Skip to main content

Frequently Asked Questions

Licensing

What happens when my credits run out?

Auth calls return no_credits. Active sessions with SERVER heartbeat fail on the next heartbeat. LOCAL mode sessions continue until their prepaid block expires (about 25h). Set up auto-refill to prevent this.

Can a customer use one key on multiple devices?

Yes. Configure maxHwidSlots (1-16) when generating the license. Each new device uses one slot.

How do I let a customer move to a new computer?

Reset their HWID bindings from the dashboard (app -> license -> Reset HWID) or via the Developer API.

What license key format does AuthForge use?

XXXX-XXXX-XXXX-XXXX using A-Z (excluding I and O) and digits 2-9.

SDK & Integration

My users are getting hwid_mismatch errors

Their HWID slots are full. Either increase maxHwidSlots on the license or reset their HWID bindings. HWIDs can change after OS reinstalls, hardware upgrades, or VM migrations.

Heartbeats are using too many credits

Switch to LOCAL heartbeat mode (re-validates only every ~25h instead of every heartbeat). Or increase the heartbeat interval from the default 15 minutes.

The SDK can’t reach the API

Check that auth.authforge.cc is reachable. The SDK uses HTTPS on port 443. Some corporate firewalls and China’s GFW may block it. The SDK respects the apiBaseUrl constructor param if you need to proxy.

I’m getting rate_limited errors

Validation is limited to 5 requests per license per minute and 30 per IP per minute. This usually means something is calling login() in a loop instead of once at startup.

Billing

Do failed auth attempts use credits?

No. Only successful validations (1 credit) and successful heartbeats (1 credit per 100) consume credits.

What payment methods do you accept?

Credit and debit cards via Stripe. No PayPal or crypto at this time.

Can I get a refund on credits?

Contact support. Unused credits don’t expire.

Security

Is my App Secret safe in the binary?

The App Secret is used for HMAC signature verification, not as an API key. Extracting it doesn’t let an attacker create or revoke licenses. However, obfuscating your binary is still recommended.

Can someone replay a captured auth request?

No. Every request includes a unique nonce. The server rejects duplicate nonces. Responses are signed with HMAC-SHA256 using a key derived from the nonce + app secret.