Frequently asked questions
Everything you need to know to integrate and run SourceAuth.
What is SourceAuth?
SourceAuth is a simplified software licensing and authentication platform. You create an "application" for your software, generate license keys, and your software calls a small JSON API to validate users and licenses, with a simple setup flow.
Why is it so cheap?
SourceAuth is a lean, self-serve platform: no sales team, no per-seat licensing, and a simple raw API (no bloated SDKs to maintain) running on efficient infrastructure. Those savings get passed straight to you instead of funding enterprise overhead. Start on the free Starter plan, and only pay when you actually outgrow its limits.
How do I integrate the API into my software?
After creating an application you get an App ID and App Secret. Your software calls POST /api/init with those values plus your app version to receive a short-lived sessionid. Every following call (register, login, license, hwid/reset, logout) is made with that app_id + sessionid. The setup wizard shows a copy-paste example once your first app is created.
How does HWID locking work?
When a user first registers or logs in, the hardware ID (HWID) your software sends is stored against their account (or against the license, in license-only mode). Future logins must send the same HWID or they are rejected. Users get a limited number of self-service HWID resets, configurable per license.
What happens if I lose my App Secret?
You can view your App Secret at any time from your application's Settings tab while logged in as the owner; it is never hashed, only shown to you. If you believe it has leaked, regenerate it from the same tab; every client using the old secret will need updating.
What is the difference between license-only and username/password auth?
Username/password mode (/api/register + /api/login) creates a persistent app_user your customers log into repeatedly. License-only mode (/api/license) skips accounts entirely: the key itself is bound to a HWID on first use and re-checked on every call. Pick whichever fits your software.
How do resellers and credit balances work?
As an owner you can create reseller accounts and grant them access to specific applications. Each application has a configurable cost per key (per day, or a flat price). You top up a reseller's balance; they spend it to generate license keys themselves without needing owner access. Every balance change is recorded in a ledger.
Can I pause or ban a license or user?
Yes. Licenses can be set to unused, used, paused, or banned from the Licenses tab. App users can be individually banned from the Users tab. You can also blacklist specific HWIDs or IP addresses per application; any matching request is rejected at the API level.
What happens when I pause an application?
A paused application immediately rejects all /api/init calls, meaning no client using it can start a new session; existing sessions expire naturally within 30 minutes. Use this if you need to take software offline without deleting any data.
Is two-factor authentication supported?
Yes, for every panel account type (owner, reseller, admin). Enable it from your Profile page: it uses standard TOTP (RFC 6238), so any authenticator app (Google Authenticator, Authy, 1Password, etc.) works by entering the shown secret manually.
How do webhooks and variables work?
Webhooks let you register a URL per application that receives a signed JSON POST when events happen (user registered, license used, user banned). Variables are a simple per-application key/value store your software can fetch via /api/var, handy for remote messages or config, optionally restricted to authenticated sessions only.