Announcing: License Key Authentication

Tuesday, January 25th 2022

We heard you loud and clear! Activation tokens were not the most convenient way to authenticate with Keygen's API. Tokens had to be created after a license itself was created, which required multiple subsequent API requests. And then figuring out which values to send to an end-user was honestly kind of a headache…

Should you send the license key?

The activation token?

Both?

(Typically, the answer was both.)

A lot of you emailed us asking for an easier way, and we wanted to provide one.

Starting today, you can configure your policies to have a license key authentication strategy. Doing so will allow you to authenticate with our API using a license key instead of an API token. Simply update your policy's authentication strategy to LICENSE and start passing a license key into any API request's Authorization header using a new License scheme:

Authorization: License C1B6DE-39A6E3-DE1529-8559A0-4AF593-V3

It's that simple! No activation token required.

Instead of figuring out which values to send to your end-users during fulfillment — all you have to do is send them a license key. No additional tokens required! You can then perform any API request that you could do with an activation token, for example, activate a machine, download a release upgrade, or send a heartbeat ping.

You can, of course, continue to use activation tokens! Nothing has changed there. And pretty soon, you'll be able to adjust permissions on a per-token basis. So activation tokens will still have a place — where more fine-grained access control is needed. But for the majority of use cases, switching to license key authentication will likely simplify your integration, as well as your software's end-user experience, which we think is a win-win.

Note on backwards compatibility: there are no breaking changes. For existing policies, and any new policies created with defaults — nothing has changed. This is an opt-in feature only. Policies will default to using a TOKEN authentication strategy, which behaves exactly like it did before we introduced this new authentication scheme.

If you'd like to opt-in, switch your policy's authentication strategy to LICENSE. (You can even accept both types of authentication, using MIXED, which should help during a migration from API tokens to license keys.)

There's a lot more coming up that we're excited to share.

Until next time.