A practical guide to building a license server on Cloudflare Workers — no backend, no VPS, and it runs on the free tier.
So you’ve shipped a small desktop app, a plugin, or a private tool. Sales are coming in. At some point someone asks: “Can I install this on my other computer too?”
And you realize you have no way to answer that question programmatically.
You could ignore it. You could do it manually. Or you could spend a weekend building a tiny license server that handles it for you — and not have to pay anything to run it.
That last option is what this post is about.
What We’re Building
A license API with five endpoints:
| Endpoint | What it does | Admin only? |
|---|---|---|
/register-license | Creates a license key for an email | Yes |
/license-info | Looks up license details | Yes |
/activate | Activates a license on a machine | No |
/validate | Checks if this machine is activated | No |
/deactivate | Removes a machine from the license | No |
Each license can be activated on up to three machines. You can change that number.
The whole thing runs on:
- Cloudflare Workers — handles the API logic
- Cloudflare KV — stores license data
- Wrangler CLI — deploys everything
How the Data Is Stored
When you create a license, two records go into KV.
One maps the customer’s email to their key:
email:customer@example.com -> ABCD-EFGH-2345-JKLMThe other stores the actual license object:
license:ABCD-EFGH-2345-JKLM -> license dataThe license object itself is JSON:
{
"key": "ABCD-EFGH-2345-JKLM",
"email": "customer@example.com",
"createdAt": 1719000000000,
"maxMachines": 3,
"disabled": false,
"machines": [
{
"machineId": "machine-001",
"activatedAt": 1719000000000
}
]
}Simple. No fancy schema, no migrations, nothing to maintain.
Before You Start
You’ll need:
- A Cloudflare account (free)
- Node.js installed
- Wrangler CLI
Install Wrangler if you haven’t already:
npm install -g wranglerLog in:
wrangler loginYour browser opens and asks you to authorize. Click through, come back to the terminal.
Step 1: Create the Worker Project
npm create cloudflare@latest license-serverWhen it asks what to create, go with Hello World Worker, JavaScript, no framework.
Then:
cd license-serverYou’ll have something like:
license-server/
src/
index.js
wrangler.toml
package.jsonStep 2: Create a KV Namespace
KV is where we store the license data. Run:
wrangler kv namespace create APP_DATACloudflare will print something like this:
[[kv_namespaces]]
binding = "APP_DATA"
id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"Copy that block and paste it into your wrangler.toml. Your config should end up looking like:
name = "license-server"
main = "src/index.js"
compatibility_date = "2024-06-01"
[[kv_namespaces]]
binding = "APP_DATA"
id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"The binding name APP_DATA is what the Worker code uses to access KV. Keep it matching.
Step 3: Add an Admin Secret
You don’t want just anyone creating licenses. The admin endpoints are protected by a secret header.
wrangler secret put ADMIN_SECRETEnter something long and random when prompted. Something like:
my-super-secret-admin-key-do-not-shareA few things to be clear about here: do not put this secret in your app binary, your Electron renderer, your frontend JavaScript, or anywhere a user could extract it. It’s only for your own scripts, your backend, or your terminal.
Step 4: Write the Worker
Open src/index.js and replace the contents with the license server code.
The Worker handles routing, KV reads and writes, admin authorization, and JSON responses. Here’s the full code:
const MAX_MACHINES = 3;
const ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
function generateKey() {
const segment = () =>
Array.from({ length: 4 }, () =>
ALPHABET[Math.floor(Math.random() * ALPHABET.length)]
).join("");
return `${segment()}-${segment()}-${segment()}-${segment()}`;
}
function isAdmin(request, env) {
const auth = request.headers.get("Authorization") || "";
return auth === `Bearer ${env.ADMIN_SECRET}`;
}
function json(data, status = 200) {
return new Response(JSON.stringify(data), {
status,
headers: { "Content-Type": "application/json" },
});
}
export default {
async fetch(request, env) {
const url = new URL(request.url);
const path = url.pathname;
if (request.method === "OPTIONS") {
return new Response(null, {
headers: {
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "POST, OPTIONS",
"Access-Control-Allow-Headers": "Content-Type, Authorization",
},
});
}
if (request.method !== "POST") {
return json({ success: false, message: "Method not allowed" }, 405);
}
let body = {};
try {
body = await request.json();
} catch {
return json({ success: false, message: "Invalid JSON" }, 400);
}
// Admin: register a new license
if (path === "/register-license") {
if (!isAdmin(request, env)) return json({ success: false, message: "Unauthorized" }, 401);
const { email } = body;
if (!email) return json({ success: false, message: "Email required" }, 400);
const existing = await env.APP_DATA.get(`email:${email}`);
if (existing) {
return json({ success: false, message: "Email already registered", key: existing });
}
const key = generateKey();
const license = {
key,
email,
createdAt: Date.now(),
maxMachines: MAX_MACHINES,
disabled: false,
machines: [],
};
await env.APP_DATA.put(`license:${key}`, JSON.stringify(license));
await env.APP_DATA.put(`email:${email}`, key);
return json({ success: true, key, email });
}
// Admin: look up license info
if (path === "/license-info") {
if (!isAdmin(request, env)) return json({ success: false, message: "Unauthorized" }, 401);
const { email, key } = body;
let licenseKey = key;
if (!licenseKey && email) {
licenseKey = await env.APP_DATA.get(`email:${email}`);
}
if (!licenseKey) return json({ success: false, message: "License not found" }, 404);
const raw = await env.APP_DATA.get(`license:${licenseKey.toUpperCase()}`);
if (!raw) return json({ success: false, message: "License not found" }, 404);
return json({ success: true, license: JSON.parse(raw) });
}
// Public: activate a machine
if (path === "/activate") {
const { key, machineId } = body;
if (!key || !machineId) return json({ success: false, message: "key and machineId required" }, 400);
const raw = await env.APP_DATA.get(`license:${key.toUpperCase()}`);
if (!raw) return json({ success: false, message: "License not found" }, 404);
const license = JSON.parse(raw);
if (license.disabled) return json({ success: false, message: "License disabled" }, 403);
const already = license.machines.find((m) => m.machineId === machineId);
if (already) {
return json({ success: true, premium: true, remainingSlots: license.maxMachines - license.machines.length });
}
if (license.machines.length >= license.maxMachines) {
return json({ success: false, message: "Activation limit exceeded" }, 403);
}
license.machines.push({ machineId, activatedAt: Date.now() });
await env.APP_DATA.put(`license:${key.toUpperCase()}`, JSON.stringify(license));
return json({ success: true, premium: true, remainingSlots: license.maxMachines - license.machines.length });
}
// Public: validate a machine
if (path === "/validate") {
const { key, machineId } = body;
if (!key || !machineId) return json({ success: false, premium: false });
const raw = await env.APP_DATA.get(`license:${key.toUpperCase()}`);
if (!raw) return json({ success: false, premium: false });
const license = JSON.parse(raw);
if (license.disabled) return json({ success: false, premium: false });
const activated = license.machines.some((m) => m.machineId === machineId);
return json({ success: activated, premium: activated });
}
// Public: deactivate a machine
if (path === "/deactivate") {
const { key, machineId } = body;
if (!key || !machineId) return json({ success: false, message: "key and machineId required" }, 400);
const raw = await env.APP_DATA.get(`license:${key.toUpperCase()}`);
if (!raw) return json({ success: false, message: "License not found" }, 404);
const license = JSON.parse(raw);
license.machines = license.machines.filter((m) => m.machineId !== machineId);
await env.APP_DATA.put(`license:${key.toUpperCase()}`, JSON.stringify(license));
return json({ success: true });
}
return json({ success: false, message: "Not found" }, 404);
},
};A few things worth noting:
- License keys use a custom alphabet that removes
I,O,0, and1— the characters people always confuse when typing. - Keys are stored and looked up in uppercase so
k7fh-wp3a...andK7FH-WP3A...are the same thing. - If a machine that’s already activated calls
/activateagain, it just returns success without consuming another slot. This matters for reinstalls.
Step 5: Deploy
wrangler deployYou’ll get a URL like:
https://license-server.your-name.workers.devThat’s your API. Save it.
Testing It
Set up two shell variables so the commands are less verbose:
API_URL="https://license-server.your-name.workers.dev"
ADMIN_SECRET="my-super-secret-admin-key-do-not-share"Register a License
curl -X POST "$API_URL/register-license" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ADMIN_SECRET" \
-d '{"email":"customer@example.com"}'Response:
{
"success": true,
"key": "K7FH-WP3A-M9QZ-B2CD",
"email": "customer@example.com"
}Send that key to your customer however you want — email, your payment platform’s fulfillment flow, a manual Slack message, whatever works.
Register the Same Email Again
curl -X POST "$API_URL/register-license" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ADMIN_SECRET" \
-d '{"email":"customer@example.com"}'{
"success": false,
"message": "Email already registered",
"key": "K7FH-WP3A-M9QZ-B2CD"
}It won’t create a duplicate. Handy if your webhook fires twice or you accidentally run the command again.
Look Up License Info
By email:
curl -X POST "$API_URL/license-info" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ADMIN_SECRET" \
-d '{"email":"customer@example.com"}'Or by key:
curl -X POST "$API_URL/license-info" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ADMIN_SECRET" \
-d '{"key":"K7FH-WP3A-M9QZ-B2CD"}'Response:
{
"success": true,
"license": {
"key": "K7FH-WP3A-M9QZ-B2CD",
"email": "customer@example.com",
"createdAt": 1719000000000,
"maxMachines": 3,
"disabled": false,
"machines": []
}
}No machines activated yet — the customer just got the key.
Activation
Your app calls /activate when the customer enters their key for the first time.
curl -X POST "$API_URL/activate" \
-H "Content-Type: application/json" \
-d '{"key":"K7FH-WP3A-M9QZ-B2CD","machineId":"machine-001"}'{
"success": true,
"premium": true,
"remainingSlots": 2
}Two slots left. The customer can still activate on two more machines.
If they’ve already used all three:
{
"success": false,
"message": "Activation limit exceeded"
}Your app should show something friendly here, like:
This license has been activated on the maximum number of devices.
Deactivate another device, or contact support if you need help.Validation
Your app calls /validate on every startup.
curl -X POST "$API_URL/validate" \
-H "Content-Type: application/json" \
-d '{"key":"K7FH-WP3A-M9QZ-B2CD","machineId":"machine-001"}'If the machine is activated:
{
"success": true,
"premium": true
}If not — wrong key, disabled license, or the machine was never activated:
{
"success": false,
"premium": false
}Deactivation
When a customer wants to move to a new computer:
curl -X POST "$API_URL/deactivate" \
-H "Content-Type: application/json" \
-d '{"key":"K7FH-WP3A-M9QZ-B2CD","machineId":"machine-001"}'{
"success": true
}The machine is removed. The slot is freed. The customer can activate on their new machine.
You can expose this through your app’s settings screen, or just handle it manually through support emails. Either works.
Choosing a Machine ID
Your app needs a stable, unique ID per machine. The important thing is: don’t send raw hardware identifiers like MAC addresses or CPU serial numbers to a third-party server. It’s unnecessary and feels invasive.
The simplest approach that works fine for most apps:
- On first launch, generate a random UUID.
- Save it to local app settings (or wherever makes sense for your platform).
- Use that UUID as the machine ID forever.
machineId = random UUID saved in app configIf you want a bit more anonymization:
machineId = SHA256(local install UUID)It’s stable, unique, and you’re not shipping anything identifiable off the device.
The App Flow
First time a customer enters their key
- App generates (or loads) a local machine ID.
- User types in their key.
- App calls
/activate. - If successful, save the key locally and unlock premium features.
Every time the app starts after that
- Load saved key and machine ID.
- Call
/validate. - If valid, premium stays on.
- If not valid, drop back to free mode and prompt the user.
Simple JavaScript Client
Your app doesn’t need much. Two functions cover the main cases:
const API_URL = "https://license-server.your-name.workers.dev";
async function activateLicense(key, machineId) {
const res = await fetch(`${API_URL}/activate`, {
method: "POST",
headers: { "content-type": "application/json" },
body: JSON.stringify({ key, machineId }),
});
return res.json();
}
async function validateLicense(key, machineId) {
const res = await fetch(`${API_URL}/validate`, {
method: "POST",
headers: { "content-type": "application/json" },
body: JSON.stringify({ key, machineId }),
});
return res.json();
}Using them:
const result = await activateLicense("K7FH-WP3A-M9QZ-B2CD", "machine-001");
if (result.success && result.premium) {
console.log("Unlocked");
} else {
console.log("Not valid");
}What About CORS?
Desktop apps and backend scripts don’t need it. If you’re calling the Worker from a browser (for a web app), add this to your Worker’s response headers:
Access-Control-Allow-Origin: https://yourdomain.com
Access-Control-Allow-Methods: POST, OPTIONS
Access-Control-Allow-Headers: Content-Type, AuthorizationThe OPTIONS handler in the code above already returns those headers. You just need to tighten the Allow-Origin value if you don’t want to allow all origins.
Connecting to Your Payment Flow
This server doesn’t process payments — that’s intentional. It’s just the license layer.
A simple integration could look like this:
- Customer pays through Stripe, Lemon Squeezy, Gumroad, Paddle, etc.
- Your backend (or a webhook) receives the purchase event.
- It calls
/register-licensewith the customer’s email. - The generated key gets emailed to the customer.
If you’re doing manual sales right now, just run the curl command yourself and copy-paste the key into an email. That’s genuinely fine when you’re starting out.
The disabled Field
The license JSON includes a disabled flag:
{
"disabled": false
}Both /activate and /validate check this. If it’s true, both endpoints return failure.
There’s no built-in admin endpoint to flip this yet — but you can edit the KV record manually from the Cloudflare dashboard. Just navigate to Workers & Pages → KV → your namespace, find the license key, and edit the JSON.
Useful for: refunds, chargebacks, test keys you want to expire, suspicious accounts.
Limitations Worth Knowing
Client-side checks can be bypassed
If your app runs locally, a determined person can patch it. That’s true for basically every client-side licensing system.
The goal here isn’t to make cracking impossible. It’s to keep honest customers honest and discourage casual sharing. That’s usually enough for small indie products.
Cloudflare KV is eventually consistent
For normal usage this doesn’t matter. But if two activation requests come in at the exact same millisecond, it’s theoretically possible to exceed the machine limit by one. In practice, for an indie product, you’ll probably never hit this.
If you need stronger guarantees, look at Cloudflare Durable Objects or D1.
The admin secret is the one thing you must protect
If someone gets it, they can create unlimited licenses. Keep it only on your server, your local machine, and inside your webhook handler. Never in your app bundle.
Things to Add When You’re Ready
Once the basics are working:
- An admin endpoint to disable a license (instead of editing KV manually)
- Expiration dates
- Endpoints to reset or increase machine limits for a customer
- A small internal dashboard for managing licenses
- Webhook integration with your payment provider
- Signed offline tokens (for apps that can’t call home)
But don’t build any of that yet. Ship the simple version first and see if you actually need it.
Troubleshooting
Unauthorized
Your request is missing or has a wrong Authorization header. It should be:
Authorization: Bearer YOUR_ADMIN_SECRETDouble-check the secret you set with wrangler secret put ADMIN_SECRET. Redeploy after changing secrets if needed.
License not found
Make sure the key is correct. The server normalizes to uppercase, so lowercase input is fine — but extra spaces or wrong characters will cause a miss.
Also confirm you’re hitting the right Worker URL.
Activation limit exceeded
All machine slots are used. Call /license-info to see which machines are activated. Deactivate one to free a slot.
KV binding error
Your wrangler.toml needs:
[[kv_namespaces]]
binding = "APP_DATA"
id = "your-kv-namespace-id"The binding name in the TOML (APP_DATA) must match what the code references. If you rename one, rename both.
That’s It
For a lot of indie projects, this is genuinely all you need. No VPS, no database, no monthly bill until you’re doing real volume.
You’ve got:
- license key generation
- email-to-key mapping
- machine activation with a configurable limit
- machine validation on startup
- deactivation when customers need to move devices
- admin-only endpoints for creating and viewing licenses
Start here. Add the fancier stuff only if you actually run into the limits.
If you find this post helpful
