SDKey

SDKey

Edge-native license control for your apps

Validate keys on Cloudflare’s edge with HWID lock, sealed sessions, Private account mode, and a tooling API — without running your own license servers.

Built on Cloudflare for uptime and speed

SDKey runs on Cloudflare’s high-performance edge network — so license validation is close to your users instead of a single origin you have to keep online. Your app servers stay out of the critical path; clients authenticate and validate at the edge.

That footprint matters when a game client, desktop tool, or CI job needs a yes/no answer in the same region it is running. You ship the binary; the network absorbs the auth load worldwide.

Hot validates hit a worldwide cache first — cached reads aim for sub-10ms — with durable storage behind every miss.

Uptime rides a global network footprint: no license VM, reverse proxy, or regional failover stack for you to operate.

Cache stays coherent after create, revoke, or bind so HWID lock and status changes show up where clients validate.

Sealed session protocol

Clients do not send bare license keys over the wire. First they open a short-lived session, verify the server’s Ed25519 identity, derive a shared AES key, then seal the validate payload — and they must verify the sealed response signature before trusting any success.

The same byte layouts apply in TypeScript, Python, and native clients: canonical JSON, fixed crypto order, and clock-skew rejection. Skipping verify defeats anti-spoof protection; honest clients never honor success before the signature check.

POST /api/v1/session/init — exchange nonces; verify Ed25519 over canonical JSON (appId, session id, salt, nonces, timestamp); derive a 32-byte AES session key with HKDF-SHA256.

POST /api/v1/licenses/validate — AES-256-GCM seal of licenseKey, hwid, nonce, and timestamp; outer envelope carries IV, ciphertext, and tag.

Client order is mandatory: open the envelope, Ed25519-verify the plaintext with the embedded app public key, check ±60s clock skew and session id match — only then honor success. First success locks HWID; later mismatches return HWID_MISMATCH.

Private account mode respects your inventory

Prefer that plaintext license keys never sit in our database? Switch to Private mode. Keys are minted in your browser, then registered blind — the server stores hashes and a short prefix only. Optional vault notes stay encrypted under a passphrase that never leaves the client.

That threat model is intentional: Private mode hardens developer inventory at rest (database dumps, stolen API-key hashes, encrypted notes). It does not claim to stop a compromised client or a patched binary that skips verify.

Private creates send hashes only — no plaintext licenses in our database, cache, or server logs for those keys.

Vault unlock is browser-local; we keep salt and a check blob, not your passphrase.

Default mode remains available when you want server-minted keys shown once. Switch modes in Settings with password re-auth; existing Private licenses stay hash-only.

Tooling API for scripts and CI

Automate license inventory with Bearer developer API keys — the same account power as the dashboard, without sharing a browser session. Built for indie and studio teams shipping desktop, game, or tooling binaries that need keys, HWID binding, and scriptable create/list/revoke flows.

Mint keys in a release pipeline, revoke a leaked key from a bot, or sync inventory into your store — all over HTTPS with a token that never needs a cookie jar.

Issue sdk_live_… tokens; they are hashed at rest and never stored in plaintext.

Call the API with Authorization: Bearer — dashboard sessions stay cookie-auth and separate.

Wire CI and release scripts to mint, list, and manage licenses without standing up your own auth service.

Client examples on GitHub

Drop-in SDKs and samples for the sealed session + validate path live under SDKeyDev— start from a language you already ship, then wire HWID lock into your binary.

Each client follows the same protocol document: embed the app public key, open a session, seal validate, verify before trust — across scripting, systems, and native desktop or game stacks.

TypeScript — reference client for Node and browser-adjacent tooling.

Python — scripts, bots, and server-side license checks.

PHP — web backends and server-side validation.

Go and Rust — systems and service clients.

C++ and C# — native desktop and game-client samples.

Browse all SDKeyDev repositories →

Start integrating

Follow license control for session init and sealed validate, API keys for Private mode and CI automation, clone an example from SDKeyDev, or use the full reference when you want every endpoint. The dashboard is ready when you are — register an app, mint a key, and hit the edge.