29 LicenseVault — Secure Software License Management
Trusted by 2,400+ developers worldwide

License Management
Built for the Future

Issue, validate, and protect your software licenses with RSA-signed keys, device fingerprinting, and a developer-first API. All in one secure vault.

Start Free Trial See Features
2.4K+
Developers
18M+
Licenses Issued
99.9%
Uptime SLA
<50ms
API Response
app.licensevault.io/dashboard
🔐
LicenseVault
📊 Dashboard
🔑 Licenses
📦 Products
👥 Customers
🖥️ Activations
⚙️ Settings
Overview
+ New License
Active Licenses
4,821
↑ 12% this month
Activations
12,304
↑ 8% this month
Products
7
2 new this week
License Key Product Expires Status
LV-XXXX-XXXX-XXXX ProSuite Dec 2026 Active
LV-7H1D-2KXZ-P8QN CoreEngine Mar 2026 Trial
LV-3MV9-Q5NL-T7WR Analytics Jan 2025 Expired
LV-8YZ2-R0CF-A4JS ProSuite Jun 2027 Active
Features

Everything you need to
protect your software

From key generation to offline validation — LicenseVault handles the full licensing lifecycle with enterprise-grade security.

🔒
RSA-2048 License Signing
Every license payload is cryptographically signed with RSA-2048 via phpseclib3. Clients verify authenticity using your public key — no server round-trip needed.
🖥️
Device Fingerprinting & Seat Control
Bind licenses to specific hardware fingerprints. Set max activations per license and track every device in real-time.
💻Laptop
🖥️Desktop
🖥️Server
Slot 4
Developer-First REST API
Full lifecycle in four endpoints. Activate, validate, deactivate, and go offline — with JWT + API key auth and <50ms responses.
1POST /api/v1/license/activate
2{
3  "key": "LV-XXXX-XXXX-XXXX",
4  "fingerprint": "sha256:a3f9..."
5}
6→ 200 { "valid": true, "token": "..." }
📡
Offline License Mode
Generate signed .lic tokens for air-gapped environments. Your software stays activated even without internet access.
📄 license.lic
→ Verified locally
✓ Authorized
🎛️
Feature Entitlements
Assign granular feature flags to each license. Unlock Pro features, limit API calls, or gate beta modules per customer.
analytics_module ✓ enabled
api_rate_limit 10,000 / day
white_label ✗ disabled
🛒
Envato Integration
Built-in support for ThemeForest & CodeCanyon purchase code verification and automatic license synchronization.
🟢 ThemeForest
🟣 CodeCanyon
🔵 PHP SDK
🟡 Node.js SDK
📈
Analytics & Insights
Track activations, monitor license health, and view product-level performance metrics from a clean admin dashboard.
How It Works

Up and running
in minutes

No complex setup. Just connect your product, generate keys, and let your customers activate securely.

01
Create Your Product
Register your software product in the dashboard. Define the key format, max activations per license, expiry rules, and feature entitlements.
02
Generate & Assign Keys
Issue RSA-signed license keys individually or in bulk. Link them to customers, set trial periods, and export for distribution — all in one click.
03
Integrate the API
Call our REST API or use the PHP / Node.js SDK inside your app. Activate on first launch, validate on every startup, and handle offline use automatically.
Pricing

Simple, transparent
pricing

Start free. Scale as you grow. No hidden fees, no per-seat chaos.

Starter
$0
Forever free
Perfect for indie developers and open source projects just getting started with licensing.
1 product
100 licenses
500 activations / mo
REST API access
RSA signing
Offline mode
Envato integration
Get Started Free
Most Popular
Pro
$49
per month, billed annually
Everything a growing software business needs to manage and protect licenses at scale.
Unlimited products
10,000 licenses
100K activations / mo
RSA-2048 signing
Offline mode (.lic)
Envato integration
Priority support
Start Pro Trial
Enterprise
Custom
Contact us for a quote
Dedicated infrastructure, SLA guarantees, and white-glove onboarding for large software teams.
Everything in Pro
Unlimited licenses
Custom key formats
On-premise option
99.99% SLA
Dedicated manager
SSO / SAML
Contact Sales
Testimonials

Loved by
developers

Thousands of indie devs and software teams trust LicenseVault to protect their work.

"
★★★★★
LicenseVault cut our piracy rate by over 60% in the first month. The RSA signing and device fingerprinting actually works — unlike every other solution we tried.
AK
Alex Kowalski
Founder, DevToolsPro
"
★★★★★
The Envato integration was a game changer. Our CodeCanyon customers now get licenses instantly on purchase — zero manual work on our end.
SR
Sara Reyes
CTO, Pixelify Labs
"
★★★★★
Setting up the PHP SDK took 20 minutes. The offline mode saved us when a major client needed air-gapped deployment. Absolutely worth every cent.
MN
Mika Nakamura
Lead Engineer, Synapse AI
Documentation

Everything you need to
get started fast

Complete reference for LicenseVault — from quick start to advanced API usage, SDK integration, and security best practices.

⚡ Quick Start

Get LicenseVault up and running in under 10 minutes. Follow these steps to issue your first license and validate it via the API.

Step-by-step Setup
1
Create a Product
Go to Products → New Product. Enter a name, set the key format (e.g. LV-XXXX-XXXX-XXXX-XXXX), maximum activations per license, and expiry rules.
2
Add a Customer
Go to Customers → New Customer. Add the customer's name and email. Customers are linked to licenses for tracking and support.
3
Generate a License Key
Go to Generate, select your product and customer, set the expiry date, and click Generate. A signed license key is created instantly.
4
Get Your API Key
Go to Products → your product → API Keys. Copy the product API key — this is required to authenticate all license API calls for this product.
5
Call the Activate Endpoint
From your software, call POST /api/v1/license/activate with the license key, device fingerprint, and your product API key.
# Activate a license key curl -X POST https://your-domain.com/api/v1/license/activate \ -H "X-API-Key: pk_your_product_api_key" \ -H "Content-Type: application/json" \ -d '{ "license_key": "LV-XXXX-XXXX-XXXX", "fingerprint": "sha256:a3f9b1c2d4e5...", "hostname": "workstation-01" }' # Response { "status": "success", "valid": true, "token": "eyJ0eXAiOiJKV1QiLCJhbGci...", "expires_at": "2027-01-01T00:00:00Z" }
💡 The returned JWT token should be stored locally in your application and sent as Authorization: Bearer <token> on subsequent validate calls to avoid extra server round-trips.
✅ Requirements

LicenseVault is a self-hosted PHP application. Make sure your server meets the following requirements before installation.

Server Requirements

The following software must be installed and available on your server:

PHP 8.1+ MySQL 5.7+ / 8.0 Nginx / Apache Composer 2.x
PHP Extensions

The following PHP extensions must be enabled:

openssl pdo_mysql mbstring json curl gd intl
Installation Steps
# 1. Clone / upload the application files to your server git clone https://github.com/your-org/licensevault.git cd licensevault # 2. Install PHP dependencies composer install --no-dev --optimize-autoloader # 3. Copy environment file and configure cp .env.example .env # Edit .env: set database credentials, base URL, app key # 4. Run database migrations php spark migrate # 5. Seed default admin account php spark db:seed LicenseVaultSeeder # 6. Set folder permissions chmod -R 775 writable/
⚠️ Point your web server's document root to the public/ directory. Never expose the application root directly.
📊 Dashboard Overview

The LicenseVault dashboard gives you a real-time overview of your entire licensing operation from a single screen.

Dashboard Metrics

The main dashboard displays key metrics at a glance:

MetricDescription
Total LicensesTotal number of license keys issued across all products.
Active LicensesLicenses that are currently active and have been activated at least once.
Total ActivationsCumulative count of all device activations across all licenses.
Total ProductsNumber of software products registered in the system.
Total CustomersNumber of customer records linked to at least one license.
Recent ActivityLive feed of the latest API calls, activations, and system events.
Navigation Structure

The left sidebar provides access to all major sections:

DashboardOverview metrics and recent activity log
ProductsManage software products and API keys
LicensesIssue, search, filter and manage license keys
CustomersCustomer directory linked to licenses
ActivationsDetailed log of every device activation
GenerateManually create new license keys
DownloadsSoftware release management
EnvatoEnvato purchase code redemption logs
SettingsSMTP, security, Envato API configuration
📦 Products

Products represent your software applications. Each product has its own key format, activation rules, and API key for license operations.

Creating a Product

Navigate to Products → New Product and fill in the following fields:

FieldDescription
NameDisplay name for your software product (e.g. "DataSync Pro").
SlugURL-safe identifier. Auto-generated from name. Used in API calls.
Key FormatPattern for generated keys. Use X for random chars (e.g. LV-XXXX-XXXX-XXXX).
Max ActivationsMaximum number of devices a single license can be activated on.
Expiry DaysDefault license duration in days. Leave blank for lifetime licenses.
FeaturesJSON object of feature flags/entitlements for all licenses of this product.
Product API Keys

Each product has one or more API keys used to authenticate license API requests. Keys are scoped to a single product — they cannot be used to access other products' licenses.

ℹ️ API keys are prefixed with pk_. Rotate keys immediately if compromised. Old keys are instantly invalidated upon rotation.
🔑 Licenses

Licenses are cryptographically signed keys that authorize a customer to use your software. Each license is tied to a product and optionally a customer.

License Statuses
StatusDescription
activeLicense is valid and can be activated/validated. Default status after generation.
suspendedTemporarily disabled. Validation fails. Can be re-activated by an admin.
revokedPermanently disabled. Cannot be re-activated. Validation always fails.
expiredExpiry date has passed. Validation returns an expired error.
trialTime-limited trial license with restricted features or activations.
License Fields
FieldDescription
license_keyThe unique signed key string delivered to the customer.
product_idThe product this license belongs to.
customer_idOptional — the customer this license is assigned to.
max_activationsMaximum concurrent device activations allowed.
expires_atOptional expiry date. Null means lifetime license.
featuresJSON overrides for product-level feature flags.
notesInternal admin notes. Not visible to customers.
💡 Use bulk generate from the Generate page to issue hundreds of licenses at once for distribution campaigns or reseller batches.
👥 Customers

Customers represent the end-users or organizations that own licenses. Linking licenses to customers enables support lookups, usage tracking, and renewal management.

Customer Fields
FieldDescription
NameFull name or company name of the customer.
EmailPrimary contact email. Used for license delivery and renewal notifications.
CompanyOptional company/organization name.
NotesInternal notes visible only to admins.
LicensesAll licenses linked to this customer, visible from the customer detail page.
Customer Actions

From the customer detail page you can:

View all licenses
See every license assigned to this customer, including status and activation count.
Generate a new license
Issue a new license key directly from the customer profile with one click.
View activation history
See all devices that have activated licenses belonging to this customer.
📡 Activations

Every time a license is activated on a device, an activation record is created. These records contain device fingerprint, hostname, IP, and timestamps.

Activation Record Fields
FieldDescription
fingerprintSHA-256 device fingerprint provided by the client application.
hostnameMachine hostname reported at activation time.
ip_addressIP address of the activating machine.
activated_atTimestamp of the activation event.
last_seen_atTimestamp of the most recent validation from this device.
is_activeWhether this activation slot is currently in use.
Managing Activations

Admins can deactivate individual activation slots from the Activations page. This frees up a slot so the customer can activate on a new device. Useful when a customer replaces a machine.

⚠️ Once max activations are reached, new activation attempts return a max_activations_reached error. Deactivate an existing slot to free space.
⬇️ Downloads & Releases

Manage versioned software releases and control download access. Only customers with an active license can download protected releases.

Creating a Release

Go to Downloads → New Release and fill in:

FieldDescription
ProductWhich product this release belongs to.
VersionSemantic version string (e.g. 2.4.1).
Release NotesChangelog or description of what's new in this version.
File / URLUpload the binary or point to an external download URL.
VisibilityPublic (anyone can see) or Private (requires active license).
Minimum License TypeOnly licenses of this type or higher can download the release.
ℹ️ The Auto Update API endpoint (/api/v1/license/latest-release) allows your app to check for updates automatically using the customer's license key.
⚡ API Overview

LicenseVault provides a RESTful JSON API for all license operations. All endpoints require an X-API-Key header with your product API key.

Base URL & Authentication
# Base URL https://your-domain.com/api/v1 # Authentication header (required on all requests) X-API-Key: pk_your_product_api_key # Content type Content-Type: application/json
Available Endpoints
MethodEndpointDescription
POST/license/activateActivate a license on a device
POST/license/validateValidate a license or JWT token
POST/license/deactivateRemove a device activation slot
POST/license/offline-tokenGenerate a signed offline token
GET/license/public-keyRetrieve the RSA public key
Error Response Format
{ "status": "error", "error": "license_not_found", // machine-readable code "message": "The provided license key was not found." }

Common error codes:

license_not_found license_expired license_suspended license_revoked max_activations_reached invalid_api_key activation_not_found
🔓 Activate License

Activates a license key on a specific device. On success, returns a signed JWT token for subsequent validate calls.

POST /api/v1/license/activate

Request body parameters:

ParameterTypeRequiredDescription
license_keystringRequiredThe license key to activate (e.g. LV-XXXX-XXXX-XXXX).
fingerprintstringRequiredUnique device identifier (SHA-256 hash recommended).
hostnamestringOptionalMachine hostname for activation records.
metadataobjectOptionalAdditional JSON metadata stored with the activation.
// Request POST /api/v1/license/activate X-API-Key: pk_your_product_api_key { "license_key": "LV-XXXX-XXXX-XXXX", "fingerprint": "sha256:a3f9b1c2d4e5f67890abcdef", "hostname": "dev-workstation-01" } // Success Response (200) { "status": "success", "valid": true, "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...", "license": { "key": "LV-XXXX-XXXX-XXXX", "product": "DataSync Pro", "expires_at": "2027-01-01T00:00:00Z", "features": { "analytics": true, "export": true } } }
✅ Validate License

Validates an active license or JWT token. Call this on every application startup to ensure the license is still valid.

POST /api/v1/license/validate
ParameterTypeRequiredDescription
license_keystringRequired*License key to validate. Required if token not provided.
tokenstringRequired*JWT token from a previous activation. Required if license_key not provided.
fingerprintstringOptionalDevice fingerprint to verify the token was issued for this machine.
// Validate by license key { "license_key": "LV-XXXX-XXXX-XXXX", "fingerprint": "sha256:a3f9b1c2..." } // Validate by JWT token (faster, no DB lookup) { "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..." } // Response { "status": "success", "valid": true, "expires_at": "2027-01-01T00:00:00Z", "features": { "analytics": true } }
💡 For best performance, validate using the JWT token field. This uses RSA signature verification locally and avoids a database query — response time is typically under 5ms.
🚫 Deactivate License

Removes the activation for a specific device fingerprint. Use this when a user uninstalls your software to free up their activation slot.

POST /api/v1/license/deactivate
ParameterTypeRequiredDescription
license_keystringRequiredThe license key to deactivate a device from.
fingerprintstringRequiredThe device fingerprint of the activation to remove.
// Request { "license_key": "LV-XXXX-XXXX-XXXX", "fingerprint": "sha256:a3f9b1c2d4e5f67890abcdef" } // Response (200) { "status": "success", "message": "License deactivated successfully." }
📡 Offline Token

Generate a signed offline token for air-gapped or intermittently connected environments. The token is cryptographically signed and can be verified locally without a server call.

POST /api/v1/license/offline-token
ParameterTypeRequiredDescription
license_keystringRequiredActive license key to generate token for.
fingerprintstringRequiredDevice fingerprint that the token is bound to.
valid_daysintegerOptionalHow many days the offline token remains valid (default: 30).
// Request { "license_key": "LV-XXXX-XXXX-XXXX", "fingerprint": "sha256:a3f9b1c2...", "valid_days": 90 } // Response — save this token to a local .lic file { "status": "success", "offline_token": "LVOFF.eyJrZXkiOiJMVi00...", "expires_at": "2026-08-16T00:00:00Z" }
Verifying Offline Tokens Locally (PHP)
use LicenseVault\SDK\OfflineVerifier; // Load the public key once at startup $verifier = new OfflineVerifier('/path/to/public.pem'); $result = $verifier->verify( $offlineToken, $deviceFingerprint ); if ($result->valid) { // Grant access }
⚠️ Offline tokens are bound to the device fingerprint provided at generation. They will fail verification if used on a different machine.
📚 PHP SDK

The official LicenseVault PHP SDK simplifies integration into any PHP application. Download it from the dashboard under Developer Tools → SDK.

Installation
# Via Composer (recommended) composer require licensevault/php-sdk # Or manually — copy LicenseVaultSDK.php into your project require_once 'LicenseVaultSDK.php';
Basic Usage
use LicenseVault\SDK\LicenseVaultSDK; $sdk = new LicenseVaultSDK([ 'api_key' => 'pk_your_product_api_key', 'server_url' => 'https://your-domain.com', ]); // Activate $result = $sdk->activate( 'LV-XXXX-XXXX-XXXX', $sdk->getFingerprint() ); // Validate on startup $valid = $sdk->validate( $storedToken, $sdk->getFingerprint() ); if (!$valid->valid) { exit('License invalid or expired.'); } // Deactivate on uninstall $sdk->deactivate('LV-XXXX-XXXX-XXXX', $sdk->getFingerprint());
SDK Methods Reference
MethodDescription
activate($key, $fp)Activate a license. Returns token + license data.
validate($token, $fp)Validate a JWT token. Returns validity + expiry.
deactivate($key, $fp)Remove activation for this device.
getOfflineToken($key, $fp)Request a signed offline token.
getFingerprint()Auto-generate a device fingerprint from system info.
getPublicKey()Fetch the RSA public key for local verification.
checkForUpdates($key)Check for newer software releases.
🛒 Envato Integration

LicenseVault has built-in support for Envato marketplace. Customers can redeem their ThemeForest or CodeCanyon purchase codes for a LicenseVault license automatically.

Setup
1
Get your Envato API Token
Log in to your Envato account, go to Account → My Apps → Create Token. Enable "View and search Envato sites" and "View the user's items' purchase data" scopes.
2
Configure LicenseVault
Go to Settings → Envato. Enter your Envato API token and your Item ID (the numeric ID from your marketplace listing URL).
3
Link to a Product
In the Envato settings, select which LicenseVault product purchase code redemptions should generate licenses for.
4
Share the Redemption URL
Provide customers with your redemption page URL. They enter their purchase code and receive a LicenseVault key instantly.
Redemption API Endpoint
POST /api/v1/envato/redeem { "purchase_code": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "email": "customer@example.com" } // Success Response { "status": "success", "license_key": "LV-8YZ2-R0CF-A4JS", "message": "License created and sent to your email." }
⚠️ Each Envato purchase code can only be redeemed once. Subsequent attempts return a purchase_code_already_used error to prevent license cloning.
⚙️ Settings

Configure LicenseVault's core behaviour from the Settings panel. Changes take effect immediately without requiring a restart.

General Settings
SettingDescription
App NameName displayed in emails and the UI.
Base URLYour application's public URL.
TimezoneUsed for expiry dates and logs.
Default Expiry DaysFallback expiry for new licenses without a set expiry.
Email / SMTP
SettingDescription
SMTP HostYour SMTP server hostname.
SMTP PortUsually 587 (TLS) or 465 (SSL).
SMTP UsernameSMTP authentication username.
SMTP PasswordSMTP authentication password.
From EmailSender address for all outbound emails.
Security Settings
SettingDescription
Rate Limit (per minute)Max API requests per IP per minute. Requests over the limit return HTTP 429.
JWT Expiry HoursHow long issued JWT tokens remain valid before requiring re-validation.
RSA Key PairGenerate or rotate the RSA-2048 key pair used for license signing. Keep the private key secret.
IP WhitelistOptional — restrict Admin API access to specific IP addresses.
🔒 Security

LicenseVault uses multiple layers of security to protect your licenses from tampering, cloning, and replay attacks.

🔐 RSA-2048 Signing

Every license token is signed using your private RSA-2048 key. Clients verify authenticity using only the public key — the private key never leaves your server.

🖥️ Device Binding

Licenses are bound to device fingerprints at activation time. Tokens issued for one machine will fail verification on another, preventing license sharing.

⚡ Rate Limiting

All API endpoints are protected by per-IP rate limiting. Brute-force attempts against license keys are throttled automatically with HTTP 429 responses.

🛡️ API Key Scoping

Product API keys are scoped to a single product. A compromised key for one product cannot be used to access or modify licenses for other products.

Security Best Practices
Store API keys server-side
Never embed product API keys in client-side or distributed application code. Keep them in server-side configuration only.
Use HTTPS exclusively
Always serve LicenseVault over HTTPS. TLS prevents man-in-the-middle attacks on license key transmission.
Rotate RSA keys periodically
Regenerate your RSA key pair every 12–24 months. After rotation, re-issue tokens to active customers — old tokens will be invalidated.
Validate on every startup
Call the validate endpoint on every application launch, not just once. This ensures suspended or revoked licenses are blocked promptly.
Use strong device fingerprints
Combine multiple hardware identifiers (CPU ID, MAC address, disk serial) before hashing. Single-attribute fingerprints are easier to spoof.
Ready to secure
your software?
Join thousands of developers who trust LicenseVault. Start free, upgrade when you're ready.
Start Free Trial Read the Docs