<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Mithun Kumar</title>
    <description>The latest articles on DEV Community by Mithun Kumar (@creatordev).</description>
    <link>https://dev.to/creatordev</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4033673%2F35c906f3-596c-4309-97cf-2ec4b1bfa35d.png</url>
      <title>DEV Community: Mithun Kumar</title>
      <link>https://dev.to/creatordev</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/creatordev"/>
    <language>en</language>
    <item>
      <title>License Key Validation in Python: The Right Way</title>
      <dc:creator>Mithun Kumar</dc:creator>
      <pubDate>Fri, 17 Jul 2026 11:50:09 +0000</pubDate>
      <link>https://dev.to/creatordev/license-key-validation-in-python-the-right-way-3hm</link>
      <guid>https://dev.to/creatordev/license-key-validation-in-python-the-right-way-3hm</guid>
      <description>&lt;p&gt;The first time I shipped a paid desktop tool, I added a "license check" in about&lt;br&gt;
ten minutes and felt clever. It called my server, asked &lt;em&gt;"is this key valid?"&lt;/em&gt;,&lt;br&gt;
and unlocked the app if the answer was yes.&lt;/p&gt;

&lt;p&gt;It took someone about ten minutes to defeat it.&lt;/p&gt;

&lt;p&gt;They did not guess a key or patch my binary. They pointed my app at a &lt;strong&gt;fake&lt;br&gt;
local server that always says "valid."&lt;/strong&gt; My whole licensing system trusted one&lt;br&gt;
network reply, and that reply was trivially forgeable.&lt;/p&gt;

&lt;p&gt;Here is the trap I fell into, why it fails, and the fix that actually works — with&lt;br&gt;
code you can copy.&lt;/p&gt;
&lt;h2&gt;
  
  
  The naive license check (that everyone writes first)
&lt;/h2&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;requests&lt;/span&gt;

&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;is_licensed&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;key&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;-&amp;gt;&lt;/span&gt; &lt;span class="nb"&gt;bool&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="n"&gt;r&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;requests&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;post&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;https://api.myapp.com/validate&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;json&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;key&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;key&lt;/span&gt;&lt;span class="p"&gt;})&lt;/span&gt;
    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;r&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;json&lt;/span&gt;&lt;span class="p"&gt;().&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;valid&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="ow"&gt;is&lt;/span&gt; &lt;span class="bp"&gt;True&lt;/span&gt;

&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="ow"&gt;not&lt;/span&gt; &lt;span class="nf"&gt;is_licensed&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;user_key&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="k"&gt;raise&lt;/span&gt; &lt;span class="nc"&gt;SystemExit&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Unlicensed&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;


&lt;p&gt;Looks fine, right? It is not. Anyone who runs your program can:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Watch that request (it is their machine).&lt;/li&gt;
&lt;li&gt;Run a tiny local server that returns &lt;code&gt;{"valid": true}&lt;/code&gt; for everything.&lt;/li&gt;
&lt;li&gt;Redirect your app to it — a hosts-file line, a proxy, or a one-character patch
to the URL.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Now &lt;code&gt;is_licensed()&lt;/code&gt; returns &lt;code&gt;True&lt;/code&gt; forever, offline, for every key. The check was&lt;br&gt;
never the hard part. &lt;strong&gt;Making the reply impossible to fake is.&lt;/strong&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Why this is really a cryptography problem
&lt;/h2&gt;

&lt;p&gt;The fix is to stop &lt;em&gt;trusting&lt;/em&gt; the reply and start &lt;em&gt;verifying&lt;/em&gt; it. The server&lt;br&gt;
should &lt;strong&gt;sign&lt;/strong&gt; every response with a private key that never leaves the server.&lt;br&gt;
Your app ships only the matching &lt;strong&gt;public key&lt;/strong&gt; and checks the signature locally.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A fake server does not have your private key, so it cannot produce a valid
signature.&lt;/li&gt;
&lt;li&gt;A forged &lt;code&gt;{"valid": true}&lt;/code&gt; fails the signature check instantly.&lt;/li&gt;
&lt;li&gt;Even a real reply cannot be replayed, because the signature covers a one-time
nonce your app generates per request.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is exactly how software updates and TLS certificates are trusted. Licensing&lt;br&gt;
deserves the same bar.&lt;/p&gt;
&lt;h2&gt;
  
  
  Doing it properly in ~5 minutes
&lt;/h2&gt;

&lt;p&gt;You could build the signing, key management, nonce handling, and verification&lt;br&gt;
yourself. I did, and then I turned it into a hosted tool called&lt;br&gt;
&lt;a href="https://licers.com" rel="noopener noreferrer"&gt;Licers&lt;/a&gt; so I would never write it again. (Full disclosure: I&lt;br&gt;
built it. It is free, and you can absolutely roll your own with the same ideas.)&lt;/p&gt;

&lt;p&gt;Here is the whole client with the SDK:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pip &lt;span class="nb"&gt;install &lt;/span&gt;pylicensify
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;pylicensify&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;LicenseClient&lt;/span&gt;

&lt;span class="c1"&gt;# The PUBLIC key is safe to embed in your distributed app.
&lt;/span&gt;&lt;span class="n"&gt;client&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;LicenseClient&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;public_key&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;YOUR_PUBLIC_KEY&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;client&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;validate&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;PY-XXXXXXXXXXXXXXXX&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Licensed. Features:&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;features&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="nf"&gt;unlock_app&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
&lt;span class="k"&gt;else&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Not licensed:&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;error&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="k"&gt;raise&lt;/span&gt; &lt;span class="nc"&gt;SystemExit&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;code&gt;validate()&lt;/code&gt; sends a fresh nonce, then verifies the Ed25519 signature on the&lt;br&gt;
response and rejects anything stale or replayed. Point the app at a fake server&lt;br&gt;
and it raises &lt;code&gt;SignatureError&lt;/code&gt; instead of unlocking. That is the entire&lt;br&gt;
difference between "licensing" and "a suggestion."&lt;/p&gt;
&lt;h2&gt;
  
  
  Bonus: stop one key from running everywhere
&lt;/h2&gt;

&lt;p&gt;Signed validation stops fake servers. To stop &lt;em&gt;sharing&lt;/em&gt;, bind a key to a limited&lt;br&gt;
number of devices:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="c1"&gt;# The SDK derives a stable device id and registers it against the key.
&lt;/span&gt;&lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;client&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;validate&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;PY-XXXX...&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="c1"&gt;# In the dashboard you set the max devices per key; extra machines get rejected.
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;One gotcha if you roll your own: do &lt;strong&gt;not&lt;/strong&gt; use &lt;code&gt;uuid.getnode()&lt;/code&gt; as the device&lt;br&gt;
id. On Android and many VMs the MAC address is not readable, so it returns a&lt;br&gt;
&lt;em&gt;random&lt;/em&gt; value every run — every launch looks like a new device. Persist a device&lt;br&gt;
id to disk instead (the SDK does this for you).&lt;/p&gt;

&lt;h2&gt;
  
  
  The takeaway
&lt;/h2&gt;

&lt;p&gt;If your license check trusts a plain server reply, assume it is already bypassed.&lt;br&gt;
The upgrade is small and worth it:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Sign&lt;/strong&gt; every response server-side with a key that never leaves the server.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Verify&lt;/strong&gt; the signature in your app with an embedded public key.&lt;/li&gt;
&lt;li&gt;Add a &lt;strong&gt;nonce&lt;/strong&gt; so replies cannot be replayed.&lt;/li&gt;
&lt;li&gt;Optionally &lt;strong&gt;bind keys to devices&lt;/strong&gt; to stop sharing.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;That is the difference between licensing that stops a determined user and&lt;br&gt;
licensing that a fake local server defeats before lunch.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;I write about shipping and protecting software. If you want the signed-validation&lt;br&gt;
setup without building it yourself, &lt;a href="https://licers.com" rel="noopener noreferrer"&gt;Licers&lt;/a&gt; is free to start&lt;br&gt;
and has a &lt;a href="https://licers.com/docs" rel="noopener noreferrer"&gt;Python SDK&lt;/a&gt;. Happy to answer licensing&lt;br&gt;
questions in the comments.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>python</category>
      <category>security</category>
      <category>tutorial</category>
      <category>programming</category>
    </item>
  </channel>
</rss>
