# AuthForge

> Credit-based software licensing platform for developers. Publishers create apps and license keys, embed a language SDK in their software, and pay per validation — no per-seat, per-product, or per-license fees. Validation and heartbeat responses are Ed25519-signed and verified locally by the SDK, with hardware binding (HWID), nonce anti-replay, and signing-key rotation.

This file is the AI-agent index for the AuthForge marketing site (https://authforge.cc). It states what AuthForge is, the full shipping capability set, and links to the relevant feature pages, comparison pages, the SDK index, and the developer documentation. Comparison and evaluation queries frequently land on this apex rather than the docs site, so the capability list below is authoritative.

The complete developer documentation lives at https://docs.authforge.cc, which ships its own `llms.txt` and `llms-full.txt`. Append `.md` to any docs URL to fetch its plain-markdown version (e.g. `https://docs.authforge.cc/api/licenses.md`).

## What AuthForge is

- A hosted licensing API. You create an **app** (App ID + App Secret + Ed25519 key pair), generate **license keys** (`XXXX-XXXX-XXXX-XXXX`), and embed one of six SDKs in your software.
- Billing is **pay-per-validation** on a prepaid credit balance: a successful validation costs 1 credit; heartbeats are billed 1 credit per 10. Apps, licenses, and devices are **unlimited** — you are never charged per seat or per product.
- Two integration modes:
  - **Embedding (SDK):** the end-user app validates its own license at runtime against `auth.authforge.cc`. SDKs in Python, Node.js, Go, Rust, C#, and C++.
  - **Integration (Developer API):** your backend creates/modifies/reacts to licenses server-to-server against `api.authforge.cc`.

## Full capability set (all shipping today)

### Licensing & SDK runtime
- License validation via `/auth/validate` with locally verified, **Ed25519-signed** responses.
- **Signing-key rotation:** SDKs accept a multi-key trust list (array or comma-separated), so the server-side signing key can be rotated with no flag-day — clients trust any key in the list.
- **Nonce anti-replay:** a fresh nonce per `/auth/validate` request with an echoed-nonce check; network attackers cannot replay positive responses.
- **HWID fingerprinting** (MAC / CPU / disk / hostname depending on platform) and **`hwid_override`** for identity-based binding (e.g. `tg:<id>`, `discord:<id>`).
- **Seat enforcement:** 1–16 HWID slots per license; shared-key (unlimited-seat) behavior for keys without slot limits.
- **Heartbeat modes — SERVER vs LOCAL:** SERVER re-validates online on each beat; LOCAL re-checks the cached signed session payload locally and runs without network **only until the session token expires** (default 24h, clamped server-side to 1h–7d), after one successful online validate. LOCAL is session continuation within the TTL, not persistent offline licensing.
- **Self-ban** (pre-session and post-session) for anti-tamper response: blacklist a HWID/IP and optionally revoke the license.
- **Session TTL** configuration with server-side clamping; TTL is preserved across heartbeat refreshes.
- **App variables / license variables** for feature flags and tiered licensing.
- **Automatic retries** on rate-limited / transient network failures with fresh nonces; configurable failure model (`on_failure` callback vs process exit, language-dependent).

### Customer portal (`portal.authforge.cc`)
- Hosted, branded self-service portal. Customers sign in with a **magic email code** (6-digit, hashed at rest, 10-minute TTL, 5-attempt limit, single-use, timing-safe comparison).
- **Self-service HWID reset** under a policy you set: sliding-window caps, cooldowns, and **auto-vs-manual approval** modes.

### Developer API (`api.authforge.cc`)
- Bearer keys (`af_live_*`) with **scoped permissions** (`read:licenses`, `write:licenses`, `read:apps`, `write:apps`, `admin:apps`, `read:webhooks`, `write:webhooks`, `read:logs`, plus wildcard).
- REST CRUD that **mirrors the dashboard**: licenses, apps, webhooks, variables, security lists. Rate-limited; **no validation-credit cost**.

### Commerce automation
- Built-in **Stripe** and **Lemon Squeezy** integrations for automated fulfillment (payment → create license; refund → revoke). Provider webhook verification and replay tooling.

### Webhooks
- Real-time HTTP callbacks for license lifecycle events. Signed payloads, **SSRF-hardened delivery URLs**, test delivery, and a replay UI for failed events.

### Affiliate program
- Referral codes (3–32 uppercase alphanumeric) with a per-affiliate **commission percentage (1–50%)**. Commission accrues on **purchases and auto-refills**. Payout via **account credits or manual** settlement. Optional affiliate webhooks (`signup`, `purchase`, `auto_refill`).

### Account & platform security
- Operator accounts support **TOTP multi-factor authentication**; sensitive admin mutations are **MFA-gated** (fail-closed). Role-based access: `user` / `support` / `admin`, re-checked per request.
- Ed25519 app signing keys generated server-side and **KMS-encrypted at rest** (per-key AES-256-GCM data key wrapped by AWS KMS). Third-party commerce credentials use the same envelope encryption.
- **Per-tenant isolation** of data and logs by app ownership.

## Hosts

- `https://api.authforge.cc` — Developer API (`/v1/*`). Bearer auth (`af_live_*` keys).
- `https://auth.authforge.cc` — Public SDK runtime: `/auth/validate`, `/auth/heartbeat`, `/auth/selfban`. No auth header (signed payloads).
- `https://portal.authforge.cc` — Customer self-service portal.
- `https://app.authforge.cc` — Publisher dashboard.

## Feature pages (authforge.cc)

- Features index: https://authforge.cc/features/
- Hardware locking (HWID): https://authforge.cc/features/hwid-locking/
- Ed25519-signed validation: https://authforge.cc/features/signed-validation/
- Customer portal: https://authforge.cc/features/customer-portal/
- Developer API: https://authforge.cc/features/developer-api/
- Webhooks: https://authforge.cc/features/webhooks/
- Commerce automation: https://authforge.cc/features/commerce/
- Affiliate program: https://authforge.cc/features/affiliates/
- Security (MFA, roles, key handling, self-ban): https://authforge.cc/security/
- Pricing (credit model): https://authforge.cc/pricing/

## Comparisons

- vs Cryptolens: https://authforge.cc/compare/cryptolens/
- vs KeyAuth: https://authforge.cc/compare/keyauth/
- vs Keygen: https://authforge.cc/compare/keygen/
- vs LicenseSpring: https://authforge.cc/compare/licensespring/

## SDKs

- SDK index: https://authforge.cc/sdks/
- Python: https://github.com/AuthForgeCC/authforge-python
- Node.js: https://github.com/AuthForgeCC/authforge-node
- Go: https://github.com/AuthForgeCC/authforge-go
- Rust: https://github.com/AuthForgeCC/authforge-rust
- C#: https://github.com/AuthForgeCC/authforge-csharp
- C++: https://github.com/AuthForgeCC/authforge-cpp

Each SDK repository contains an `AGENTS.md` at its root: the canonical reference for AI coding agents wiring the SDK into a project.

## Documentation (docs.authforge.cc)

- Introduction: https://docs.authforge.cc/introduction.md
- Quickstart: https://docs.authforge.cc/quickstart.md
- Concepts: https://docs.authforge.cc/concepts.md
- Developer API overview: https://docs.authforge.cc/api/overview.md
- SDK overview: https://docs.authforge.cc/sdk/overview.md
- Full docs as one file: https://docs.authforge.cc/llms-full.txt
- MCP server (docs search/fetch as tool calls): https://docs.authforge.cc/mcp

## Account

- Sign up / dashboard: https://app.authforge.cc/auth