HomeDocumentation

CMSX Documentation

Protect your software with cryptographic license validation in minutes. No SDKs required — just simple REST API calls with Ed25519 signed responses.

SDK Reference

@cmsx-dev/sdk & @cmsx-dev/next

Quick Start

Follow these five steps to add license validation to your application.

Create an account

Create a product

Navigate to Products and create your first software product. This generates your Ed25519 signing keypair automatically.

Get your API key

Go to API Keys and create a key. This key authenticates your app with CMSX.

Issue a license

Create a license from your product page. Set activation limits, expiry, and features.

Validate in your app

Call the /api/v1/validate endpoint from your application — see the API Reference below.

Authentication

All API requests require an API key sent via the X-Api-Key header.

bash

curl -H "X-Api-Key: xk_your_api_key" https://api.cmsx.dev/health

Keep your API key secret

Never expose your API key in client-side code. Use it only from your server or backend.

API Reference

All endpoints use the following base URL:

text

https://api.cmsx.dev

POST/api/v1/validate

Validate a license key and optionally activate a machine. If the machine is new and the license has available activations, it will be activated automatically.

Request Headers

text

X-Api-Key: xk_your_api_key
Content-Type: application/json

Request Body

json

{
  "license_key": "XCR-xxxx-xxxx-xxxx",
  "machine_id": "unique-device-fingerprint",
  "app_version": "1.0.0"
}

Response — 200 OK

json

{
  "valid": true,
  "license_id": "6c9885fc-1478-45dc-8115-84a3e25920ce",
  "product_id": "e51cd7a3-78c9-4f8c-b95f-7b48068fb274",
  "status": "active",
  "config": {},
  "signature": "648a28cfd782ef380afda0a55be2fdc2...",
  "validated_at": "2026-02-27T01:41:10.044Z"
}

POST/api/v1/deactivate

Deactivate a machine from a license, freeing up an activation slot.

Request Body

json

{
  "license_key": "XCR-xxxx-xxxx-xxxx",
  "machine_id": "unique-device-fingerprint"
}

Response — 200 OK

json

{
  "success": true,
  "message": "Machine deactivated successfully"
}

Core Concepts

License Keys

Licenses follow the format XCR-xxxx-xxxx-xxxx. Each license is bound to a single product and can be configured with:

Maximum number of machine activations
Expiration date
Custom configuration metadata (feature flags, tiers, etc.)

Ed25519 Signatures

Every validation response includes a cryptographic signature generated with your product's Ed25519 private key. Use the corresponding public key (available in your dashboard) to verify the response was not tampered with.

This enables offline validation — cache the signed response and verify it locally without hitting the API.

Machine Fingerprinting

Bind licenses to specific devices using unique machine identifiers. The machine_id field in the validation request should be a stable device fingerprint. This lets you control how many devices can use a single license simultaneously.

Kill Switch

Instantly revoke all active licenses for a product with a single toggle in the dashboard. When activated, every validation request returns status: "killed" and valid: false.

Offline Validation

Cache the validation response locally and use the Ed25519 signature to verify authenticity without network access. This ensures your application works even when the user has no internet connectivity.

License Statuses

Status	Description	valid
`active`	License is valid and machine is activated	true
`expired`	License has passed its expiry date	false
`revoked`	License was manually revoked	false
`killed`	Product kill switch is active	false
`limit_reached`	Maximum activations exceeded	false
`not_found`	License key does not exist	false

Error Codes

Code	Description
`401`	API key is invalid or missing
`404`	License key not found
`422`	Invalid request body
`429`	Rate limit exceeded

Rate Limits

Endpoint	Limit
`/api/v1/validate`	No limit (high-throughput)
`/api/v1/deactivate`	No limit
`/login`	5 requests/min per IP