Gumroad license keys don't protect your software. Here's what does.
Gumroad generates license keys when someone buys your product. But those keys don't do anything on their own. No device validation, no HWID locking, no offline support, no piracy prevention. Here's how to add real licensing to your Gumroad sales.
If you sell software on Gumroad, you've probably enabled the "Generate a unique license key per sale" option and assumed your product is protected. It's not.
Searching for how to protect your Gumroad products? Whether you're shipping professional desktop software, creative tools, developer utilities, audio plugins, game mods, or digital assets, Gumroad's built-in license keys don't actually license anything. This guide explains exactly what's missing and how to fix it.
Gumroad's license keys are random strings attached to a purchase. They don't validate devices, they don't lock to hardware, they don't work offline, and they don't prevent your customer from sharing the key with everyone on a Discord server. Gumroad is a fantastic platform for selling digital products; it handles payments, delivery, and audience building better than almost anything else. But licensing? Gumroad's licensing is a checkbox feature, not a real system.
This page explains exactly what Gumroad's license keys can and can't do, why that matters for software developers, and how LicenseSeat fills the gap without requiring you to leave Gumroad or build your own licensing server.
What Gumroad's license keys actually do
Let's be specific about what you get when you enable Gumroad's license key feature.
Key generation
Gumroad generates one unique license key per sale. The key is a random alphanumeric string delivered to the buyer in their purchase confirmation. That part works fine.
But if a customer buys a quantity of 3, they still get one key. Gumroad's GitHub has an issue requesting multiple keys for multi-quantity purchases that was closed as "not planned." If you're selling team licenses, this means each team member needs to check out separately.
The verification API
Gumroad offers a single API endpoint for license verification:
POST https://api.gumroad.com/v2/licenses/verify
You send a product_id and license_key, and you get back a success boolean, a uses count, and some purchase metadata. That's the entire API. One endpoint. One operation.
The uses count is the closest thing Gumroad has to seat management. Each time you call the API with increment_uses_count: true, the counter goes up. You can check this counter against a limit you define in your own code. But there's no concept of "which device is this" or "has this device been seen before." It's a global counter with no context.
What's missing
Here's what Gumroad's license key system does NOT provide:
- No device fingerprinting. Gumroad doesn't know or care what device the key is being used on. Anyone with the key string can verify it from any machine.
- No HWID locking. There's no hardware identifier binding. A key shared on a forum works exactly the same as a legitimately purchased key.
- No seat management. The
usescounter is a blunt instrument. It can't distinguish between "user reinstalled the app" and "user shared the key with 10 friends." There's no way to deactivate a specific device or release a seat. - No offline validation. Every license check requires a live API call to Gumroad's servers. If Gumroad is down, or the user has no internet, the validation fails. There's no signed offline token or grace period.
- No entitlements. You can't attach feature flags or time-limited capabilities to a license. A key is either valid or it isn't.
- No activation portal. There's no customer-facing dashboard where buyers can manage their own licenses or deactivate old devices.
- No webhooks for licensing events. Gumroad has webhooks for purchases, but not for licensing events like activations, deactivations, or validation failures.
- No SDKs. You're writing raw HTTP requests to a single API endpoint. No Swift SDK, no C# SDK, no JavaScript SDK. Just cURL.
The security problem
Gumroad's license verification has had a documented vulnerability where attackers could create duplicate product permalinks on their own accounts and generate valid license keys for other creators' products for free. Gumroad patched this by switching from product_permalink to product_id, but it exposed a fundamental issue: the verification system was designed as an afterthought, not as security infrastructure.
Even after the fix, the system is trivially easy to bypass. Since there's no device binding, a pirate only needs one legitimate key to distribute to unlimited users. The uses counter can be circumvented by simply not passing increment_uses_count: true in the API call, or by building a local proxy that caches the response.
The real problem: you end up building your own licensing server
This is where it gets expensive. Developers who discover Gumroad's licensing limitations typically do one of three things:
Accept piracy. Just ship the software without real protection and hope for the best. This works for some products, but if you're selling FiveM scripts, Minecraft plugins, Blender addons, Procreate brushes, or desktop tools, your product will end up on nulled forums within days. Search for "blender addon free download" or "procreate brushes free download" and you'll see how common this is.
Build a custom licensing server. Write your own API, manage your own database, handle device fingerprinting, build a customer portal, deal with rate limiting, implement offline tokens. This is months of work that has nothing to do with your actual product.
Use a licensing service. Connect Gumroad to a proper licensing-as-a-service platform that handles everything Gumroad doesn't.
Option 3 is what LicenseSeat was built for.
How LicenseSeat works with Gumroad
LicenseSeat has native Gumroad integration. It's not a workaround or a hack; it's a first-class connection that automates the entire flow from purchase to protected software.
Here's what happens when a customer buys your software on Gumroad:
- Customer completes purchase on Gumroad. They pay, Gumroad handles the transaction.
- Gumroad sends a webhook to LicenseSeat. This happens automatically once you connect the integration.
- LicenseSeat generates a real license key. Not a random string; a key tied to your product, plan, and customer record with configurable seat limits and entitlements.
- Customer receives the LicenseSeat key. Delivered automatically.
- Your software calls LicenseSeat's API on launch. A single
activate()call that validates the key, registers the device fingerprint, checks seat limits, and returns a signed offline token. - Done. The software is licensed, the device is tracked, and the customer can manage their activations through a self-service portal.
You keep selling on Gumroad. You keep using Gumroad for payments, delivery, and audience. LicenseSeat handles the licensing part that Gumroad was never designed to handle.
What LicenseSeat adds to your Gumroad sales
Device fingerprinting and HWID locking
LicenseSeat uses composite device fingerprints that combine multiple hardware identifiers. When a customer activates their license, their device is uniquely identified and registered. If someone copies the key and tries to use it on a different machine, it either counts against the seat limit or gets rejected outright.
This is the difference between "anyone with the string can use your software" and "only authorized devices can use your software."
Real seat management
Instead of Gumroad's global counter, LicenseSeat tracks individual device activations. You can configure exact seat limits per license: one device, three devices, ten devices. Customers can deactivate old devices to free up seats. You can see exactly which devices are using each license.
If a customer reinstalls their OS, they can deactivate the old device and reactivate on the new one. If someone shares a key, it stops working after the seat limit is hit. This is how software licensing is supposed to work.
Offline validation
LicenseSeat generates Ed25519-signed offline tokens that your software can verify locally without any network call. The token contains the license status, entitlements, and expiration data, all cryptographically signed so it can't be tampered with.
This means your software works on airplanes, in remote offices, and during internet outages. The offline token has a configurable grace period, and when connectivity returns, the SDK automatically revalidates online.
Entitlements
Attach capabilities to licenses. "Pro" features, "updates" access with an expiration date, "priority support" flags. Each license can have different entitlements, and your software can check them at runtime. When the "updates" entitlement expires, the customer can still use their current version but can't activate newer releases.
Self-service activation portal
Your customers get a branded portal where they can view their licenses, see which devices are activated, copy license keys, and deactivate devices without contacting you. No more "I bought your script but the key doesn't work" support tickets; they can manage it themselves.
Native SDKs
LicenseSeat provides SDKs for the languages developers actually use:
- Swift for macOS and iOS apps
- C# for Unity games, Windows apps, .NET applications
- C++ for Unreal Engine, JUCE audio plugins, native desktop apps
- JavaScript/TypeScript for Electron apps and Node.js tools
For FiveM (Lua), Roblox (Lua), Minecraft (Java), and any HTTP-capable environment, you call the REST API directly. It's three endpoints: activate, validate, deactivate. No SDK required, just standard HTTP calls.
Feature comparison
| Feature | Gumroad | LicenseSeat + Gumroad |
|---|---|---|
| Payment processing | Yes | Yes (through Gumroad) |
| License key generation | Random string | Configurable format with prefixes |
| License verification | Single API endpoint | Full REST API + native SDKs |
| Device fingerprinting | No | Composite HWID |
| Seat management | Global counter only | Per-device tracking with limits |
| HWID locking | No | Yes |
| Offline validation | No | Ed25519 signed tokens |
| Entitlements | No | Time-limited feature flags |
| Customer portal | No | Self-service activation manager |
| Multi-quantity keys | 1 key regardless of quantity | 1 key per unit |
| Webhooks | Purchase only | Purchase + licensing events |
| SDKs | None | Swift, C#, C++, JS/TS |
| Analytics | Purchase data only | Device telemetry, version adoption, geographic distribution |
| Secure downloads | Direct download link | Token-gated, license-verified downloads |
| Audit trail | No | Full event log |
| Python SDK | No | Yes (Blender, scripts) |
| Lua support | No | REST API |
| Java support | No | REST API |
| Offline grace period | No | Configurable (hours to days) |
| Key format | Random alphanumeric | Configurable prefix + format |
| Refund handling | Manual | Webhook-triggered revocation |
| Trial licenses | No | Time-limited keys |
The left column is what you get with Gumroad alone. The right column is what you get when you connect LicenseSeat. You don't lose anything from Gumroad; you gain everything in the licensing column.
For FiveM script developers
FiveM scripts are commonly sold through Gumroad. The typical workflow today: sell on Gumroad, get a license key, paste the key into a config file, and... hope nobody shares it. That's not protection.
With LicenseSeat connected to your Gumroad:
- Customer buys your script on Gumroad
- LicenseSeat automatically generates and delivers the license key
- Your Lua script calls the LicenseSeat API on server start
- The server's hardware fingerprint is registered and validated
- Key sharing is prevented by seat limits and HWID binding
No user registration flows in your Lua code. No complex session management. No building your own validation server. Just real protection that works.
For Minecraft plugin developers
SpigotMC's marketplace bans DRM in uploaded plugins, which means premium plugin developers need external licensing. If you sell through Gumroad, BuiltByBit, or Polymart and deliver keys manually, you're doing extra work that LicenseSeat automates.
Add a simple API call to your plugin's onEnable() method. The plugin validates the license key against the server's hardware fingerprint, checks seat limits, and either enables full functionality or runs in demo mode. Invalid keys don't work. Period.
For server networks buying multi-seat licenses, LicenseSeat handles this correctly. Each server activates against the same key, counting toward the seat limit. When a server is decommissioned, the customer can deactivate it through the self-service portal.
For Discord bot developers
Discord bots sold on Gumroad run on customer-managed servers. Without node-locked licensing, a customer can buy one copy of your bot and run it on unlimited servers. Gumroad's license key counter doesn't distinguish between "same server restarted" and "new server added."
LicenseSeat's device fingerprinting ties each license to specific servers. The JavaScript SDK works directly in Node.js. A single activate() call on bot startup handles device registration, seat checking, and offline caching. If a customer tries to run your bot on more servers than their license allows, it fails activation.
For Roblox script developers
Roblox scripts and executors face constant piracy. The community shares paid scripts freely, and Gumroad's license key does nothing to prevent this since anyone can copy the string.
LicenseSeat's composite HWID fingerprinting provides actual protection because it combines multiple hardware identifiers. Even if someone spoofs one component, the fingerprint changes and the license fails validation. For Lua-based Roblox scripts, call the REST API directly: one HTTP request to activate, one to validate.
For desktop app and macOS developers
Professional macOS apps and Windows tools require professional licensing infrastructure. If you sell through Gumroad, you've probably noticed the licensing gap immediately. Gumroad's license key is just a string. It doesn't know if someone is running your app on one machine or a hundred.
LicenseSeat's Swift SDK integrates in minutes. A single activate() call on app launch handles device fingerprinting, license validation, seat checking, and offline caching. Your app works without internet, handles device changes gracefully, and enforces your licensing terms through hardware binding.
For Windows developers, the C# and C++ SDKs provide the same functionality. Teams shipping design tools, developer utilities, or creative software get enterprise-grade licensing without enterprise complexity. One integration, proper protection, and your customers manage their own activations through a branded portal.
For audio plugin developers
JUCE developers and VST/AU plugin creators have specific requirements: your plugin runs inside a DAW host, so the licensing check needs to be fast, non-blocking, and reliable across different hosts and operating systems. Professional audio software companies can't afford licensing that interferes with the user experience.
LicenseSeat's C++ SDK handles this. The activation check happens once, the result is cached with an Ed25519-signed offline token, and your plugin doesn't phone home every time the user opens a project. Composite hardware fingerprinting works correctly across macOS and Windows without platform-specific configuration.
Whether you're a solo plugin developer or a team shipping commercial audio software, LicenseSeat provides the same infrastructure. Sell on Gumroad, license with LicenseSeat, and spend your time building your plugin instead of your licensing infrastructure.
For Unity asset and tool developers
Unity developers selling editor extensions, tools, and professional assets on Gumroad face a unique challenge: your scripts and tools can be duplicated and shared instantly. Once someone buys your Unity package, they can zip it up and distribute it anywhere. Gumroad's license key doesn't prevent this.
LicenseSeat's C# SDK integrates directly into the Unity editor. Add a license check to your asset's initialization, and the SDK handles device fingerprinting, seat limits, and offline validation. Unity editor tools can verify licenses at edit-time, and runtime scripts can validate before execution. One integration protects both editor extensions and runtime functionality.
For teams shipping commercial Unity tools: you get the same licensing infrastructure as standalone desktop applications. Keep selling on Gumroad, connect the LicenseSeat integration, and your Unity products are properly protected.
For Blender addon developers
Blender addons are one of the most pirated categories on Gumroad. Search for "blender addon free download" and you'll find entire curated collections of stolen addons. The piracy problem is severe because Gumroad provides no device binding, no activation limits, and no way to detect or prevent key sharing.
LicenseSeat's Python SDK (or direct REST API calls from Blender's Python environment) lets you add real license validation to your addon. The activation ties to the user's hardware fingerprint, seat limits prevent unlimited sharing, and the offline token means the addon works even when Blender is running without internet access.
If you're building Blender tools and selling on Gumroad, you're leaving money on the table every day you don't have real licensing. The free tier covers your first 100 devices while you validate that your addon has a market.
For Procreate brush and Lightroom preset sellers
"Procreate brushes free download" gets nearly 600 monthly searches. "Lightroom presets free download" gets over 1,000. If you're selling digital assets on Gumroad, your products are being pirated right now.
Most brush and preset sellers assume there's nothing they can do. After all, these are just files, not software. But if you bundle your brushes or presets with a small installer or delivery app, you can validate licenses at download time. LicenseSeat's token-gated file distribution means customers can only download your actual files after activating a valid license. No valid license, no download.
This turns a passive piracy problem into an active protection system. Your Gumroad sale generates a LicenseSeat key, the customer uses that key to access their files through a license-verified download link, and casual piracy becomes significantly harder.
Pricing
You keep paying Gumroad for payment processing (their standard fees). LicenseSeat adds the licensing layer:
| Plan | Monthly | Devices | What you get |
|---|---|---|---|
| Hobby | Free | 100 | Everything above. Seriously. |
| Indie | $9/mo | 500 | Multiple products, same features |
| Starter | $25/mo | 1,500 | 5 products |
| Pro | $69/mo | 5,000 | Unlimited products |
The free tier gives you 100 devices — enough to validate your market before committing. As you scale, pricing stays predictable. Teams shipping professional desktop software, creative tools, or developer utilities get the same enterprise-grade infrastructure as the free tier: Ed25519 cryptographic signatures, composite device fingerprinting, and a complete licensing API.
Compare this to the alternative: building your own licensing server. A VPS costs $5-20/month. A database costs more. Development time costs the most. And you still need to maintain it, handle scaling, deal with security, and fix bugs. LicenseSeat replaces all of that with a five-minute integration — same cryptographic security and device fingerprinting used by enterprise licensing platforms, without the enterprise price tag or complexity.
Works with any payment platform
Whether you sell through Gumroad, run your own storefront, or use multiple sales channels, LicenseSeat integrates with your existing payment infrastructure. Your sales flow stays the same — LicenseSeat handles the licensing layer.
LicenseSeat connects to:
- Gumroad - Native webhook integration
- LemonSqueezy - Native webhook integration
- Stripe - Direct integration for custom storefronts
- FastSpring - Coming soon
- Any platform with webhooks - Custom integration via our API
Migrating from another licensing provider? Generate new keys for existing customers, swap the SDK, and you're protected. The API is straightforward, the SDKs handle the complexity, and your customers see a seamless transition.
Getting started
Sign up for LicenseSeat (free tier, no credit card). Create your product.
Connect Gumroad. In your LicenseSeat dashboard, add a Gumroad webhook endpoint. Copy the webhook URL into your Gumroad product settings. Map your Gumroad product to a LicenseSeat product and plan.
Integrate the SDK. Add the LicenseSeat SDK to your software. For most languages, it's a single
activate(key)call. For Lua and Java, it's a direct REST API call.Test. Make a test purchase on Gumroad. Verify the license is automatically created in LicenseSeat. Verify your software activates correctly.
Ship. Your Gumroad sales now come with real software protection. Customers get license keys that actually mean something.
The integration typically takes less than an hour. Most of that time is testing.
The bottom line
Gumroad is great at what it does: selling digital products. It handles payments, audience, and distribution exceptionally well. But Gumroad's license keys are decoration, not protection. They're a random string with a counter, backed by a single API endpoint that has no concept of devices, hardware, seats, or offline access.
If you sell software that runs on customer machines — professional design tools, developer utilities, creative applications, audio plugins, macOS apps, Windows tools, Electron apps, game server scripts, or any downloadable software — you need real software licensing. Not a checkbox that generates a string, but actual device fingerprinting, HWID locking, seat management, offline validation, and a self-service customer portal.
The Gumroad license key API is a single verification endpoint. LicenseSeat's software licensing API is a complete licensing infrastructure with native SDKs for Swift, C#, C++, JavaScript, TypeScript, and REST API access for Lua, Java, Python, and everything else.
LicenseSeat adds all of that to your existing Gumroad workflow. You don't have to migrate your sales, rebuild your audience, or learn a new payment platform. You connect the integration, add the SDK, and your Gumroad license keys become real licenses.
Start with the free tier (100 devices, no credit card). Your first Gumroad sale with real protection is an hour away.
Frequently asked questions
How do I use Gumroad license keys?
Gumroad generates a random alphanumeric license key when a customer purchases a product with the license key option enabled. You can verify this key by calling POST https://api.gumroad.com/v2/licenses/verify with the product_id and license_key. The API returns a success boolean and a uses counter. That's the extent of what Gumroad license keys can do. For real device binding, HWID locking, seat management, and offline validation, you need to connect a licensing service like LicenseSeat.
Does the Gumroad license key API support device fingerprinting?
No. The Gumroad API has no concept of devices, hardware identifiers, or machine fingerprints. Any device that knows the license key string can verify it. LicenseSeat adds composite device fingerprinting that combines multiple hardware identifiers to uniquely identify each activation.
Can I limit how many devices use a Gumroad license key?
Gumroad provides a uses counter that increments each time you call the API with increment_uses_count: true. But this counter has no context; it can't distinguish between "same device, different session" and "new device." LicenseSeat provides per-device tracking with configurable seat limits, device deactivation, and a customer portal for self-service management.
Do Gumroad license keys work offline?
No. Every Gumroad license check requires a live API call to Gumroad's servers. If Gumroad is down or the user has no internet, the validation fails. LicenseSeat generates Ed25519-signed offline tokens that your software can verify locally with no network call required.
How do I sell software licenses online?
The typical approach: use a payment platform like Gumroad, LemonSqueezy, or Stripe for transactions, and connect a licensing service like LicenseSeat for actual license management. The payment platform handles money; the licensing service handles device validation, key management, and piracy prevention. Learn more about how software licensing works.
Can I use Gumroad license keys with Unity?
Gumroad's license keys are just strings. You can verify them via HTTP, but there's no Unity SDK. LicenseSeat provides a native C# SDK that integrates directly into Unity's editor and runtime, handling device fingerprinting and offline validation automatically.