LicenseSeat

What is a license key?

License keys are the bridge between a purchase and a working product. Here's how they work, how to generate them, and how to build them into your software.

What is a license key?

A license key is a unique string of characters that proves someone has the right to use a piece of software. When a customer buys your app, game, or plugin, you give them a license key. They enter it, your software verifies it, and they're in.

You've probably used one yourself. Every time you've typed a 25-character code like XXXXX-XXXXX-XXXXX-XXXXX-XXXXX into a software installer, that was a license key at work. It's the most common way commercial software verifies that a user actually paid.

For software developers, license keys are the backbone of your monetization. Without them, you're relying on the honor system, and the honor system doesn't scale.

How license keys work

The basic flow is simple:

1. You generate a key. When a customer purchases your software, your system creates a unique license key and delivers it to them, usually by email.

2. The customer enters it. When they launch your software for the first time, your app presents a text field. They paste in their key.

3. Your software validates it. Your app sends the key to your license server (or validates it locally using cryptographic signatures). The server checks: Is this key valid? Is it still active? Has it been used on too many devices?

4. Activation is recorded. If everything checks out, the server records the activation along with a hardware fingerprint of the customer's machine. The software unlocks.

5. Subsequent launches verify locally. After initial activation, your app can store proof of activation locally so the customer doesn't need internet access every time they open your software.

That's the basic pattern. The specifics vary depending on your license model; whether you're doing perpetual, subscription, floating, or node-locked licensing. But the core concept of "key in, software unlocked" is universal.

License key vs product key vs activation code

These terms get used interchangeably, and the differences are mostly about context rather than technology.

License key is the broadest term. It refers to any unique identifier that grants access to software. This is what most developers and licensing systems call them.

Product key is the same thing, but it's the term Microsoft and a few other large software companies popularized. When someone talks about a "Windows product key" or an "Office product key," they mean a license key. The term "product key" tends to show up more in consumer software contexts.

Activation code usually refers to a shorter, sometimes one-time-use code that unlocks software. Some systems use activation codes that are different from the underlying license key; you enter the activation code once, and it ties a permanent license to your account. Other systems use the terms synonymously.

Serial number is an older term from the physical software era. Back when software came in boxes, the serial number was printed on a sticker inside the case. Functionally identical to a license key.

For practical purposes, if you're building a licensing system, you're building a license key system. The other terms are just naming conventions from different eras and vendors.

Types of license keys

Not all license keys are created equal. The type you choose affects security, user experience, and what your licensing system can do.

Simple text keys

The classic approach: a formatted string like ABCD-1234-EFGH-5678. These keys are easy for customers to type and share. They can be verified against a server-side database or validated using a checksum algorithm.

Pros: Easy to handle, familiar to users, simple to implement.

Cons: Easy to share (just copy and paste), limited to encoding basic information, vulnerable to brute-force generation if the algorithm is weak.

Simple text keys work fine for low-risk software where you trust your users and just need basic piracy prevention. They're also a good fit when your software always validates online against a server, since the server handles the real security.

Cryptographically signed keys

Instead of storing keys in a database, you embed license data (customer name, expiration date, features, device limit) directly into the key and sign it with a cryptographic signature. Your software can verify the signature locally without contacting a server.

This is how offline-capable licensing works. The key itself carries its own proof of validity. If someone tampers with the embedded data, the signature breaks and the key is rejected.

LicenseSeat uses Ed25519 signatures for this. Ed25519 is fast, produces compact signatures, and is resistant to all known classical cryptographic attacks.

Pros: Works offline, tamper-proof, carries metadata, no database lookup required.

Cons: Longer key strings, can't be revoked without a server check, slightly more complex to implement.

Hardware-locked keys

These keys are tied to specific hardware. During activation, your software collects a fingerprint of the customer's machine (CPU ID, disk serial, MAC address, or a combination) and sends it alongside the key. The server records this fingerprint, and the key will only validate on that specific machine.

Node-locked licensing uses hardware-locked keys to prevent one person from sharing their key with everyone they know. You typically allow 2-3 activations per key so customers can use the software on their home and work machines.

Pros: Strong piracy prevention, clear usage tracking, controllable device limits.

Cons: Customers need a transfer mechanism when they change computers.

Time-limited keys

These keys expire after a set period. They're used for subscription licenses and trial periods. The expiration can be encoded in the key itself (signed with a cryptographic signature) or enforced server-side through periodic validation checks.

Pros: Natural fit for subscriptions and trials, creates urgency for trial conversions.

Cons: Requires either online validation or a tamper-resistant local clock.

How to generate license keys

There are several approaches to generating license keys, ranging from simple to cryptographically secure.

The naive approach (don't do this)

The simplest method is generating random strings and storing them in a database. When a user enters a key, you look it up. If it exists, valid. If not, invalid.

This works but has problems. Your software must be online to validate. Your database becomes a single point of failure. And if someone gets access to your key database, every key is compromised.

Checksum-based keys

A step up: generate keys using an algorithm that includes a checksum. Your software can verify the key format is valid without contacting a server; it just checks the math. This is how many older software products worked, including early Windows versions.

The problem is that once someone reverse-engineers your algorithm, they can generate unlimited valid keys. This is exactly what "keygens" (key generators) do for pirated software. Checksum-based keys are security through obscurity, and obscurity eventually fails.

Cryptographic signing (the right approach)

The modern approach is asymmetric cryptography. You have a private key (kept secret on your server) and a public key (embedded in your software). When generating a license key:

  1. Create a data payload containing license details (customer ID, expiration, features, device limit)
  2. Sign this payload with your private key
  3. Encode the signature and payload into a string the customer can enter

When validating:

  1. Your software extracts the payload and signature from the license key
  2. It verifies the signature using the embedded public key
  3. If the signature is valid, the license data hasn't been tampered with

This approach is secure because the private key never leaves your server. Even if someone decompiles your software and finds the public key, they can't forge new keys because they don't have the private key used for signing.

Using a licensing service

In practice, most developers don't implement key generation from scratch. A licensing service like LicenseSeat handles the cryptography, key generation, and distribution automatically. When a customer purchases through your payment provider (Stripe, Gumroad, Paddle, etc.), the service generates a signed key and delivers it by email. Your app validates it using a drop-in SDK.

This is the fastest path. You get production-grade key generation without writing or maintaining the infrastructure yourself.

License key validation

Validation is what happens every time your software needs to confirm a license is legitimate. There are two main approaches.

Online validation

Your software sends the key to your license server, which checks its database and returns a response: valid or invalid, along with metadata like expiration dates and feature entitlements.

When to use it: When your software requires internet access anyway (cloud-connected apps, SaaS tools), or when you need real-time control over license status (instant revocation, up-to-date entitlements).

Trade-off: Your software doesn't work if the license server is down or the user is offline. Most systems handle this with grace periods; if the server can't be reached, the software continues working for a set period (24 hours, 7 days) before requiring a successful check.

Offline validation

Your software validates the license key locally using the public key embedded in the application. It verifies the cryptographic signature, checks the expiration date, and confirms the hardware fingerprint matches.

When to use it: Desktop apps, games, plugins, and any software that should work without internet. LicenseSeat uses Ed25519-signed license files for this; customers activate once online, then a signed license file is stored locally for future validations.

Trade-off: You can't instantly revoke a license or change entitlements without a server check. But you can require periodic online revalidation (say, once a month) to balance offline convenience with server-side control.

Hybrid validation

The best approach for most software is a hybrid: validate online when possible, fall back to offline validation when not. This gives you the control benefits of online validation with the reliability of offline support.

License key activation

Activation is the step where a license key gets tied to a specific user, device, or account. It's what prevents a single key from being shared indefinitely.

How activation works

  1. The customer enters their license key in your software
  2. Your app collects a hardware fingerprint (a hash of machine-specific identifiers)
  3. Both the key and the fingerprint are sent to your license server
  4. The server checks if the key is valid and how many activations it has left
  5. If there's room, the server records the activation and returns success
  6. Your app stores proof of activation locally

Managing activation limits

Most developers allow 2-3 activations per key. This accommodates customers who have a desktop at home and a laptop at work, without opening the door to unlimited sharing.

When a customer hits their activation limit, they need to deactivate one device before activating another. A good licensing system provides a self-service portal where customers can manage their own activations, rather than contacting your support team every time they get a new computer.

LicenseSeat includes a whitelabeled customer portal for exactly this. Customers can see their active devices, deactivate old ones, and transfer licenses, all without a support ticket.

Activation for different license models

  • Perpetual licenses: Activate once, use forever. The activation is permanent unless the customer deactivates manually.
  • Subscription licenses: Activation is tied to an active subscription. If the subscription lapses, the activation expires after a grace period.
  • Floating licenses: Activation is temporary. A "heartbeat" system checks in periodically, and if a user stops sending heartbeats (they closed the app), their seat is released for someone else.
  • Node-locked licenses: Activation is permanently tied to specific hardware. The license only works on machines with matching fingerprints.

License key management

Once you have more than a handful of customers, you need a system to manage your license keys at scale. License key management covers everything from key generation and delivery to tracking activations, handling transfers, and revoking compromised keys.

What good license key management looks like

Automated generation and delivery. Keys should be created and sent to customers automatically when a purchase happens. No manual work, no delays. Connect your payment provider (Stripe, Gumroad, Paddle) to your licensing system and let the automation handle it.

Searchable key database. When a customer contacts support, you need to find their license instantly. Search by key, email, customer name, or product. LicenseSeat lets you search across your entire account in seconds.

Activation tracking. Know which devices are activated for each key. See when activations happened, where they're located, and whether anything looks suspicious (like a single key suddenly activating on 50 different machines in 50 different countries).

Self-service portal. Let customers handle routine tasks themselves: recover lost keys, deactivate old devices, transfer to new hardware. This is the single biggest thing you can do to reduce support volume.

Revocation. If a key gets posted publicly or a customer charges back, you need to revoke it immediately. Your licensing system should let you revoke individual keys or entire customer accounts with a click.

Analytics. Understand your licensing data: how many active licenses, activation trends over time, geographic distribution, device breakdowns. This data informs your product and business decisions.

The cost of not managing keys

Without proper license management, things go sideways quickly. Keys get shared on forums. Customers can't recover lost keys and demand refunds. Support tickets pile up from people who changed computers. You have no idea how many people are actually using your software versus how many paid.

A license key management system pays for itself by protecting your revenue and eliminating the support burden. The time you'd spend manually handling keys, answering support emails, and chasing down piracy is time you're not spending on building your product.

Protecting your software with license keys

License keys are a practical middle ground between no protection (anyone can use your software) and heavy-handed DRM (customers hate your software). The goal isn't to make piracy impossible; it's to make paying easier than pirating.

What license keys protect against

Casual sharing. Without any protection, someone can email your installer and license key to everyone they know. Hardware-locked keys prevent this by tying each key to specific devices.

Key generators. Cryptographically signed keys can't be forged without your private key. This eliminates the keygen problem that plagued checksum-based systems.

Expired access. For trials and subscriptions, keys enforce time limits so users can't continue using software they haven't paid for.

Exceeding license terms. If a customer bought a single-user license but installed it on 20 machines, activation limits catch this automatically.

What license keys don't protect against

Determined crackers. Someone with enough skill and motivation can patch your binary to skip the license check entirely. No client-side protection is unbreakable.

Memory patching. Advanced tools can modify your running process to bypass checks in memory without altering the binary on disk.

The good news: these attacks require significant technical skill and effort. Most people won't bother. The vast majority of piracy is casual, and license keys stop casual piracy effectively. Focus on making legitimate use easy and pleasant, rather than trying to make piracy impossible.

Implementing license keys with LicenseSeat

LicenseSeat handles the entire license key lifecycle for your software:

Key generation. Cryptographically signed keys generated automatically when customers purchase through your connected payment provider. Ed25519 signatures, tamper-proof, offline-capable.

Drop-in SDKs. Native SDKs for Unity, Unreal Engine, C#, C++, Swift, JavaScript, and more. Add license key validation to your app with a few lines of code.

Hardware fingerprinting. Tie keys to specific devices with configurable activation limits. Prevent sharing without punishing customers who use multiple machines.

Offline validation. Ed25519-signed license files for air-gapped environments. Your software validates locally after initial activation.

Customer portal. A whitelabeled self-service portal where customers recover keys, manage activations, and transfer licenses. Cuts your support load dramatically.

Analytics. Activation trends, geographic distribution, device breakdowns, usage patterns. Understand how your software is being used.

Setup takes about 15 minutes. No revenue share. You focus on building great software while LicenseSeat handles the key infrastructure.

Common questions about license keys

What's the difference between a license key and a license?

A license is the legal right to use software. A license key is the technical mechanism that enforces that right. The license defines what you're allowed to do; the key proves you're allowed to do it. You can have a license without a key (some software uses account-based licensing), but you can't have a meaningful key without an underlying license.

How long should a license key be?

It depends on what information is encoded. Simple lookup keys can be short (16-25 characters). Cryptographically signed keys are longer because they include the signature data, sometimes 100+ characters. For signed keys, you typically display them as a longer string that gets copy-pasted rather than typed manually.

Can license keys be hacked?

Simple checksum-based keys can be reverse-engineered. Cryptographically signed keys cannot be forged without the private key, which stays on your server. The signature can be stripped out by modifying the application binary, but that's a different attack (binary patching) and is much harder.

Should I validate license keys online or offline?

Both, if possible. Use online validation when the user has internet access for real-time control. Fall back to offline validation using signed license files when they don't. This gives you the best of both worlds.

How do I deliver license keys to customers?

Automatically by email at the time of purchase. Connect your payment provider (Stripe, Gumroad, Paddle) to your licensing service, and keys are generated and emailed without any manual intervention.

What happens when a customer loses their license key?

If you're using a licensing service like LicenseSeat, customers can recover their key through a self-service portal by entering their purchase email. Without a licensing service, you'll be answering support emails manually every time someone loses their key, which happens more often than you'd think.

The bottom line

License keys are the standard way to protect and monetize commercial software. The technology is mature, the patterns are well-established, and the tooling exists to implement them without building everything from scratch.

For most developers, the right approach is: use cryptographically signed keys, validate online with offline fallback, lock to hardware with reasonable device limits, and automate everything through a licensing service.

If you're ready to add license keys to your software, LicenseSeat handles the entire workflow. Signed keys, hardware fingerprinting, offline support, customer self-service, and payment integration. Set up in 15 minutes, protect your revenue, and get back to building your product.

For a broader view of licensing options, see our complete guide to software licensing. For details on managing licenses at scale, check out our guide to software license management.