Licensing & Auth Platform
A full-stack licensing and subscription management system — REST API, React admin dashboard, Discord bot, and a C++ client SDK. Built to handle HWID-bound licenses, multi-tier resellers, and role sync across Discord guilds.
This started as a simple license checker and grew into a full platform. I needed a way to manage licenses, customers, and subscriptions for a private software project — and decided to build the whole thing properly rather than patch something together.
The end result is four components that work together: an ASP.NET Core API as the backbone, a React dashboard for administration, a Discord bot for user-facing interactions, and a C++ example app that shows how a client integrates with the auth system.
Overview
The platform handles the full lifecycle of a software license — creation, activation, HWID binding, renewal, and revocation. On top of that it supports a reseller tier, meaning other people can sell licenses at their own prices with their own approval workflows. Everything is tracked through audit logs, and a Discord bot lets end users reset their HWID or request username changes without touching the dashboard.
The API
Built on ASP.NET Core 8 with Entity Framework Core 9 and SQL Server. The API handles everything — auth, license management, customer records, proxy assignment, reseller billing, and background maintenance tasks.
Authentication uses short-lived JWT access tokens (15 minutes) stored in httpOnly cookies alongside a 7-day refresh token. CSRF is handled with double-submit cookies — a pattern from the header must match the cookie on all state-changing requests. Rate limiting sits on the auth endpoints (10 req/min) and license endpoints to prevent brute-force.
The role system covers several levels:
- Admin — full access
- Moderator — customer and license management
- Sales Manager — approval workflows and direct sales
- Reseller — self-service portal for their own customers
- Discord Bot — scoped API key access for bot operations
Background services run on a timer to clean up expired tokens, purge soft-deleted records past retention, poll FX rates for currency conversion in the reseller billing system, and deliver security event webhooks.
The Web UI
The admin dashboard is a React 18 SPA written in TypeScript, built with Vite and styled with Tailwind CSS and Radix UI components. It's served as static files from the API's wwwroot/, so there's no separate hosting — one deployment covers both.
The dashboard covers every part of the system: license CRUD, user management, customer profiles, subscription types, reseller accounts, sales approval queues, Discord bot configuration per guild, and a full audit log viewer with filtering.
The Discord Bot
A .NET 8 Worker Service running as a Windows Service, using Discord.NET. The bot communicates with the API via a scoped API key and supports multiple guild instances from a single process.
It exposes two slash commands to end users:
/reset— resets the HWID binding on a license, letting the user move to a new machine/change-username— submits a username change request that goes to a staff approval queue
On the backend it also handles role sync — periodically checking subscription statuses and updating Discord roles to match, so a customer whose subscription lapses automatically loses their access role without any manual intervention.
The C++ Client SDK
A reference implementation in C++17 that shows how a desktop application integrates with the license system. It handles HWID fingerprinting, sends activation requests to the API, manages the session token, and can pull down asset updates (builds, config files) that the API serves per subscription tier.
The client uses WinHTTP for requests, BCrypt and CryptoAPI for the crypto side (RSA, AES-GCM, HMAC, SHA256), and optionally integrates VMProtect SDK for build obfuscation. String literals are encrypted at compile time with skCrypter to make static analysis harder.
Tech stack
ASP.NET Core 8— API frameworkEntity Framework Core 9— ORM with SQL ServerReact 18 + TypeScript— admin dashboardVite + Tailwind CSS + Radix UI— frontend build and componentsDiscord.NET 3.17— bot frameworkC++17— client SDKJWT Bearer + BCrypt— authentication and password hashingOpenTelemetry + Prometheus— metrics and observabilityGitHub Actions— CI pipeline, publishes to IIS on push
What I learned
This was the first project where I had to think seriously about the security model end to end — not just "does the API require a token" but things like what happens if a refresh token leaks, how to prevent timing attacks on license lookups, and how to make the audit trail tamper-evident. The double-submit CSRF pattern was new to me and took a few iterations to get right across the React frontend and the API middleware.
The reseller billing system was also more complex than expected. Supporting multiple currency tiers with live FX rates, approval workflows, and per-reseller pricing without letting the data model become a mess took several rounds of redesign. EF Core's owned types and table splitting helped keep the schema clean.
Building the C++ client alongside the API forced me to think about the protocol more carefully than I would have otherwise — every field in the request/response had to be intentional because changing it later meant updating both sides.
Private project — closed source, not publicly available.