
Show HN: Keygen – A dead-simple product licensing API built for developers - ezekg
https://keygen.sh/
======
regecks
I think it's odd to offer a service like this with no protection against
cracking.

I mean, sure, I license one of my own products with an RSA-PSS signature on an
environmental constraint... but if somebody went to the effort they could just
flip a single instruction to bypass it. However, I am pretty sure nobody in my
target market will bother.

However, I don't think that would hold with something like this. What stops
people releasing a bunch of generic bypass/crack tools against your client
SDKs?

~~~
ezekg
To validate a license key requires an active internet connection. This is for
online/web-based apps, with an emphasis on JavaScript apps built on Node,
Electron, etc. Licenses are validated by making an authenticated GET request
to something like
https://evilcorp.keygen.sh/v1/licenses/3qMEarbK/actions/validate.
Keygen isn't meant to be used for offline apps, as license validation requires
an authenticated API request.

~~~
ago
Did you reply to the right person? Your reply does not seem to address
anything that was said.

~~~
ezekg
Yes. What prevents cracking is the fact that license keys can only be created
if you are either an authenticated user of the account or authenticated with a
product API token. In order to create a license crack, you would have to
obtain a valid API key for that specific account. Everything with the API is
done over the wire, meaning there are no public/private keys within your app
to crack.

~~~
wyday
I don't think you actually understand cracking if you're claiming your
protection is uncrackable. You're certainly not the first licensing company to
sell that lie, if that is what you're claiming. I can explain why what you
just said is easily crackable if you'd like.

Spoiler alert: nothing can stop cracking (but that's not the point of
licensing):
https://wyday.com/limelm/features/why/

But I'll just give you the benefit of the doubt and say you didn't actually
understand the question.

(Also, I'm certain I'll be downvoted for commenting on a competitor's product,
but licensing companies that lie to customers is a particular pet peeve of
mine).

~~~
NKCSS
What Ubisoft did a few years ago with Settlers VII was to put required pieces
of code in the DRM; e.g. without an internet connection, the software would
not function at all; it took over a year and a lot of hard work before they
found a way to write their own server to serve up the required bits, and it
was just for that game, not a general solution.

~~~
Nullabillity
Then again, the servers were so poor that, for a long time, the game basically
wouldn't function _with_ a connection either.

~~~
NKCSS
True :) It was also very badly programmed, making your PC die in agony when
you'd play it, even if you had the highest end stuff on the market. Still a
very fun game though.

------
chrismorgan
Firefox’s tracking protection is preventing the “Get Early Access” button from
working, just putting this warning into the console:

> The resource at “https://mc.us14.list-manage.com/subscribe/form-settings?u=0da915687b658ef99fb6b9075&id=8e6c7696a2&u=0da915687b658ef99fb6b9075&id=8e6c7696a2&c=dojo_request_script_callbacks.dojo_request_script0” was blocked because tracking protection is enabled. [Learn More]

~~~
ezekg
Hey, thanks. I'll check out what the deal is. There have been a few other
issues in Firefox.

~~~
sorenjan
Do people not test their sites in Firefox anymore?

~~~
ezekg
I did extensive testing in FF. This seems to be an issue related to privacy
settings: https://github.com/rydama/mailchimp-ajax-signup/issues/6. I will
look into additional ways to allow sign ups that don't have this issue.

~~~
Washuu
The fact that MailChimp got on to Firefox's privacy block list is not too
surprising to me. I deal with many daily spam emails that all originate from
MailChimp. No amount of checking off on their unsubscribe form that the
senders are using MailChimp as a spam service actually gets some sort of
invention to occur. Personally I am glad that they are being flagged since
they do not do much to stop spammers.

------
ezekg
Hey everyone! I'm the creator of Keygen and would love to answer any questions
that you may have about it. I've been developing the API for over 6 months and
figured I'd try and gather feedback on the product through a beta before the
big launch day. I'd appreciate any feedback at all!

~~~
eb0la
First of all, this looks a good idea to me.

"Traditional" license management servers (like FlexLM) are a scary piece of
software for sysadmins: think of it like a black box that will shut down
everything if you mess up.

This license-as-a-service makes operations very easy.

I wonder if you have in mind something about concurrent users. I mean, some
software is licensed on a _concurrent_ user basis, not just per seat.

If a user logs-in twice, usually the LM revokes the license for the session
that was active, and assigns a new one to the user that just logged-in.

Also, license reporting is also a good idea for answering questions like...
how much do I have to pay for next year's maintenance?

~~~
ezekg
Hey, I realized that I guess I had misread your post, so my previous reply
doesn't answer your question. Support for detecting/revoking concurrent users
is a great idea and I will be sure to come back to that in the future. As of
now, that will have to be done outside of Keygen.

------
cstuder
Does anybody have any recommendation for a self hosted licencing system?

~~~
tmikaeld
There is this:

http://dev.nauck-it.de/projects/license-manager

~~~
cstuder
I found Portable.Licensing by Nauck too, but have you any experience with it?

I'm just kinda confused that there are not more self hosted libraries for
this.

~~~
tmikaeld
Haven't tried it unfortunately - back in 2005 when we looked at licensing, we
came to the conclusion that we might as well do it ourselves. But having a
proper open source solution would be better, easier to audit and better
collaboration.

------
codedokode
What happens if the company that hosts a licensing server goes out of
business?

~~~
ezekg
I will have a contingency plan in place that will likely involve open sourcing
the API so that it can be self-hosted.

~~~
pyre
Depending on _how_ the company crashes and burns, couldn't that be prevented
from getting enacted? For example, I can't imagine that investors would be too
happy that the company's "biggest" asset would be given away in that
situation. Same goes for (possibly) filing for bankruptcy. Wouldn't creditors
have a say?

------
domlebo70
Do any services exist that fill the niche of "I have built an API, and I now
want to charge for it"? API tokens, billing, metrics, etc

~~~
rblatz
I know Azure has API Management:
https://azure.microsoft.com/en-us/services/api-management/

It doesn't look like it has the built in monetization, but it should be fairly
easy to smash a payment provider and API management together.

------
vbsteven
I wonder how you can prevent users from tampering with the licence check in
dynamic languages like javascript and ruby where anyone has access to the
node_modules or rubygems directories.

I know this is not the focus of this particular product, but since it has come
up in multiple comments: how could this be solved?

~~~
BillinghamJ
It is also worth noting - how much do those cases really matter anyway? If
they're going to the bother of disabling your licence checks, they probably
aren't going to buy it anyway.

------
natdempk
Is this validation actually performant or secure? It seems like if you
implement this on the client side, you end up using JavaScript and the client
can just run code that patches the call to the server to have it always pass.
Then if you implement this on the server side, then you pay a latency penalty
for every request, as you have to verify the token sent to your server against
the keygen.sh server.

It seems like this is either insecure or you pay an RTT latency penalty on
every authenticated request. Is this correct? Is there something I'm missing
here?

~~~
ezekg
That's assuming that you require license validation with every request though,
when in reality you really only need that information periodically. If you're
using Keygen alongside your own API, then that information can be cached and
requested when needed.

It would be integrated the same way you would integrate something like Stripe;
you request information when required, and keep your own records up to date
via webhook events.

For example, a desktop app would really only need to validate a user's license
after they have successfully logged in after booting the app; you likely
wouldn't need to validate the license again for at least 24 hours, and that's
assuming you wanted to perform periodic license validations for long-running
sessions.

~~~
natdempk
This is a good point. I guess it depends on the characteristics of your
application, and the level of control you want over verifying user activity
within your application. Maybe you could only verify very important actions or
something if that is all you need.

------
ezekg
I'm absolutely thrilled by the response so far! I didn't expect to get such a
large amount of interest so fast. I already have hundreds of users interested
in the early access program. I'm going to be hard at work the next couple
weeks writing documentation and developing the rest of the web app (API is
ready) so that we can get this ball rolling!

------
porker
I've been thinking about licensing recently, in the context of package
managers.

How can you allow people to install and update commercial packages, without
the problem that anyone can use any key?

I'm thinking particularly in terms of software which is licensed to run on 1
domain, 3 domains, 5 domains etc - but as soon as you use a CLI package
installer, you don't know the domain being used.

~~~
ezekg
I'll be handling it the same way Stripe handles their libraries:
https://github.com/stripe/stripe-node#api-overview. Account tokens
are cryptographically sound enough so that it would take ages to 'find' a
correct token, much less the correct token AND account. Restricting licenses
by domain would need to be handled outside of Keygen; you can track the
allowed machines (via fingerprinting) through the Keygen API, and then act
accordingly.

------
Retr0spectrum
If the API is publicly documented, how will you stop people from just spoofing
the licensing server?

I assume you've addressed this issue, but I'd love to know how.

Edit: From reading a bit more, I understand that this service is mainly aimed
at web/online apps, so piracy is a non-issue.

~~~
ezekg
Yes, this is for online/web-based apps, with an emphasis on JavaScript apps
built on Node, Electron, etc. Licenses are validated by making an
authenticated GET request to something like
https://evilcorp.keygen.sh/v1/licenses/3qMEarbK/actions/validate.
Depending on how you manage users, you can require them to login (request an
API token) before being able to access your app. Depending on if you're
performing the validation server-side or client-side, you can either use a
product-specific API key (private) or the license owner's API token (a signed
in user), respectively.

------
m6w6
Just a quick note yet: not sure "evilcorp" is the best of names for an
example, though.

EDIT: Definitely enjoying the slightly creepy visual haxor effects, though.

~~~
sleepychu
I think it's a reference to Mr. Robot

~~~
onion2k
Without wanting to give away the plot to Mr Robot, Evilcorp is still a pretty
bad choice given what they do regarding security, or lack of such.

------
mappu
How do libraries for PHP work?

You only need a key management service like this when you go from SaaS to on-
prem/equivalent, at which point PHP is in the unenviable position of having
readable source files.

It's possible to patch out license checks from any language, but PHP makes it
pretty easy - what's your approach to solving this? Ioncube-style binary
extensions? If so, PHP7/opcache compatibility?

~~~
ezekg
To validate a license key requires an active internet connection. There is no
compilation or obfuscation because your app never contains any license keys
directly. All of the logic is handled via the API. Validating a license would
require performing a GET request to a user's license validation endpoint.

~~~
mappu
OK. Just to clarify, there's no protection against a malicious user with the
ability to remove these API calls from their copy of the app?

~~~
ezekg
Correct. There's really no way around that being a possibility, especially if
you're using web technologies.

