"
  • Version gating: "minVersion": "1.5.0"
Limits: max 50 keys, 4 KB total, flat values only (string, number, or boolean). Set via the dashboard or the Variables API.

License Variables

Key-value pairs set per license, delivered only to that specific license holder during authentication in the licenseVariables field. Use cases:
  • Plan tiers: "plan": "pro"
  • Per-user limits: "maxProjects": 10
  • Custom metadata: "customerName": "Acme Corp"
Same limits as app variables. Set via the dashboard or the Variables API.

Webhooks

Real-time HTTP notifications sent to your server when license events occur. Each delivery is HMAC-SHA256 signed with your webhook secret for verification. Supported events:
| Event | Trigger |
| --- | --- |
| license.validated | Successful authentication via SDK |
| license.created | License key generated |
| license.revoked | License revoked |
| license.activated | Revoked license re-activated |
| license.hwid_bound | HWID bound to a license slot |
| license.hwid_reset | HWID bindings cleared |
| license.deleted | License permanently deleted |
Max 5 webhooks per app. See Webhooks for setup and verification details.
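A receiver-side check for the HMAC-SHA256 signature described above, as an added example (not AuthForge code). It assumes the signature is the hex digest of the raw request body; the secret, the payload and its `event` field are constructed, and how the signature is delivered is left to the Webhooks page.

```python
import hashlib
import hmac
import json

def sign(secret: bytes, raw_body: bytes) -> str:
    # HMAC-SHA256 as stated on this page; hex encoding is an assumption.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_delivery(secret: bytes, raw_body: bytes, received_sig: str) -> bool:
    expected = sign(secret, raw_body).encode("ascii")
    received = received_sig.strip().lower().encode("utf-8")
    # compare_digest takes the same time wherever the two values differ.
    return hmac.compare_digest(expected, received)

def handle_delivery(secret: bytes, raw_body: bytes, received_sig: str):
    """Return the event name for an authentic delivery, else None."""
    if not verify_delivery(secret, raw_body, received_sig):
        return None                                # reject before parsing anything
    try:
        return json.loads(raw_body).get("event")   # "event" field is hypothetical
    except (ValueError, AttributeError):
        return None

# Constructed sample delivery; the payload schema is not taken from this page.
SECRET = b"constructed-webhook-secret"
BODY = b'{"event":"license.revoked","licenseKey":"ABCD-EFGH-JKLM-NPQR"}'
SIG = sign(SECRET, BODY)

def demo() -> dict:
    # Same data parsed and re-serialized: the bytes change, so the MAC fails.
    reserialized = json.dumps(json.loads(BODY)).encode()
    tampered = BODY.replace(b"revoked", b"created")
    return {
        "authentic": handle_delivery(SECRET, BODY, SIG),
        "tampered": handle_delivery(SECRET, tampered, SIG),
        "reserialized": handle_delivery(SECRET, reserialized, SIG),
        "wrong_secret": handle_delivery(b"other-secret", BODY, SIG),
    }

if __name__ == "__main__":
    print(demo())
```

Pass the body bytes exactly as they arrived on the wire; a framework that hands you parsed JSON has already discarded the bytes the signature covers.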

Blacklists & Whitelists

Per-app access control lists for HWIDs and IP addresses:
  • HWID blacklist — Block specific hardware IDs from authenticating.
  • HWID whitelist — When set, only listed HWIDs can authenticate (allowlist mode).
  • IP blacklist / whitelist — Same concept for IP addresses.
Blacklist takes precedence over whitelist. Max 1,000 entries per list. See Security for configuration details.