LicenseSeat

What is a software licensing API?

A software licensing API lets your application validate licenses, activate devices, and manage entitlements through simple HTTP calls. Here's how these APIs work, what to look for, and how to integrate one.

What is a software licensing API?

A software licensing API is a web service that lets your application verify licenses, manage device activations, and control feature access through HTTP requests. Instead of building license validation logic from scratch, your software calls an API that handles the heavy lifting.

When a customer enters their license key into your app, your code makes an API call. The server checks whether the key is valid, records the activation, and returns the result. Your app reads the response and either unlocks or stays locked. That's the core loop.

For developers selling desktop apps, games, plugins, or any software that needs license protection, a licensing API is the infrastructure layer that makes software licensing work. It's the server-side brain behind every key validation, every device fingerprint check, and every entitlement lookup.

How a software licensing API works

A licensing API exposes a set of HTTP endpoints that your application calls at specific moments in the user journey. The API follows standard REST conventions; you send JSON requests and get JSON responses back.

Here are the core operations that every licensing API needs to support.

License validation

Validation is the most frequent API call your software will make. It checks whether a license key is legitimate and returns the current status.

POST /products/{slug}/licenses/{key}/validate

Your app sends the license key (and optionally a device fingerprint), and the server responds with whether the license is valid, what plan it belongs to, how many seats are active, and what entitlements the customer has access to. This call typically happens on app launch and periodically in the background.

A good validation response gives you everything you need to make access decisions in a single call: license status, active seat count, feature entitlements, and expiration dates. You shouldn't need multiple round-trips to figure out what the customer is allowed to do.

License activation

Activation ties a license key to a specific device. It's what prevents a single key from being shared with hundreds of people.

POST /products/{slug}/licenses/{key}/activate

Your app sends the license key along with a device fingerprint and an optional device name. The server checks whether the key has available activation slots, records the device, and returns the activation details. From this point on, the server knows this key is running on this specific machine.

Good APIs make activation idempotent; if a device is already activated, calling activate again just returns the existing activation instead of throwing an error. This prevents edge cases where a customer restarts your app and triggers duplicate activation attempts.

License deactivation

Deactivation releases a seat so the customer can move their license to a different device.

POST /products/{slug}/licenses/{key}/deactivate

This is essential for node-locked licenses where each key has a limited number of device slots. Without a deactivation endpoint, every customer who buys a new computer becomes a support ticket. With it, they can transfer their license themselves.

Offline licensing

Not every environment has reliable internet access. Some customers work in air-gapped facilities, behind strict firewalls, or in remote locations. A licensing API needs to support these use cases.

The preferred offline approach is to request a device-bound machine file while the app has connectivity:

POST /products/{slug}/licenses/{key}/machine-file

The server generates an encrypted machine file containing the license details, entitlements, and expiry information, then signs it with a private key. Your app stores this file locally. On subsequent launches without internet, the SDK verifies the signature, decrypts the payload locally, and checks that the current device fingerprint matches the one the file was issued for. If everything checks out, the license is valid. No server contact needed.

For legacy compatibility, the API also supports signed offline tokens:

POST /products/{slug}/licenses/{key}/offline_token

Offline tokens remain available for older integrations, but machine files are the preferred design because they are signed, encrypted, activation-bound, and cryptographically tied to a specific fingerprint.

This is how LicenseSeat handles offline licensing. Ed25519 signatures are fast, produce compact proofs, and provide 128-bit security against classical cryptographic attacks. The signed payload can't be tampered with; if someone modifies any detail (expiration, entitlements, device binding), the signature breaks.

API authentication and security

Licensing APIs use API keys for authentication. There are typically two types:

Publishable keys (like pk_live_xxxxxxxx) are safe to embed in client-side applications. They can validate licenses, manage activations, and fetch offline machine files. They can also fetch legacy offline tokens when needed for backwards compatibility, but they can't create or delete licenses. This is the key your shipped software uses.

Secret keys (like sk_live_xxxxxxxx) have full administrative access; creating licenses, revoking keys, updating entitlements. These stay on your server and are never shipped with your application.

Authentication is straightforward. You include the API key in the request header:

Authorization: Bearer pk_live_xxxxxxxx

Rate limiting

Any public-facing API needs rate limiting to prevent abuse. A well-designed licensing API provides tiered limits based on your plan and returns standard rate limit headers (X-RateLimit-Remaining, X-RateLimit-Reset) so your app can handle throttling gracefully.

For most software, the rate limits are more than sufficient. License validation doesn't need to happen every second; once on launch and then periodically (hourly is typical) is enough.

Error handling

A licensing API should return structured, machine-readable error codes alongside human-readable messages. When your app gets back seat_limit_exceeded, it knows exactly what happened and can show the customer a helpful message. When it gets license_expired, it can prompt for renewal.

Common error codes you'll work with:

  • license_not_found -- the key doesn't exist
  • license_expired -- the license has passed its expiration date
  • license_revoked -- you've manually revoked this key
  • seat_limit_exceeded -- all activation slots are in use
  • device_not_activated -- trying to validate on an unactivated device
  • rate_limited -- too many requests, slow down

The difference between a frustrating integration and a smooth one often comes down to error handling quality. Vague errors like "request failed" make debugging miserable. Specific error codes with contextual details make it manageable.

SDKs vs raw API calls

You can integrate a licensing API by making HTTP requests directly, but that means writing boilerplate for every platform: HTTP clients, JSON parsing, error handling, retry logic, caching, machine-file or offline-token verification, device fingerprinting. It adds up fast.

This is where SDKs come in. A good licensing service provides native SDKs for the platforms developers actually use, so you can add licensing with a few lines of code instead of a few hundred.

For example, validating a license with a raw API call means setting up an HTTP client, constructing the request, parsing the response, handling errors, and caching the result. With an SDK, it looks more like:

JavaScript:

import LicenseSeat from '@licenseseat/js';
const sdk = new LicenseSeat({ apiKey: 'your-api-key' });
await sdk.activate('XXXX-XXXX-XXXX-XXXX');
if (sdk.hasEntitlement('pro')) { enableProFeatures(); }

C#:

using LicenseSeat;
var client = new LicenseSeatClient(new LicenseSeatClientOptions {
    ApiKey = "your-api-key"
});
await client.ActivateAsync("XXXX-XXXX-XXXX-XXXX");
if (client.HasEntitlement("pro")) { EnableProFeatures(); }

Swift:

import LicenseSeat
LicenseSeat.configure(apiKey: "your-api-key")
try await LicenseSeat.activate("XXXX-XXXX-XXXX-XXXX")
if LicenseSeat.shared.hasEntitlement("pro") { enableProFeatures() }

C++:

#include <licenseseat/licenseseat.hpp>
licenseseat::Config config;
config.api_key = "your-api-key";
licenseseat::Client client(config);
auto result = client.activate("XXXX-XXXX-XXXX-XXXX");
if (client.has_entitlement("pro")) { enable_pro_features(); }

Beyond saving code, SDKs handle things that are genuinely hard to get right: Ed25519 signature verification, machine-file decryption, platform-specific device fingerprinting (IOKit UUIDs on macOS, registry GUIDs on Windows, machine-id on Linux), automatic retry with exponential backoff, background re-validation, and clock tamper detection for offline artifacts.

The SDK vs raw API question has a clear answer for most developers: use the SDK when one exists for your platform, fall back to raw API calls when it doesn't.

What to look for in a software licensing API

Not all licensing APIs are equal. Here's what matters when evaluating your options.

Multi-platform SDK support

If you're building a desktop app, you need native SDKs for the platforms you ship on. A licensing API with only a REST endpoint and no SDKs means you're implementing device fingerprinting, offline verification, and caching yourself on every platform. That's weeks of work per platform.

Look for SDKs that cover your target platforms natively. If you're building a game, you want Unity or Unreal Engine integration. If you're building an audio plugin, you want JUCE support. If you're building a macOS app, you want a Swift SDK with SwiftUI property wrappers. Generic REST isn't enough.

Offline support

If your software can run without internet (and most desktop software should), your licensing API needs to support offline validation. The strongest modern approach is a cryptographically signed offline artifact that your app can verify locally, ideally with encryption and explicit device binding on top of signatures alone.

The implementation matters here. Ed25519 is the current standard for signing; it's fast, the signatures are compact, and it's approved in FIPS 186-5. The offline artifact should include the full license state (entitlements, expiration, device binding) so your app can make all access decisions locally. Newer designs go one step further and encrypt the artifact for the target fingerprint, which is what LicenseSeat machine files do.

Entitlements

Basic licensing APIs give you a binary answer: valid or invalid. Better APIs give you entitlements; a list of features or capabilities that the license grants access to, each with its own expiration date.

Entitlements let you implement tiered pricing (free, pro, enterprise), feature flags tied to license plans, time-limited beta access, and add-on purchases. All without changing your API integration. Your code just checks hasEntitlement('feature-key') and the server decides what each customer gets based on their plan.

Hardware fingerprinting

For node-locked licensing, the API (or SDK) needs to generate reliable hardware fingerprints. In practice, good systems either use a strong stable primary identifier or a carefully chosen set of platform-specific signals. The important part is not “more signals at all costs”; it’s having a predictable device identity, explicit activation tracking, and a clean reactivation story when hardware changes.

This is one of those things that's deceptively hard to implement well. Each operating system exposes different hardware identifiers through different APIs. A good SDK abstracts this away completely.

Event system

Modern SDKs should provide an event system so your application can react to license state changes. Events like activation:success, validation:failed, network:offline, and machineFile:verified (or offlineToken:verified on older SDKs) let you build responsive UIs and handle edge cases cleanly.

This is especially important for desktop apps with long-running sessions. If a subscription license expires while the app is open, your event handler can show a renewal prompt instead of abruptly locking the user out.

Build vs buy

You can build a licensing API yourself. The question is whether you should.

What building yourself involves

A minimal licensing server needs: a database to store licenses and activations, API endpoints for validation/activation/deactivation, authentication and rate limiting, a key generation system, and HTTPS everywhere. This gets you basic online licensing.

If you also need offline support, add Ed25519 key management, offline-artifact issuance, local verification, and eventually encrypted machine-file style flows if you want tighter device binding. If you need hardware fingerprinting, add platform-specific device identification code for every OS you support. If you need a customer portal, add a self-service web interface. If you need payment integration, add webhook handlers for Stripe, Gumroad, or whichever provider you use.

Then you maintain all of it forever. Security patches, uptime monitoring, database backups, API versioning, SDK updates across every platform.

When building makes sense

If licensing is your core business (you're building a licensing platform), building makes obvious sense. If you have extremely custom requirements that no existing service supports, building might be necessary. If you're a large organization with a dedicated infrastructure team and want full control, building is reasonable.

When buying makes sense

For most developers, especially indie developers, small studios, and plugin creators, buying a licensing service is the rational choice. The cost of a managed solution is trivial compared to the engineering time you'd spend building and maintaining one. And the licensing service will be more battle-tested, more secure, and more reliable than a custom solution built as a side project to your actual product.

The revenue you're protecting by having proper licensing far exceeds the cost of the service that provides it.

Implementing a licensing API with LicenseSeat

LicenseSeat provides a complete licensing API with native SDKs, so you can add licensing to your software without building infrastructure.

REST API. A clean, documented API following Stripe-style conventions. Endpoints for validation, activation, deactivation, machine files, signing keys, release management, and legacy offline-token compatibility. Publishable keys for client-side use, standard rate limiting, and structured error responses.

Native SDKs. Official SDKs for JavaScript/TypeScript, Swift, C#, and C++. Each SDK handles license validation, hardware fingerprinting, offline verification, automatic background re-validation, and event-driven state management, while continuing to converge on the same machine-file-first offline model over time.

Platform integrations. Beyond the core SDKs: Unity and Godot packages for game developers, an Unreal Engine plugin with Blueprint support, a JUCE standalone header for VST/AU/AAX audio plugin developers, React hooks for web apps, SwiftUI property wrappers for macOS/iOS apps, and ASP.NET Core dependency injection for server-side .NET.

Offline licensing. Machine files are the preferred offline artifact: encrypted, signed, activation-bound, and fingerprint-bound. Older SDKs may still use signed offline tokens until they migrate. Offline grace periods, local verification, and clock-tamper detection remain part of the model either way.

Entitlements. Feature-flag style access control tied to license plans. Check hasEntitlement('pro') in your code; the server decides what each customer gets based on their plan. Per-feature expiration dates for time-limited access.

Payment integration. Connect Stripe, Gumroad, or LemonSqueezy so licenses are generated and delivered automatically when a purchase happens. No manual key management.

Customer self-service. A whitelabeled portal where your customers manage activations, deactivate old devices, and recover lost keys without contacting your support team.

Setup takes about 15 minutes. No revenue share. You integrate the SDK, configure your license plans, connect your payment provider, and your licensing infrastructure is live.

Common questions about software licensing APIs

What is a software licensing API?

A software licensing API is a web service that your application calls to validate license keys, manage device activations, check entitlements, and handle offline licensing. It's the server-side infrastructure that makes software licensing work without you building the backend yourself.

How does a software license API work?

Your application sends HTTP requests to the API at key moments: on launch (to validate the license), during first setup (to activate the device), and periodically in the background (to refresh the license state). The API responds with JSON containing the license status, entitlements, and any relevant metadata. SDKs wrap these HTTP calls so you don't deal with the raw requests.

Do I need an SDK, or can I use the API directly?

You can use any licensing API directly with HTTP requests. But SDKs save significant work by handling device fingerprinting, machine-file or offline-token verification, caching, retry logic, and platform-specific details. For most developers, the SDK is the right choice.

Can a licensing API work offline?

Yes, through cryptographically signed offline artifacts. The preferred flow is to fetch an encrypted machine file from the API while the app is online. For legacy compatibility, you can also fetch a signed offline token. In both cases, the SDK verifies the proof locally; machine files add encryption and tighter device binding on top of signatures alone. If the proof is valid and still within its validity window, the license is honored without any server contact.

What's the difference between a licensing API and a licensing SDK?

The API is the server-side service; the HTTP endpoints your software communicates with. The SDK is a client-side library that wraps the API calls and adds platform-specific functionality like hardware fingerprinting, offline verification, and caching. The SDK talks to the API; they're complementary, not alternatives.

How do entitlements work in a licensing API?

Entitlements are feature flags attached to a license. When you validate a license, the API returns a list of entitlements (like pro, beta-access, export-pdf) along with their expiration dates. Your code checks these entitlements to decide which features to enable. This lets you implement tiered pricing and feature gating without changing your API integration.

Is a software licensing API secure enough for commercial software?

Yes, when implemented correctly. Modern licensing APIs use Ed25519 cryptographic signatures (which can't be forged without the private key), hardware fingerprinting (which ties licenses to specific devices), and publishable/secret key separation (so your shipped application can't be used to create or revoke licenses). No client-side protection is unbreakable, but a well-designed licensing API makes casual piracy impractical.

The bottom line

A software licensing API is the backend infrastructure that powers your license key validation, device activation, and entitlement management. It's what turns a static license key into a dynamic, enforceable credential.

For most developers, the right approach is to use a licensing service with native SDKs rather than building the API yourself. The integration is faster, the security is stronger, and you avoid maintaining licensing infrastructure alongside your actual product.

If you're looking for a licensing API for your software, LicenseSeat provides the complete stack: REST API, native SDKs for JavaScript, Swift, C#, and C++, platform integrations for Unity, Unreal, Godot, and JUCE, plus offline support, entitlements, and payment integration. Set up in 15 minutes, no revenue share. Focus on building your software while LicenseSeat handles the licensing infrastructure.

For a broader overview of licensing options, see our complete guide to software licensing. To learn about license keys and how they relate to the API, see our guide to license keys. For details on the activation process, check out software activation. For managing licenses at scale, see software license management.