Lemon Squeezy license keys are just strings. Here's how to make them actually protect your software.

Lemon Squeezy handles payments, taxes, and delivery brilliantly. But its license keys are just random strings with no device validation, no HWID binding, and no protection against key sharing. Here's how to add real licensing without leaving Lemon Squeezy.

Lemon Squeezy is one of the best platforms for selling digital products. Now part of Stripe, it handles global payments, VAT/sales tax compliance, affiliate programs, and subscription management. As a Merchant of Record, it takes care of all the legal complexity so you can focus on building your product.

But when it comes to software licensing? Lemon Squeezy's license key feature is a checkbox, not a system.

If you've enabled license key generation on your Lemon Squeezy product and assumed your software is protected, it isn't. Those keys are random strings attached to purchases. They don't validate devices, they don't prevent key sharing, and they don't work offline. Anyone with the key string can use it from any machine, unlimited times.

This page explains what Lemon Squeezy's license keys actually do, why that's a problem for software developers, and how LicenseSeat adds real licensing to your Lemon Squeezy sales without requiring you to build your own infrastructure.

What Lemon Squeezy's license keys actually do

Lemon Squeezy generates license keys when you enable the option on a product. Here's what you get.

Key generation

When a customer purchases your product, Lemon Squeezy creates a unique license key and includes it in the purchase confirmation. The key is a random alphanumeric string. This part works fine.

License verification API

Lemon Squeezy provides API endpoints for license management:

POST /v1/licenses/validate
POST /v1/licenses/activate
POST /v1/licenses/deactivate

You can validate a key, activate an "instance" (tracked by a label you provide), and deactivate instances. There's a configurable activation limit per license. This is more sophisticated than some competitors, but the implementation has significant gaps.

What's actually missing

Here's what Lemon Squeezy's licensing system does NOT provide:

  • No device fingerprinting. Lemon Squeezy tracks "instances" by a label you provide (the instance_name parameter), but there's no automatic hardware detection. You're responsible for deciding what identifies a device. If you pass the same label twice, it's the same instance. If you don't implement fingerprinting yourself, anyone can activate from any machine.
  • No HWID locking. There's no hardware identifier binding. The instance system tracks labels, not hardware. A pirate who knows the key can activate on any device by simply providing a unique label, working around your activation limit.
  • Label-based instance tracking only. While you can deactivate specific instances, the system relies on labels you provide. If a customer reinstalls their OS, the "device" identity is whatever label your code sends. You need to implement device fingerprinting yourself and pass it as the instance name.
  • No offline validation. Every license check requires a live API call to Lemon Squeezy's servers. If their API is slow, your software launch is slow. If it's down, validation fails. There's no signed offline token or grace period.
  • No feature entitlements. You can't attach capabilities like "pro features" or "updates until 2025" to a license. A key is valid or it isn't; there's no granularity.
  • No customer self-service portal. Your customers can't manage their own licenses. They can't see what devices are activated or deactivate an old machine without contacting you.
  • No native SDKs. You're writing raw HTTP requests. There's no Swift SDK for macOS, no C# SDK for Unity, no C++ SDK for audio plugins. Just documentation and cURL examples.
  • Limited analytics. You can see activation counts, but not device types, geographic distribution, version adoption, or actual usage patterns.
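
One way to fill the fingerprinting gap yourself is to derive a stable device ID and send it as instance_name. This is an added example, not Lemon Squeezy's or LicenseSeat's code; the salt, the component names, and the sample response are constructed, and the response fields (valid, instance.name) are assumed from Lemon Squeezy's License API documentation.

```javascript
const crypto = require('node:crypto');

// Hypothetical per-product salt, so the same machine yields unrelated IDs across products.
const PRODUCT_SALT = 'example-product-salt';

// components: hardware identifiers your app collects (key names here are constructed).
// Keys are sorted and values normalised so the result is stable across launches.
function deviceFingerprint(components, salt = PRODUCT_SALT) {
  const canonical = Object.keys(components)
    .sort()
    .map((k) => `${k}=${String(components[k]).trim().toLowerCase()}`)
    .join('\n');
  return crypto.createHmac('sha256', salt).update(canonical).digest('hex');
}

// Form body for POST /v1/licenses/activate: the fingerprint becomes instance_name.
function activationBody(licenseKey, components) {
  return new URLSearchParams({
    license_key: licenseKey,
    instance_name: deviceFingerprint(components),
  }).toString();
}

// True only if a validate response is valid AND its instance was activated
// from this machine (instance.name equals the locally derived fingerprint).
function isBoundToThisDevice(response, components) {
  if (!response || response.valid !== true || !response.instance) return false;
  const expected = Buffer.from(deviceFingerprint(components));
  const actual = Buffer.from(String(response.instance.name));
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
}

// Constructed sample data: two machines and a validate response for the first.
const machineA = { machineId: '4C4C4544-0042', boardSerial: 'BS-1001', cpu: 'Example CPU' };
const machineB = { machineId: '9F1B22A0-7731', boardSerial: 'BS-2002', cpu: 'Example CPU' };
const sampleResponse = {
  valid: true,
  error: null,
  instance: { id: 'constructed-instance-id', name: deviceFingerprint(machineA) },
};
```

The comparison runs on the customer's machine, so it limits casual key sharing but not a patched binary or a proxy replaying an old response.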

The security reality

The activation count is trivially easy to game. Since there's no device fingerprinting:

  1. A pirate buys one copy of your software
  2. They extract the license key
  3. They distribute it, with instructions to never call the activate endpoint
  4. Or they build a local proxy that returns cached "valid" responses

Without device binding, your only defense is the activation count, and that's easy to bypass by simply not incrementing it. The count is server-side enforcement of a client-side honor system.

The real cost: building your own licensing server

When developers discover these limitations, they typically choose one of three paths:

  1. Accept the losses. Ship without real protection. If you're selling FiveM scripts, Minecraft plugins, audio plugins, or desktop tools, expect your product on nulled sites within weeks. For some business models this is acceptable; for most indie developers it's death by a thousand cuts.

  2. Build custom infrastructure. Write your own licensing server with device fingerprinting, seat management, offline tokens, and a customer portal. This is months of work that has nothing to do with your actual product. And you're now responsible for uptime, security, and maintenance forever.

  3. Add a real licensing layer. Keep Lemon Squeezy for what it's great at (payments, taxes, subscriptions) and connect it to a proper licensing-as-a-service platform.

Option 3 is exactly what LicenseSeat was built for.

How LicenseSeat works with Lemon Squeezy

LicenseSeat has native Lemon Squeezy integration. Not a workaround, not a Zapier hack; a first-class webhook connection that automates the entire purchase-to-protection flow.

Here's what happens when a customer buys your software on Lemon Squeezy:

  1. Customer completes purchase. Lemon Squeezy handles the payment, VAT calculation, and transaction.
  2. Lemon Squeezy sends a webhook to LicenseSeat. Automatic, no code required on your end.
  3. LicenseSeat generates a real license key. A key tied to your product, plan, customer, with configurable seat limits and entitlements.
  4. Customer receives the LicenseSeat key. Delivered automatically.
  5. Your software calls LicenseSeat's API on launch. A single activate() call that validates the key, registers the device's hardware fingerprint, checks seat limits, and returns a signed offline token.
  6. Done. The software is licensed, the device is tracked, and the customer can manage their activations through a self-service portal.

You keep using Lemon Squeezy for everything it's great at: payments, VAT compliance, subscriptions, affiliate programs, email sequences. LicenseSeat handles the licensing part that Lemon Squeezy was never designed for.

What LicenseSeat adds to your Lemon Squeezy sales

Device fingerprinting and HWID locking

LicenseSeat uses composite device fingerprints combining multiple hardware identifiers. When a customer activates their license, their specific device is uniquely identified and registered. If someone copies the key and tries to use it on a different machine, it either counts against the seat limit or gets rejected.

This is the difference between "anyone with the string can use your software" and "only the machines you authorize can use your software."

Real per-device seat management

Instead of Lemon Squeezy's activation counter, LicenseSeat tracks individual device activations. You can:

  • Configure exact seat limits per license (1 device, 3 devices, 10 devices)
  • See which specific devices are using each license
  • Let customers deactivate specific devices to free up seats
  • Handle "I got a new computer" without support tickets

If a customer reinstalls their OS, they can deactivate the old device fingerprint and reactivate on the new installation. If someone shares a key, it stops working once the seat limit is hit, with clear error messaging about which devices are using the license.

Offline validation

LicenseSeat generates Ed25519-signed offline tokens that your software can verify locally without any network call. The token contains license status, entitlements, and expiration, all cryptographically signed so it can't be tampered with.

Your software works on airplanes, in basements with bad WiFi, during ISP outages. The offline token has a configurable grace period, and when connectivity returns, the SDK automatically revalidates online.
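
Local verification of a signed offline token like the one described above, as an added example that is not LicenseSeat's SDK or token format. The payload fields (device, status, exp, grace, entitlements), the payload.signature layout, and the in-process key pair are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumed token layout: base64url(JSON payload) + "." + base64url(Ed25519 signature).
// issueToken stands in for the licensing server; only verifyOfflineToken ships in the app.
function issueToken(privateKey, payload) {
  const body = Buffer.from(JSON.stringify(payload));
  const sig = crypto.sign(null, body, privateKey); // Ed25519 takes no digest name
  return `${body.toString('base64url')}.${sig.toString('base64url')}`;
}

// Returns { ok, reason, entitlements }. All times are Unix seconds.
function verifyOfflineToken(token, publicKey, deviceId, now) {
  const fail = (reason) => ({ ok: false, reason, entitlements: [] });
  const parts = String(token).split('.');
  if (parts.length !== 2) return fail('malformed');
  const body = Buffer.from(parts[0], 'base64url');
  const sig = Buffer.from(parts[1], 'base64url');
  // Check the signature over the exact received bytes before trusting any field.
  if (!crypto.verify(null, body, publicKey, sig)) return fail('bad_signature');
  let p;
  try { p = JSON.parse(body.toString('utf8')); } catch { return fail('malformed'); }
  if (p.device !== deviceId) return fail('wrong_device'); // token copied to another machine
  if (p.status !== 'active') return fail('inactive');
  if (now > p.exp + p.grace) return fail('expired'); // past the offline grace period
  // Keep only entitlements whose own expiry (if any) has not passed.
  const entitlements = (p.entitlements || [])
    .filter((e) => e.until === null || now <= e.until)
    .map((e) => e.name);
  return { ok: true, reason: now > p.exp ? 'grace' : 'valid', entitlements };
}

// Constructed demo data: a throwaway key pair and a sample payload.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const samplePayload = {
  device: 'constructed-device-fingerprint',
  status: 'active',
  exp: 2000,
  grace: 500,
  entitlements: [{ name: 'pro', until: null }, { name: 'updates', until: 900 }],
};
const sampleToken = issueToken(privateKey, samplePayload);
```

The expiry check trusts the local clock, so an app would typically also record the latest time it has seen and refuse a clock that moves backwards.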

Feature entitlements

Attach capabilities to licenses:

  • "Pro" features unlocked for premium tiers
  • "Updates" entitlement that expires on a specific date (perpetual license with 1-year updates)
  • "Priority support" flags
  • Custom entitlements specific to your product

Each license can have different entitlements, and your software checks them at runtime. When an entitlement expires, the customer can still use their current version but can't access newer releases or premium features.

Self-service activation portal

Your customers get a branded portal where they can:

  • View all their licenses and purchase history
  • See which devices are currently activated
  • Copy license keys without digging through email
  • Deactivate old devices to free up seats
  • Download software updates (if you use LicenseSeat's distribution)

No more "I lost my license key" or "I need to transfer to my new laptop" support tickets. Customers handle it themselves.

Native SDKs

LicenseSeat provides SDKs for the languages software developers actually use:

  • Swift for macOS apps and iOS applications
  • C# for Unity games, Windows apps, .NET applications
  • C++ for Unreal Engine, JUCE audio plugins, native desktop apps
  • JavaScript/TypeScript for Electron apps and Node.js tools

For FiveM (Lua), Roblox (Lua), Minecraft (Java), and other environments, you call the REST API directly. Three endpoints: activate, validate, deactivate.

Feature comparison

| Feature | Lemon Squeezy | LicenseSeat + Lemon Squeezy |
|---|---|---|
| Payment processing | Yes (MoR with VAT/tax handling) | Yes (through Lemon Squeezy) |
| License key generation | Random string | Configurable format with prefixes |
| License verification | Activation count API | Full REST API + native SDKs |
| Device fingerprinting | No (label-based instances) | Composite HWID |
| Seat management | Instance labels (you implement fingerprinting) | Per-device tracking with limits |
| HWID locking | No | Yes |
| Offline validation | No | Ed25519 signed tokens |
| Feature entitlements | No | Time-limited capability flags |
| Customer portal | No | Self-service activation manager |
| Automatic device detection | No | Yes |
| SDKs | None | Swift, C#, C++, JS/TS |
| Analytics | Activation counts | Device telemetry, version adoption, geographic distribution |
| Secure downloads | Direct links | Token-gated, license-verified downloads |
| Audit trail | No | Full event log |
| Subscription support | Yes | Yes (integrated with Lemon Squeezy webhooks) |

The left column is Lemon Squeezy alone. The right column is what you get when you connect LicenseSeat. You don't lose any Lemon Squeezy functionality; you gain everything in the licensing column.

For FiveM script developers

FiveM scripts are commonly sold through Lemon Squeezy. The typical workflow: sell on Lemon Squeezy, generate a license key, customer pastes it into a config file, and... hope nobody shares it on Discord.

With LicenseSeat connected to your Lemon Squeezy:

  1. Customer buys your script on Lemon Squeezy
  2. LicenseSeat automatically generates and delivers the license key
  3. Your Lua script calls the LicenseSeat API on server start
  4. The server's hardware fingerprint is registered and validated
  5. Key sharing is prevented by seat limits and HWID binding

No building your own validation server. No complex webhook handlers in your Lua code. Just real protection that works.

For desktop app developers

If you sell a macOS app or Windows tool through Lemon Squeezy, you've noticed the licensing gap. Lemon Squeezy's key is just a string with a counter. It doesn't know if someone is running your app on one machine or distributing it across a company.

LicenseSeat's Swift SDK (macOS) and C# SDK (Windows/.NET) integrate in minutes. A single activate() call on app launch handles device fingerprinting, license validation, seat checking, and offline caching. Your app works without internet, handles device changes gracefully, and prevents casual piracy through hardware binding.

For audio plugin developers

JUCE developers and VST/AU plugin creators have specific requirements: the licensing check must be fast, non-blocking, and work reliably across different DAW hosts and operating systems.

LicenseSeat's C++ SDK handles this. The activation check happens once, the result is cached with an Ed25519-signed offline token, and your plugin doesn't phone home every time a user opens their project. Composite hardware fingerprinting works correctly across macOS and Windows without platform-specific code paths.

Sell on Lemon Squeezy (with its excellent subscription management for plugin tiers), license with LicenseSeat, and focus on building your plugin.

For game mod and script developers

Minecraft plugins, Roblox scripts, Discord bots: these all face the same challenge. Your product is code that runs on customer machines or servers, and without real device binding, a single leaked key means unlimited piracy.

With LicenseSeat:

  1. Sell on Lemon Squeezy (subscriptions work great for Discord bots)
  2. LicenseSeat automatically generates license keys on purchase
  3. Your code calls the LicenseSeat API to validate
  4. Server or device fingerprint is registered
  5. Sharing is blocked by seat limits and HWID binding

For Lua and Java environments, the REST API is three endpoints. No SDK required.

Pricing

You keep paying Lemon Squeezy for payment processing (their MoR fees). LicenseSeat adds the licensing layer:

| Plan | Monthly | Devices | What you get |
|---|---|---|---|
| Hobby | Free | 100 | Full licensing features |
| Indie | $9/mo | 500 | Multiple products |
| Starter | $29/mo | 1,500 | 5 products |
| Pro | $79/mo | 5,000 | Unlimited products |

The free tier gives you 100 devices. If you're selling a FiveM script or a small utility through Lemon Squeezy, that's enough to validate the market and start generating revenue before you pay anything for licensing.

Compare this to building your own: server hosting, database, development time, ongoing maintenance. LicenseSeat's free tier replaces all of that with a connection that takes less than an hour to set up.

Getting started

  1. Sign up for LicenseSeat (free tier, no credit card). Create your product and license plan.

  2. Connect Lemon Squeezy. In your LicenseSeat dashboard, add a Lemon Squeezy webhook endpoint. Copy the webhook URL to your Lemon Squeezy store settings. Map your Lemon Squeezy product/variant to a LicenseSeat product and plan.

  3. Integrate the SDK. Add the LicenseSeat SDK to your software. For Swift, C#, C++, or JavaScript, it's a single activate(key) call. For Lua and Java, it's a direct REST API call.

  4. Test. Make a test purchase on Lemon Squeezy. Verify the license is automatically created in LicenseSeat. Verify your software activates correctly and rejects invalid keys.

  5. Ship. Your Lemon Squeezy sales now come with real software protection.

The integration typically takes under an hour. Most of that time is testing.

When to use Lemon Squeezy alone

To be fair: not every product needs device-level licensing. Lemon Squeezy's built-in license keys are sufficient if:

  • You're selling digital downloads that don't need copy protection (ebooks, templates, design assets)
  • Your product is web-based or SaaS (user accounts handle access control)
  • Piracy isn't a significant concern for your market
  • You're comfortable with honor-system enforcement

But if you're selling software that runs on customer machines, whether that's desktop apps, scripts, plugins, or game mods, you need real licensing. Lemon Squeezy's activation count isn't enough.

The bottom line

Lemon Squeezy is excellent at what it does: handling global payments, VAT compliance, subscriptions, and digital product delivery as a Merchant of Record. Now backed by Stripe, it takes care of all the international tax complexity so you can sell worldwide without becoming a tax expert.

But Lemon Squeezy's license keys are a checkbox feature, not security infrastructure. They're a counter with no device awareness, backed by an API that has no concept of hardware fingerprints or offline validation.

If you sell software that runs on customer machines, you need real software licensing: device fingerprinting, HWID locking, per-device seat management, offline tokens, entitlements, and a self-service portal, not an activation counter that pirates can trivially bypass.

LicenseSeat adds all of that to your Lemon Squeezy workflow. You don't migrate payments, you don't rebuild your sales funnel, you don't lose Lemon Squeezy's excellent MoR features. You connect the integration, add the SDK, and your Lemon Squeezy license keys become real licenses.

Start with the free tier (100 devices, no credit card). Your first Lemon Squeezy sale with real protection is an hour away.