License keys can be limited to one or more hardware IDs (HWIDs). Each successful login binds the key to a fingerprint of the user’s machine so the same key cannot be reused on unlimited PCs.
How locking works
- The SDK collects identifiers from the local system (details vary by language and OS APIs).
- The SDK hashes that material into a 64-character hex string and sends it with
POST /auth/validate.
- The server stores that string as an opaque ID. If the license has free HWID slots, the new ID is bound. If all slots are full and this ID is not already bound, validation fails with
hwid_mismatch.
You configure how many simultaneous machines a key may use (max HWID slots) when you create or edit licenses.
HWIDs are SDK-specific (important)
The same physical computer can produce different HWID strings for different AuthForge SDKs. There is no single “true” hardware fingerprint across Python, C#, C++, Rust, Go, and Node — each SDK implements collection and hashing for its own runtime and platform APIs.
- One product, one SDK — Users get a consistent HWID for your app. Seat limits and resets behave as you expect.
- Different apps or SDKs on one machine — If a user runs two products that each use a different AuthForge SDK (or different versions with different fingerprint logic), those products may report different HWIDs to AuthForge even on the same box. That is expected: the server only compares the string your SDK sends.
- Support and dashboards — When you look up a license’s bound HWIDs, you are seeing per-integration identities, not a universal device serial. For blacklist entries in Security lists, the value must match the exact string produced by the SDK you ship.
For the general model (slots, binding, reset), see Core Concepts — HWID.
- Blacklists & whitelists — Block or allow specific HWID strings (exact match).
- License API — Generate keys with
maxHwidSlots, reset bindings, and more.
- SDK overview — Choose one SDK per product and keep it consistent across releases for stable fingerprints.
