← back

Licensing & Auth Platform

A full-stack licensing and subscription management system — REST API, React admin dashboard, Discord bot, and a C++ client SDK. Built to handle HWID-bound licenses, multi-tier resellers, and role sync across Discord guilds.

This started as a simple license checker and grew into a full platform. I needed a way to manage licenses, customers, and subscriptions for a private software project — and decided to build the whole thing properly rather than patch something together.

The end result is four components that work together: an ASP.NET Core API as the backbone, a React dashboard for administration, a Discord bot for user-facing interactions, and a C++ example app that shows how a client integrates with the auth system.

Overview

The platform handles the full lifecycle of a software license — creation, activation, HWID binding, renewal, and revocation. On top of that it supports a reseller tier, meaning other people can sell licenses at their own prices with their own approval workflows. Everything is tracked through audit logs, and a Discord bot lets end users reset their HWID or request username changes without touching the dashboard.

Note · Private This is a closed-source private project. No public repository or live demo — this page covers the architecture and what I built.
Status · Active This project is still actively in development — features, improvements, and fixes go in regularly. What's described here reflects the current state but the platform keeps evolving.

The API

Built on ASP.NET Core 8 with Entity Framework Core 9 and SQL Server. The API handles everything — auth, license management, customer records, proxy assignment, reseller billing, and background maintenance tasks.

Authentication uses short-lived JWT access tokens (15 minutes) stored in httpOnly cookies alongside a 7-day refresh token. CSRF is handled with double-submit cookies — a pattern from the header must match the cookie on all state-changing requests. Rate limiting sits on the auth endpoints (10 req/min) and license endpoints to prevent brute-force.

The role system covers several levels:

  • Admin — full access
  • Moderator — customer and license management
  • Sales Manager — approval workflows and direct sales
  • Reseller — self-service portal for their own customers
  • Discord Bot — scoped API key access for bot operations

Background services run on a timer to clean up expired tokens, purge soft-deleted records past retention, poll FX rates for currency conversion in the reseller billing system, and deliver security event webhooks.

The Web UI

The admin dashboard is a React 18 SPA written in TypeScript, built with Vite and styled with Tailwind CSS and Radix UI components. It's served as static files from the API's wwwroot/, so there's no separate hosting — one deployment covers both.

The dashboard covers every part of the system: license CRUD, user management, customer profiles, subscription types, reseller accounts, sales approval queues, Discord bot configuration per guild, and a full audit log viewer with filtering.

The Discord Bot

A .NET 8 Worker Service running as a Windows Service, using Discord.NET. The bot communicates with the API via a scoped API key and supports multiple guild instances from a single process.

It exposes two slash commands to end users:

  • /reset — resets the HWID binding on a license, letting the user move to a new machine
  • /change-username — submits a username change request that goes to a staff approval queue

On the backend it also handles role sync — periodically checking subscription statuses and updating Discord roles to match, so a customer whose subscription lapses automatically loses their access role without any manual intervention.

The C++ Client SDK

A reference implementation in C++17 that shows how a desktop application integrates with the license system. It handles HWID fingerprinting, sends activation requests to the API, manages the session token, and can pull down asset updates (builds, config files) that the API serves per subscription tier.

The client uses WinHTTP for requests, BCrypt and CryptoAPI for the crypto side (RSA, AES-GCM, HMAC, SHA256), and optionally integrates VMProtect SDK for build obfuscation. String literals are encrypted at compile time with skCrypter to make static analysis harder.

Tech stack

  • ASP.NET Core 8 — API framework
  • Entity Framework Core 9 — ORM with SQL Server
  • React 18 + TypeScript — admin dashboard
  • Vite + Tailwind CSS + Radix UI — frontend build and components
  • Discord.NET 3.17 — bot framework
  • C++17 — client SDK
  • JWT Bearer + BCrypt — authentication and password hashing
  • OpenTelemetry + Prometheus — metrics and observability
  • GitHub Actions — CI pipeline, publishes to IIS on push

What I learned

This was the first project where I had to think seriously about the security model end to end — not just "does the API require a token" but things like what happens if a refresh token leaks, how to prevent timing attacks on license lookups, and how to make the audit trail tamper-evident. The double-submit CSRF pattern was new to me and took a few iterations to get right across the React frontend and the API middleware.

The reseller billing system was also more complex than expected. Supporting multiple currency tiers with live FX rates, approval workflows, and per-reseller pricing without letting the data model become a mess took several rounds of redesign. EF Core's owned types and table splitting helped keep the schema clean.

Building the C++ client alongside the API forced me to think about the protocol more carefully than I would have otherwise — every field in the request/response had to be intentional because changing it later meant updating both sides.

/ / /

Private project — closed source, not publicly available.