Practice Now
License Keys
Secure Algorithms
Software Protection
Cryptography
Key Generation

Secure algorithm for creating license keys?

Master System Design with Codemia

Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.

Start PracticingLearn More

Introduction

A secure license key scheme is not just about generating random-looking strings. The real design problem is deciding who verifies the license, what claims the key carries, and how hard it should be for an attacker to forge or reuse a valid key.

Start With The Threat Model

Before picking an algorithm, answer three questions:

  • Does the client verify the key offline?
  • Does a server validate the key online?
  • What should the key encode, such as expiry date, edition, or customer ID?

If validation happens only on your server, a keyed message authentication code is enough. If the software must validate licenses offline, use digital signatures so the private signing key never ships with the product.

That distinction matters more than the exact string format.

Good Architecture For Offline License Keys

For offline verification, the standard design is:

  1. encode the license claims
  2. sign them with a private key
  3. distribute the signed payload as the license key
  4. embed only the public verification key in the application

That way, the application can verify authenticity but cannot mint new valid licenses.

If you put a shared secret inside the client and use HMAC there, attackers who extract the secret can generate unlimited valid keys. That is why symmetric verification is a bad fit for offline desktop licensing.

A Simple Signed License Format

A practical license payload might include:

  • product identifier
  • customer identifier
  • expiry date
  • feature tier
  • nonce or serial number

Serialize the payload in a stable format, sign it, and then base32 or base64 encode the result for transport.

Pseudo-layout:

text
payload.signature

Where payload is structured data and signature proves it came from your issuer.

Runnable Example With HMAC For Server-Side Validation

If validation happens only on your server, the Python standard library is enough for a compact example:

python
1import base64
2import hashlib
3import hmac
4import json
5
6SECRET = b"replace-this-with-a-real-secret"
7
8
9def issue_license(payload):
10    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
11    sig = hmac.new(SECRET, raw, hashlib.sha256).digest()
12    return base64.urlsafe_b64encode(raw).decode() + "." + base64.urlsafe_b64encode(sig).decode()
13
14
15def verify_license(token):
16    raw_b64, sig_b64 = token.split(".", 1)
17    raw = base64.urlsafe_b64decode(raw_b64)
18    sig = base64.urlsafe_b64decode(sig_b64)
19    expected = hmac.new(SECRET, raw, hashlib.sha256).digest()
20    if not hmac.compare_digest(sig, expected):
21        return None
22    return json.loads(raw)
23
24
25license_key = issue_license({"customer": "acme", "edition": "pro", "exp": "2027-12-31"})
26print(license_key)
27print(verify_license(license_key))

This is secure only if the secret stays on the server. It is not a safe offline scheme for distributed clients.

What Makes A License Key Hard To Forge

A secure scheme relies on cryptographic authenticity, not obscurity. Attackers should fail because they do not have the signing key, not because the string format is confusing.

Useful properties are:

  • unforgeability through signatures or server-side MAC verification
  • tamper detection for expiry, edition, or customer fields
  • optional replay controls, such as activation records on the server
  • clear versioning so you can rotate formats later

Readable grouping is fine for usability. Security should come from the signature, not from hyphens or custom alphabets.

Things That Help In Real Products

Real systems often combine cryptography with policy:

  • activation limits per license
  • revocation checks when online
  • license version numbers
  • machine binding only when you accept the support cost of hardware changes

Be careful with aggressive machine binding. It reduces casual sharing but increases legitimate support incidents when disks, CPUs, or operating systems change.

Common Pitfalls

The biggest mistake is inventing a custom reversible algorithm and calling it security. If the client can reverse it, attackers can too.

Another mistake is embedding a shared secret in the application and expecting offline HMAC verification to stay secure. Once that secret is extracted, anyone can generate valid licenses.

Developers also overload the license with too much hidden logic. Keep the payload minimal and explicit, then sign it.

Finally, do not confuse random serial numbers with secure licenses. Randomness helps uniqueness, but authenticity comes from cryptographic verification.

Summary

  • Pick the algorithm based on who verifies the license.
  • For offline verification, use digital signatures and keep the private key off the client.
  • For server-side verification, HMAC is a reasonable building block.
  • Security should come from cryptographic authenticity, not a secret string format.
  • Design for key rotation, revocation, and operational support, not just generation.
Course illustration
Course illustration
Codemia
© 2026 Codemia
Resources
Legal
Social
All Rights Reserved.