If you sell desktop or self-hosted software, you need answers to the same questions: How do paying customers unlock features? How do you revoke access when subscriptions lapse? How do you slow down casual piracy without treating every user like a criminal?
This guide walks through the moving parts—keys, servers, fingerprints, and policy—so you can design something proportionate to your product.
1. License Keys: Format and Generation
Keys are not magic—they are signed or encoded payloads. Common approaches:
- Random + database lookup — Store each key in your backend; fast to revoke, requires network for validation.
- Offline-capable signed tokens — Embed expiry and tier in the key, verify with a public key in the app (good for air-gapped installs).
- Hybrid — Short-lived activation after first online check, then cached credentials.
Whatever you choose, never embed private signing material in distributed binaries.
2. The Activation Server
Your server is the source of truth for: who owns what, how many seats are in use, and whether a subscription is current.
| Endpoint responsibility | Why it matters |
|---|---|
| Issue / refresh tokens | Maps Stripe (or other) payments to entitlements |
| Heartbeat / check-in | Optional telemetry; detect obvious key sharing |
| Revocation | Chargebacks, refunds, policy violations |
Rate-limit activation endpoints and log anomalies (same key, many IPs in minutes). That data exists to help support and fraud review, not to “phone home” for its own sake.
3. Hardware Fingerprinting (Carefully)
Fingerprinting ties a license to a machine. Typical signals include disk serial, board UUID, and stable OS identifiers. Combine a few hashed inputs, never write raw hardware details to logs, and allow a small number of controlled reactivations so paying users aren’t punished when they replace a drive.
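One way to apply this, as an added example that is not code from this guide or from any particular licensing product: each signal is stored only as a keyed hash, one changed component is tolerated, and larger changes draw on a limited reactivation budget. The key, the thresholds, the class and status names, and the sample serials are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Hypothetical values: a per-product HMAC key and the reactivation policy.
PRODUCT_KEY = b"constructed-demo-key"
MAX_REACTIVATIONS = 2
MIN_MATCHING = 2  # of 3 signals, so one replaced part is tolerated


def fingerprint(signals: dict) -> dict:
    """Keyed hash per signal, so raw serials are never stored or logged."""
    return {
        name: hmac.new(PRODUCT_KEY, f"{name}={value}".encode(),
                       hashlib.sha256).hexdigest()
        for name, value in signals.items()
    }


def log_id(digests: dict) -> str:
    """Short, non-reversible identifier that is safe to write to logs."""
    joined = "|".join(f"{k}:{digests[k]}" for k in sorted(digests))
    return hashlib.sha256(joined.encode()).hexdigest()[:12]


class Activation:
    def __init__(self, signals: dict):
        self.bound = fingerprint(signals)
        self.reactivations_left = MAX_REACTIVATIONS

    def check(self, signals: dict) -> str:
        seen = fingerprint(signals)
        matches = sum(
            hmac.compare_digest(self.bound.get(name, ""), digest)
            for name, digest in seen.items()
        )
        if matches == len(self.bound):
            return "ok"
        if matches >= MIN_MATCHING:
            # Tolerate the change but keep the original binding, so a license
            # cannot migrate to another machine one component at a time.
            return "ok-drift"
        if self.reactivations_left > 0:
            self.reactivations_left -= 1
            self.bound = seen  # controlled reactivation: rebind to the new machine
            return "reactivated"
        return "denied"
```

A `denied` result is the point to route the user to device deactivation or support rather than a silent failure.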
Privacy and UX
Document what you collect, why activation needs it, and how users can deactivate old devices. Transparency reduces chargebacks and support tickets.
4. Piracy: Realistic Goals
You cannot stop determined reverse engineers. You can raise the cost of mass redistribution: online verification for updates, server-side features, and tamper detection in critical paths. Align effort with revenue—indie tools rarely need kernel drivers or aggressive DRM.
5. When to Buy vs Build
Building from scratch makes sense if licensing is your core competency or you have unusual compliance needs. For most product teams, a maintained stack—self-hosted or integrated with Admin Pro—gets you Stripe webhooks, customer portal links, and audit trails without reinventing operations.
For a deeper build-vs-SaaS breakdown, see Keygen.sh vs building your own.