License Key API

All license key endpoints use POST. The key string and parameters are always sent as a JSON body — never in the URL or query string.

Check whether a license key is valid and optionally bind or verify a hardware ID. On first call with an HWID the key is permanently bound to that device. Subsequent calls with the same HWID succeed; calls with a different HWID fail.

{
  "key": "GLD-ABCD-EF23-GH45-JK67",
  "hwid": "your-machine-id"
}

{
  "valid": true,
  "status": "ACTIVE",
  "reason": null,
  "key": "GLD-ABCD-EF23-GH45-JK67",
  "activationCount": 1,
  "maxActivations": null,
  "hwid": "your-machine-id",
  "hwidResetCount": 0,
  "expiresAt": null,
  "product": {
    "name": "My Software",
    "slug": "my-software",
    "image": null
  }
}

{
  "valid": false,
  "status": "REVOKED",
  "reason": "Key has been revoked",
  "key": "GLD-ABCD-EF23-GH45-JK67"
}

{ "valid": false, "error": "License key not found" }

• Always returns HTTP 200 for found keys — check the valid field in your code.
• If hwid is omitted or empty, hardware binding is skipped without error.
• Subscription-linked keys also verify the membership is still active.
• If the key's expiry date has passed, status is automatically updated to EXPIRED.

Generate a new key string for the buyer. This is a full reset: the old key string becomes invalid, the hardware binding is cleared, and activation counts reset to zero. Useful when a buyer suspects their key has been leaked.

{ "key": "GLD-ABCD-EF23-GH45-JK67" }

{ "key": "GLD-ZYXW-VUTS-RQPO-NMLK" }

{ "error": "Unauthorized" }                                          // 401
{ "error": "Key regeneration is disabled for this product. Contact the seller." } // 403
{ "error": "Forbidden" }                                             // 403
{ "error": "License key not found" }                                 // 404

• The old key string is immediately invalidated — update your stored key after this call.
• Complete reset: HWID, activation count, and reset count all go back to zero.
• Sellers can disable shuffle per-product in License Key app settings (allowBuyerShuffle).
• Only the buyer who owns the key can shuffle it.

Clear the hardware ID binding so the key can be activated on a new device. The key string stays the same. Use this when a buyer switches machines and their key is locked to the old hardware.

{ "key": "GLD-ABCD-EF23-GH45-JK67" }

{ "success": true }

{ "error": "Unauthorized" }                                                     // 401
{ "error": "Device reset is disabled for this product. Contact the seller." }  // 403
{ "error": "Forbidden" }                                                        // 403
{ "error": "License key not found" }                                            // 404

• Only clears the hwid field — key string, activation count, and expiry are unchanged.
• After resetting, the next POST /validate with a new HWID will re-bind the key.
• Sellers can disable buyer resets per-product (allowBuyerReset).
• Each reset increments hwidResetCount on the key.

Fetch the activity log for a specific license key in reverse-chronological order. Intended for seller dashboards — available under License Keys → Activity.

[
  {
    "id": "evt_abc123",
    "type": "VALIDATED",
    "createdAt": "2026-04-14T10:30:00.000Z",
    "hwid": "device-hwid",
    "ip": "1.2.3.4",
    "userAgent": "MyApp/2.0 Windows"
  },
  {
    "id": "evt_def456",
    "type": "HWID_RESET",
    "createdAt": "2026-04-13T08:00:00.000Z",
    "hwid": null,
    "ip": "1.2.3.4",
    "userAgent": null
  }
]

{ "error": "Unauthorized" }  // 401
{ "error": "Forbidden" }     // 403
{ "error": "Not found" }     // 404

• Event types: VALIDATED, HWID_RESET, SHUFFLED, REVOKED, CREATED.
• ip and userAgent may be null if not captured.
• This endpoint is for seller dashboards, not end-user software.

All errors return JSON with an error or reason field describing what went wrong.

Error messages

HTTP status codes