The License Management add-on provides a complete, provider-based license key management system: create products, generate keys in multiple formats, track activations per domain or machine, verify licenses via REST API, and receive external events through webhooks.
Pricing: This is a paid add-on, available from the Larapen Marketplace.
Key Features
- Product management: Organize license keys under products with translatable names, descriptions, SKU, and version tracking.
- Key generation (4 formats): Generate keys as UUID, alphanumeric (5x5 segments), prefixed (custom prefix + segments), or HMAC-signed (payload + SHA-256 signature). Each format is configurable.
- Bulk generation: Generate up to 1,000 keys at once for a product, choosing format, license type, max activations, and expiry date.
- License types: Standard, Extended, Trial, and Lifetime; each visually distinguished in the admin panel with color-coded badges.
- Status lifecycle: Keys can be Active, Suspended, Expired, or Revoked. Quick actions let you revoke, suspend, or reactivate a key from the admin panel.
- Activation tracking: Track where each key is activated: by domain, machine ID, and IP address. Enforce a configurable maximum number of activations per key (1 to 10,000).
- Idempotent activations: Re-activating the same domain or machine returns the existing activation without creating a duplicate.
- REST API for verification: Clients can verify a license key, activate it on a domain/machine, and deactivate it; all via authenticated API endpoints protected by an API key and rate limiting.
- 3 built-in providers: Manual (admin-created keys), Envato (verify Envato purchase codes via API), and Webhook (receive license events from external systems via HMAC-signed callbacks).
- Envato integration: Verify Envato purchase codes directly, or delegate to the Envato add-on if installed. Automatically maps Envato license names to Standard/Extended types and sets expiry from support dates.
- Webhook support: Receive HMAC-SHA256 signed webhook events (
license.created,license.updated,license.revoked,license.expired) to automatically create, update, or revoke keys from external platforms. - Webhook logs: Every incoming webhook callback is logged with provider, event type, payload, IP address, status (success/failed/ignored), and error message.
- CSV export: Export license keys to CSV with optional product and status filters. Columns include key, product, status, type, provider, dates, max activations, and active count.
- Auto-expiry: Batch process to automatically mark active keys past their expiration date as expired.
- Provider extensibility: Other add-ons can register custom license providers via the Provider Manager, extending the system with additional verification sources.
- Masked key display: Keys are shown with only the first and last 4 characters visible in listings, protecting sensitive data at a glance.
Admin Panel
| Section | Description |
|---|---|
| Dashboard | Overview statistics: total keys, active/suspended/expired/revoked counts, total products, total active activations, recent keys, and recent webhook log entries. |
| Products | Create, edit, and delete products. Each product displays its active key count. Supports translatable names and descriptions, SKU, and version. |
| License Keys | List, search, filter, create, edit, and delete keys. Quick actions to revoke, suspend, or reactivate. Bulk generate up to 1,000 keys. Bulk delete. CSV export. View activations per key. |
| Webhook Logs | Browse all incoming webhook callbacks with provider, event type, payload, status (color-coded), response data, and error messages. |
| Settings | Configure API key, rate limit, default key format, key prefix, default max activations, HMAC key, Envato credentials, and webhook secret. Displays provider status and API endpoint URLs. |
API Endpoints
All verification endpoints require an X-Api-Key header (or ?api_key= query parameter) and are rate-limited.
| Endpoint | Method | Description |
|---|---|---|
/api/licenses/verify | GET | Verify a license key. Optional product parameter to scope the check to a specific product. |
/api/licenses/activate | POST | Activate a key on a domain and/or machine. Returns activation details on success. |
/api/licenses/deactivate | POST | Deactivate a key from a specific domain. |
/api/licenses/callback/{provider} | POST | Webhook callback endpoint. Authenticated by HMAC signature (no API key required). |
Configuration
| Setting | Default | Description |
|---|---|---|
| API key | (empty) | Authentication key for the verification API endpoints. Stored encrypted. |
| API rate limit | 60 req/min | Maximum requests per minute to API endpoints. |
| Default key format | Alphanumeric | Default format for auto-generated keys (UUID, Alphanumeric, Prefixed, HMAC Signed). |
| Key prefix | LIC | Prefix used in the Prefixed key format (max 10 alphabetic characters). |
| Default max activations | 1 | Default number of allowed activations per key. |
| HMAC key | (empty) | Secret key for HMAC-signed key format. Falls back to APP_KEY if empty. |
| Envato API token | (empty) | Envato personal API token for purchase code verification. |
| Envato author username | (empty) | Your Envato marketplace author username. |
| Webhook secret | (empty) | HMAC-SHA256 secret for verifying webhook callback signatures. |
Webhook events
The Webhook provider accepts these HMAC-signed events at /api/licenses/callback/webhook:
license.created: Creates a new license key from the payload (requireskeyandproductslug).license.updated: Updates an existing webhook-provider key (type, expiry, max activations, metadata).license.revoked: Revokes the key and deactivates all its active activations.license.expired: Marks the key as expired.
Usage examples
Verifying a license from your application
// cURL example
curl -X GET "https://yoursite.com/api/licenses/verify?key=A1B2C-D3E4F-G5H6J-K7L8M-N9O0P" \
-H "X-Api-Key: your-api-key"
// Response
{
"valid": true,
"message": "License is valid.",
"status": "active",
"license_type": "standard",
"product": "my-plugin",
"product_name": "My Plugin",
"expires_at": "2027-01-15T00:00:00Z",
"max_activations": 3,
"active_activations": 1
}Activating a license on a domain
curl -X POST "https://yoursite.com/api/licenses/activate" \
-H "X-Api-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{"key": "A1B2C-D3E4F-G5H6J-K7L8M-N9O0P", "domain": "client-site.com"}'
// Response
{
"success": true,
"message": "License activated successfully.",
"activation": {
"id": 42,
"domain": "client-site.com",
"machine_id": null,
"activated_at": "2026-02-26T10:30:00Z"
}
}Sending a webhook event
// HMAC-SHA256 signed callback
curl -X POST "https://yoursite.com/api/licenses/callback/webhook" \
-H "Content-Type: application/json" \
-H "X-Webhook-Signature: <hmac-sha256-of-body>" \
-d '{"event": "license.created", "key": "NEW-KEY-12345", "product": "my-plugin", "license_type": "standard", "max_activations": 5}'Dependencies
None: the License Management add-on works independently. Optionally integrates with the Envato add-on for shared purchase code verification credentials.
Ideal for
- Software vendors selling desktop applications, plugins, or themes that require license key activation.
- SaaS businesses issuing license keys for on-premise deployments with domain-based activation limits.
- Envato authors who want to manage and verify purchase codes with activation tracking.
- Developers distributing premium WordPress plugins, Laravel packages, or any downloadable software.
- Businesses needing a self-hosted license server with full control over keys, activations, and providers.