
🔌 API Settings

Configure the license authentication API that handles all license validation requests from your applications.

Configuration Overview​

ApiSettings:
  Port: 3090
  APIKey: "SOME KEY"
  Ratelimit:
    Enabled: true
    Max: 100
  RequireHWID: true

Setting Details​

Port​

Type: number | Required: Yes | Default: 3000

The port number where the TKI Auth API server will listen for incoming requests.

Port: 3090

Important Considerations:

  • Choose a port that's not already in use on your system
  • Common ports: 3000, 3090, 8080, 8000
  • For production, consider using port 80 (HTTP) or 443 (HTTPS) with a reverse proxy
  • Ensure your firewall allows traffic on the chosen port

APIKey​

Type: string | Required: Yes

The authentication key required for all API requests. This acts as a security barrier for your license system.

APIKey: "32qdYW4KBKRrRPotH6RbuuCbdGbcqCN4IGwwPc"

Security Critical

  • Use a strong, unique API key (recommended 32+ characters)
  • Never use backslashes (\) in the API key
  • Keep this key secret - anyone with this key can access your license system

Generating Strong API Keys:

# Using OpenSSL: 32 random bytes, base64-encoded (44 characters, never contains backslashes)
openssl rand -base64 32
# Or online password generators (ensure 32+ characters, no backslashes)

Rate Limiting​

Enabled​

Type: boolean | Required: Yes | Default: true

Controls whether rate limiting is applied to API requests to prevent abuse.

Ratelimit:
  Enabled: true # Enables rate limiting
  Enabled: false # Disables rate limiting (not recommended)

Security Recommendation

Always keep rate limiting enabled in production to prevent API abuse and DDoS attacks.

Max​

Type: number | Required: Yes | Default: 100

Maximum number of requests allowed per IP address per minute when rate limiting is enabled.

Ratelimit:
  Enabled: true
  Max: 100 # 100 requests per minute per IP

Recommended Values:

  • Light usage: 50-100 requests/minute
  • Medium usage: 100-300 requests/minute
  • Heavy usage: 300-1000 requests/minute
  • Enterprise: 1000+ requests/minute

RequireHWID​

Type: boolean | Required: Yes | Default: true

Controls whether a Hardware ID (HWID) is required in API authentication requests.

RequireHWID: true  # HWID required for all requests
RequireHWID: false # HWID optional

When to use true:

  • Higher security requirements
  • Need to limit licenses to specific devices
  • Want to track hardware changes
  • Prevent license sharing

When to use false:

  • Simpler integration requirements
  • Users frequently change hardware
  • Virtual environments or containers
  • Legacy applications without HWID support

Example Configurations​

High Security Setup​

ApiSettings:
  Port: 8443
  APIKey: "EXAMPLE_KEY"
  Ratelimit:
    Enabled: true
    Max: 50
  RequireHWID: true

Development Setup​

ApiSettings:
  Port: 3000
  APIKey: "dev_test_key_not_for_production_use_only"
  Ratelimit:
    Enabled: true
    Max: 200
  RequireHWID: false

High Traffic Setup​

ApiSettings:
  Port: 80
  APIKey: "prod_api_key_very_long_and_secure_string_here"
  Ratelimit:
    Enabled: true
    Max: 1000
  RequireHWID: true

Minimal Rate Limiting​

ApiSettings:
  Port: 3090
  APIKey: "your_secure_api_key_here"
  Ratelimit:
    Enabled: true
    Max: 10
  RequireHWID: true
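
A pre-deployment check for the settings described above, as an added example that is not part of TKI Auth or of the original page. `auditApiSettings` is a hypothetical helper; it assumes the ApiSettings block has already been parsed from YAML into an object, and it treats every key printed on this page as public.

```javascript
// Keys printed on this documentation page are public and must never be deployed.
const PUBLISHED_SAMPLE_KEYS = new Set([
  'SOME KEY', 'EXAMPLE_KEY', '32qdYW4KBKRrRPotH6RbuuCbdGbcqCN4IGwwPc',
  'dev_test_key_not_for_production_use_only',
  'prod_api_key_very_long_and_secure_string_here',
  'your_secure_api_key_here', 'your-api-key-here', 'your-api-key',
]);

// auditApiSettings is a hypothetical helper (not part of TKI Auth). It takes the
// ApiSettings block already parsed from YAML and returns a list of findings.
function auditApiSettings(settings) {
  const findings = [];
  const key = typeof settings.APIKey === 'string' ? settings.APIKey : '';

  if (key.length < 32) findings.push('APIKey is shorter than 32 characters');
  if (key.includes('\\')) findings.push('APIKey contains a backslash');
  if (PUBLISHED_SAMPLE_KEYS.has(key)) {
    findings.push('APIKey is a sample value from the documentation');
  }

  const port = settings.Port;
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    findings.push('Port is not a valid TCP port');
  }

  const rl = settings.Ratelimit || {};
  if (rl.Enabled !== true) {
    findings.push('Ratelimit.Enabled is not true');
  } else if (!Number.isInteger(rl.Max) || rl.Max < 1) {
    findings.push('Ratelimit.Max is not a positive integer');
  }

  if (typeof settings.RequireHWID !== 'boolean') {
    findings.push('RequireHWID must be true or false');
  }
  return findings;
}

// Constructed input: the "High Security Setup" above with its sample key left in place.
const highSecuritySample = {
  Port: 8443,
  APIKey: 'EXAMPLE_KEY',
  Ratelimit: { Enabled: true, Max: 50 },
  RequireHWID: true,
};
console.log(auditApiSettings(highSecuritySample));
```

An empty result means the block follows the recommendations on this page; it says nothing about how the key is stored or transmitted.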

API Usage​

Once configured, your API will be available at:

http://your-server-ip:port/api/license/auth

Example API Request​

const response = await fetch('http://localhost:3090/api/license/auth', {
  method: 'POST',
  headers: {
    'Authorization': 'your-api-key-here',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    data: {
      product: 'MyProduct',
      version: '1.0.0',
      licensekey: 'TKI-XXXXX-XXXXX',
      ip: '192.168.1.1',
      hwid: 'unique-hardware-id' // Optional if RequireHWID is false
    }
  })
});

Security Best Practices​

API Key Security​

  1. Generate strong keys - Use random, long strings
  2. Monitor usage - Watch for suspicious activity
  3. Never log keys - Avoid putting keys in logs or error messages

Network Security​

  1. Use HTTPS - Always encrypt API traffic in production
  2. Firewall rules - Restrict access to authorized IPs only
  3. Reverse proxy - Use nginx/Apache for additional security layers
  4. VPN access - Consider VPN for administrative access

Rate Limiting Strategy​

  1. Monitor patterns - Track normal vs suspicious request patterns
  2. Adjust limits - Fine-tune based on legitimate usage
  3. Whitelist IPs - Consider IP whitelisting for trusted sources
  4. Alert system - Set up alerts for rate limit violations

Reverse Proxy (Nginx)​

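server {
    listen 443 ssl;
    server_name your-domain.com;

    # A certificate and key are required for "listen ... ssl" (placeholder paths)
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    location /api/ {
        # Forward API requests to the TKI Auth API on its configured Port
        proxy_pass http://localhost:3090;
        proxy_set_header Host $host;
        # Pass the original client address on to the backend
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}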
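
The proxy above forwards the caller's address in X-Real-IP, while Ratelimit.Max is counted per IP, so what a backend uses as "the IP" decides whether the limit still applies per client. The following is an added example, not TKI Auth's code (this page does not say how TKI Auth derives the client address); `clientIp`, `createLimiter`, `rejectedCount` and the trusted-proxy list are assumptions made for illustration.

```javascript
// Assumption: nginx runs on the same host, so it is the only trusted peer.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']);

// Address to count against. X-Real-IP is honoured only when the TCP peer is the
// trusted proxy; from any other peer the header is client-supplied and ignored.
function clientIp(peerAddr, headers) {
  const peer = peerAddr.replace(/^::ffff:/, ''); // unwrap IPv4-mapped IPv6
  const real = headers['x-real-ip'];
  return TRUSTED_PROXIES.has(peer) && real ? real.trim() : peer;
}

// Fixed-window counter: at most `max` requests per key per window (one minute).
// Idle entries are only reset lazily; a long-running service would also evict them.
function createLimiter(max, windowMs = 60000) {
  const buckets = new Map(); // key -> { start, count }
  return function allow(key, now = Date.now()) {
    let b = buckets.get(key);
    if (!b || now - b.start >= windowMs) {
      b = { start: now, count: 0 };
      buckets.set(key, b);
    }
    b.count += 1;
    return b.count <= max;
  };
}

// Constructed traffic: two clients behind the proxy, 60 requests each within one
// minute, with Max: 100. Returns how many requests a given keying function rejects.
function rejectedCount(keyFn) {
  const allow = createLimiter(100);
  let rejected = 0;
  for (let i = 0; i < 60; i++) {
    for (const ip of ['198.51.100.7', '203.0.113.9']) {
      const req = { peer: '::ffff:127.0.0.1', headers: { 'x-real-ip': ip } };
      if (!allow(keyFn(req), 1000 + i)) rejected += 1;
    }
  }
  return rejected;
}

console.log(rejectedCount((r) => r.peer));                      // keyed on the socket peer
console.log(rejectedCount((r) => clientIp(r.peer, r.headers))); // keyed on the real client
```

Keyed on the socket peer, every proxied client shares one bucket and legitimate requests are rejected once the combined traffic passes Max; keyed on the forwarded address, each client gets its own budget.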

Troubleshooting​

Common Issues​

API won't start:

  • Check if the port is already in use
  • Verify firewall settings
  • Ensure proper permissions

Rate limiting too strict:

  • Increase the Max value
  • Monitor legitimate usage patterns
  • Consider IP whitelisting

HWID validation failing:

  • Check if RequireHWID matches your application setup
  • Verify HWID generation consistency
  • Consider disabling for testing

Testing Your API​

# Test API availability
curl -X POST http://localhost:3090/api/license/auth \
  -H "Authorization: your-api-key" \
  -H "Content-Type: application/json" \
  -d '{"data":{"product":"test","version":"1.0.0","licensekey":"test","ip":"127.0.0.1"}}'