
1. Create an account

Sign up at authforge.cc. You’ll receive free credits to get started.

2. Create an app

Go to the Dashboard and click Create App. Give it a name — this represents the software you’re protecting.

3. Copy your credentials

After creating the app, copy your App ID and App Secret. The secret is shown once — store it securely.
Your App Secret is used to verify server responses cryptographically. Never expose it in logs, source control, or client-visible locations.

4. Install the SDK

Download the SDK file for your language and add it to your project. Each SDK is a single file (C++ needs a header + implementation) with zero external dependencies beyond the standard library.

Python

authforge.py — Python 3.9+

C#

AuthForgeClient.cs — .NET 6+

C++

authforge_sdk.h + .cpp — C++17

5. Add the SDK to your project

import sys

from authforge import AuthForgeClient

client = AuthForgeClient(
    app_id="YOUR_APP_ID",
    app_secret="YOUR_APP_SECRET",
    heartbeat_mode="SERVER",
)

license_key = input("Enter license key: ")

if client.login(license_key):
    print("Authenticated! Running app...")
    # Your app logic here — heartbeats run automatically in background
else:
    print("Invalid license key.")
    # sys.exit is used because the bare exit() helper comes from the site
    # module and may be missing in frozen/packaged builds.
    sys.exit(1)

6. Create a license key

In the dashboard, open your app and click Generate Licenses. Set the quantity, expiration (or lifetime), and HWID slots (how many devices can use the same key). Click Generate. Copy one of the generated keys — the format is XXXX-XXXX-XXXX-XXXX.

7. Run your app

Launch your application and enter the license key when prompted. You should see “Authenticated!” — the license is now active and bound to your machine.

8. What just happened?

Here’s what the SDK did behind the scenes:
  1. Collected HWID — The SDK fingerprinted your machine by hashing the CPU identifier, MAC address, and disk serial into a SHA-256 hash.
  2. Generated a nonce — A random string to prevent replay attacks. Every request uses a fresh nonce.
  3. Sent a validate request: POST /auth/validate with your App ID, App Secret, license key, HWID, and nonce.
  4. Server validated — The server checked the license exists, is active, hasn’t expired, and the HWID is allowed (or bound it to a new slot). One credit was deducted from your account.
  5. Signed the response — The server built a JSON payload with a session token and signed it with HMAC-SHA256(SHA256(appSecret + nonce), payload).
  6. SDK verified — The SDK recomputed the signature locally and confirmed it matches. This proves the response came from AuthForge and wasn’t tampered with.
  7. Heartbeats started — A background thread now sends POST /auth/heartbeat every 15 minutes (default). Each heartbeat uses a fresh nonce and verifies the signed response. If the license is revoked or expires, the SDK triggers the failure handler.
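
The signing and verification in steps 5 and 6, as an added sketch that is not AuthForge's SDK code: it shows why a tampered payload, or a recorded response replayed against a fresh nonce, fails the check. Assumptions: the secret and nonce are concatenated as UTF-8 strings, the raw SHA-256 digest is the HMAC key, the signature is hex-encoded, and the secret, token and payload field names are constructed.

```python
import hashlib
import hmac
import json
import secrets


def derive_key(app_secret: str, nonce: str) -> bytes:
    # Per-request key: SHA256(appSecret + nonce). Using the raw 32-byte digest
    # (rather than its hex form) as the HMAC key is an assumption.
    return hashlib.sha256((app_secret + nonce).encode("utf-8")).digest()


def sign_response(app_secret: str, nonce: str, payload: bytes) -> str:
    # Server side: HMAC-SHA256(SHA256(appSecret + nonce), payload).
    # Hex encoding of the result is an assumption.
    key = derive_key(app_secret, nonce)
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_response(app_secret: str, nonce: str, payload: bytes, signature: str) -> bool:
    # Client side: recompute with the nonce this client sent, over the exact
    # bytes received (never a re-serialized copy), and compare in constant time.
    expected = sign_response(app_secret, nonce, payload)
    # Comparing bytes avoids a TypeError on a non-ASCII signature string.
    return hmac.compare_digest(expected.encode("utf-8"), signature.encode("utf-8"))


def demo() -> dict:
    app_secret = "constructed-app-secret"        # constructed, not a real secret
    nonce = secrets.token_hex(16)                # fresh nonce for this request
    payload = json.dumps(                        # constructed response body
        {"status": "ok", "session_token": "constructed-token"}
    ).encode("utf-8")
    signature = sign_response(app_secret, nonce, payload)

    tampered = payload.replace(b'"ok"', b'"no"')
    next_nonce = secrets.token_hex(16)           # nonce of a later request
    return {
        "genuine": verify_response(app_secret, nonce, payload, signature),
        "tampered_payload": verify_response(app_secret, nonce, tampered, signature),
        # A recorded response replayed against a later request's nonce.
        "replayed": verify_response(app_secret, next_nonce, payload, signature),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```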

Next steps