Skip to main content
RMZ provides a complete software licensing system. Customers buy a license key from your store, and your software verifies it with a single API call. This guide covers setup, implementation, and best practices.

How It Works

1

Create a license product

In your store dashboard, create a product with type Software License. Configure the lock type, max activations, and pricing plans.
2

Customer purchases

When a customer buys the product, a license key is automatically generated and delivered (e.g., MYAPP-XXXX-XXXX-XXXX-XXXX).
3

Your software verifies

Your application calls the RMZ license verification API with the key. The API validates the key and auto-activates the device.
4

API responds

You receive the license status, plan details, activation count, and expiry information.

Reference Repository

Full working examples in Python, PHP, JavaScript, and Lua (FiveM) are available at:

Step 1: Create a License Product

In your store dashboard, go to Products > New Product and configure:

Lock Types

none

Key-only verification. No device binding. Any device can use the key. Best for simple products.

hwid

Locks to a hardware ID (machine fingerprint). Each unique HWID uses an activation slot. Best for desktop software.

ip

Locks to the caller’s IP address. Each unique IP uses a slot. Best for server-side applications.

Step 2: Implement Verification

The verification endpoint validates the key and auto-activates the device in a single call.

Request

Implementation Examples

Success Response

Error Codes


Step 3: Generate Hardware IDs

For hwid lock type, generate a consistent machine fingerprint by combining hardware-specific values:
Choose hardware components that are stable across reboots but unique per machine. Avoid components that change frequently (like available memory or uptime).

Step 4: Handle E2EE (Optional)

When E2EE is enabled on your license product, all API responses are encrypted with AES-256-GCM. This prevents response tampering and man-in-the-middle spoofing.

Encrypted Response Format

Decryption

Never hardcode the encryption key as a plain string in your source code. Derive it at runtime from multiple values or use an obfuscation layer.

Best Practices

Verification Frequency

  • Verify the license once on application startup
  • Optionally re-verify periodically (e.g., every 24 hours) for subscription products
  • Cache the verification result locally to handle temporary network outages
  • Rate limit: The API allows 60 requests per minute per IP

Security Recommendations

  1. Use HWID lock type for desktop applications to prevent key sharing
  2. Enable E2EE to prevent response tampering (someone injecting "success": true via a local proxy)
  3. Obfuscate your code to make it harder to find and bypass the verification logic
  4. Embed verification deep in your application flow, not in a single easily-patchable function
  5. Combine with integrity checks to detect binary modification
  6. Do not store the encryption key as a visible string literal

Graceful Degradation

Handle network failures gracefully:

Managing Licenses in the Dashboard

From your store dashboard under License Keys, you can:
  • View all issued licenses with search and filters
  • Create manual licenses (for testing, promotional use)
  • Revoke, suspend, or reactivate individual licenses
  • Reset device activations (frees all slots)
  • View activation history and verification logs

License Lifecycle

For complete API reference details, see the Licensing documentation.