One round trip to authenticate
End-user login is designed around one POST /auth/validate call per attempt:
There is no multi-step OAuth redirect, no polling loop, and no second “confirm” call required for a standard successful login.
What happens on the wire
After TLS, the server does focused work: resolve the license, check status and expiration, enforce HWID slots and security lists, then sign the response. The SDK verifies that signature with your app secret—so integrity checks happen locally without another network hop. Rolling nonces are included so responses are not replayable; the SDK handles nonce generation and verification without complicating your UI code.
What actually affects “how fast it feels”
| Factor | Role |
|---|---|
| Network RTT | Usually the largest part of wall-clock time. |
| Cold TLS / DNS | First request to a host may be slower; later calls reuse connections. |
| Your UX | Keep license entry non-blocking; avoid unnecessary work before calling login. |
Heartbeats are separate
After login, the SDK runs heartbeats on a timer. They are not part of the initial validation latency your user waits on at startup (unless you block your UI until a heartbeat completes—usually unnecessary).
Going deeper
- Security best practices — Protecting your app secret and verifying auth early.
- API errors reference — Includes signature, nonce, and replay cases for SDK auth.
- SDK best practices — Error handling, offline behavior, and heartbeat modes.
- Core Concepts — Credits, sessions, and HWID binding.
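
The local signature and nonce check described under "What happens on the wire", sketched as an added example that is not the SDK's own code. HMAC-SHA256, the `nonce`/`body`/`sig` field names, the canonical JSON form and the demo secret are all assumptions made for illustration; the real wire format is whatever the SDK implements.

```python
import hashlib
import hmac
import json
import secrets

APP_SECRET = b"constructed-demo-secret"  # placeholder value, not a real key


def _mac(secret: bytes, nonce: str, body: dict) -> str:
    # Assumed canonical form: nonce, newline, sorted-key compact JSON.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, nonce.encode() + b"\n" + data, hashlib.sha256).hexdigest()


def server_sign(secret: bytes, nonce: str, body: dict) -> dict:
    """Stand-in for the server: echo the client's nonce and sign the result."""
    return {"nonce": nonce, "body": body, "sig": _mac(secret, nonce, body)}


class Verifier:
    """Client side: one fresh nonce per attempt, each accepted at most once."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()  # nonces issued but not yet answered

    def new_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, response: dict) -> bool:
        nonce, sig, body = (response.get(k) for k in ("nonce", "sig", "body"))
        if not (isinstance(nonce, str) and isinstance(sig, str)
                and isinstance(body, dict)):
            return False
        expected = _mac(self._secret, nonce, body)
        # Constant-time comparison; a tampered body or wrong secret fails here.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False
        # A nonce we never issued, or one already consumed, means a replay.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        return True
```

Because the nonce is consumed only after the signature verifies, a forged response cannot burn a pending nonce and block the genuine reply.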