Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.authforge.cc/llms.txt

Use this file to discover all available pages before exploring further.

Frequently Asked Questions

Licensing

What happens when my credits run out?

Auth calls return no_credits. Active sessions with SERVER heartbeat fail on the next heartbeat. LOCAL mode sessions continue until the session token expires (24 hours by default, or whatever TTL the SDK requested; up to 7 days). Set up auto-refill to prevent this.

Can a customer use one key on multiple devices?

Yes. Configure maxHwidSlots (1-16) when generating the license. Each new device uses one slot.

How do I let a customer move to a new computer?

Reset their HWID bindings from the dashboard (app -> license -> Reset HWID) or via the Developer API.

What license key format does AuthForge use?

XXXX-XXXX-XXXX-XXXX using A-Z (excluding I and O) and digits 2-9.

SDK & Integration

My users are getting hwid_mismatch errors

Their HWID slots are full. Either increase maxHwidSlots on the license or reset their HWID bindings. HWIDs can change after OS reinstalls, hardware upgrades, or VM migrations.

Heartbeats are using too many credits

Heartbeats are cheap: 10 successful heartbeats cost 1 credit (billed on every 10th call). So even a 1-heartbeat-per-second server app costs roughly 8,640 credits/day. If that’s still more than you want, increase the heartbeat interval from the default 15 minutes (the credit cost scales directly with the number of heartbeats sent), or switch to LOCAL mode so the SDK re-verifies locally until the session token expires (~24h by default). Revocations always apply on the next server heartbeat, regardless of interval.

The SDK can’t reach the API

Check that auth.authforge.cc is reachable. The SDK uses HTTPS on port 443. Some corporate firewalls and China’s GFW may block it. The SDK respects the apiBaseUrl constructor param if you need to proxy.

I’m getting rate_limited errors

Only /auth/validate is rate-limited: 5 requests per license per minute and 30 per IP per minute. Heartbeats are not IP rate-limited. This usually means something is calling login() in a loop instead of once at startup.

Billing

Do failed auth attempts use credits?

No. Only successful validations (1 credit) and successful heartbeats (1 credit per 10) consume credits.

What payment methods do you accept?

Credit and debit cards via Stripe. No PayPal or crypto at this time.

Can I get a refund on credits?

Contact support. Unused credits don’t expire.

Security

Is my App Secret safe in the binary?

The App Secret authenticates /auth/validate requests, not webhook delivery and not Developer API access. Extracting it doesn’t let an attacker create or revoke licenses. However, obfuscating your binary is still recommended.

Can someone replay a captured auth request?

/auth/validate requests include a unique nonce and the server rejects duplicate nonces. Validate and heartbeat success responses are Ed25519-signed by AuthForge with your app’s private signing key. SDKs verify every signed payload using your app’s public key. /auth/validate additionally enforces per-request nonce matching; heartbeats rely on the short-lived session token + signature chain for replay protection.