Desktop app developers leave serious money on the table every month. Not because their product isn’t good — but because their license key setup is either nonexistent, broken, or built on a provider that takes 10% of every sale. This guide cuts through the noise and shows you exactly how to sell software with license keys in 2026: which platforms handle everything end-to-end, when to build your own stack, and how to avoid the chargebacks and piracy traps that kill indie dev revenue.
The short version: if you’re an indie developer selling a desktop app or one-time-purchase SaaS, you have two real choices. Use a Merchant of Record (MoR) with built-in license management — like Dodo Payments or Paddle — and skip PCI compliance headaches entirely. Or pair a dedicated license server (Keygen or Cryptolens) with a payment processor and own the stack completely. Everything else is a compromise.
What Is Software License Key Management — and Why It Matters for Developers
A software license key is a unique token your app validates to confirm a purchase is legitimate. The mechanics are simple: customer pays → payment webhook fires → key gets generated → app calls activate API on first run → app calls validate API on every subsequent run. What’s not simple is choosing the right infrastructure to make all of that work reliably across timezones, devices, and edge cases.
Get it wrong and you’re dealing with:
- Pirated copies circulating on cracking forums within weeks of launch
- Chargebacks where the customer keeps the activated software
- No way to revoke access when someone disputes a payment
- Multi-device abuse where one license gets shared across a team
Get it right and you have a clean, automated system that handles thousands of activations without manual intervention — and lets you revoke or transfer licenses in two API calls.
License Key Management Platforms Compared in 2026
Here’s the full breakdown of every major option. The table includes pricing, what they’re actually good at, and whether they handle payments natively or require a separate provider.
| Platform | Pricing | Best For | License + Payments? | Offline Support | On-Premise Option |
|---|---|---|---|---|---|
| Dodo Payments | 4% + $0.40/txn (US domestic) | Indie SaaS, desktop apps, turnkey MoR | ✅ Yes (built-in) | Limited | No |
| Keygen.sh | From $99/mo (API tiers) + $995/yr whitelabel add-on | Programmable license APIs, enterprise SLA | ❌ Payments separate | ✅ Yes (SDKs) | Enterprise (custom) |
| Cryptolens | €0.40/active license/mo (1–1,000 licenses) | Per-seat billing, ISVs | ❌ Payments separate | ✅ Yes | ✅ Yes (paid add-on) |
| Paddle | 5% + $0.50/txn (MoR) | SaaS with compliance needs, Mac/Windows apps | ✅ Yes (via webhooks) | Limited | No |
| Gumroad | 10% flat fee | Simple storefronts, creators | ✅ Yes | No | No |
| Payhip | Free plan: 5%/txn; Plus: $29/mo + 2%; Pro: $99/mo + 0% | Digital creators, low volume | ✅ Yes | No | No |
| SendOwl | From $18/mo + transaction fees | Mid-tier license delivery layer | Partial (Stripe/PayPal) | No | No |
| Fungies.io | From 2.9% + $0.30/txn | SaaS + digital products, full MoR | ✅ Yes | No | No |
Option 1: Use an All-in-One MoR (Fastest Path to Market)
If you want to launch in a weekend and never think about tax compliance again, a Merchant of Record is the move. An MoR becomes the legal seller on record for your product — they handle VAT, sales tax across 50+ US states, EU OSS, and disputes. You just get paid.
Dodo Payments is the standout option for indie developers in 2026. Their license key system is genuinely integrated — not bolted on:
- Automatically generates and emails unique keys on purchase
- Exposes
/activateand/validateAPIs your app calls directly - Enforces per-device activation limits you configure in the dashboard
- Ties keys to subscriptions — key expires when subscription lapses
- Lets you disable keys instantly from the dashboard (refund protection)
The fee is 4% + $0.40 per domestic US transaction, with additional fees for international, BNPL, and PayPal flows. That’s higher than raw Stripe, but you’re buying yourself out of PCI scope, global tax compliance, and building a license server from scratch. For most indie devs, that trade is worth it.
Paddle covers similar ground — 5% + $0.50 — with SOC 2 compliance, mature SDKs, and 240 req/min API rate limits. It integrates license delivery via webhooks and list fulfillment. Worth noting: Paddle explicitly restricts mixing its Mac SDK with third-party license SDKs, so check compatibility with your stack before committing.
Fungies.io is worth a look too — lower fees starting at 2.9% + $0.30, full MoR coverage, with digital product and license support built in.
Option 2: Dedicated License Servers (Maximum Control)
When you need offline activation, on-premise deployment, or enterprise SLAs, you leave the MoR world and plug in a dedicated license server. Two platforms dominate this space.
Keygen.sh
Keygen is built for developers who want to own every inch of the activation flow. Open-source SDKs cover Go, Rust, Node (with electron-builder and Tauri integrations), plus an OpenAPI spec you can code against directly. The activation model is fully programmable: create, activate, deactivate, validate, revoke — all via clean HTTP endpoints.
Pricing starts at $99+/month for API tiers, with paid add-ons:
- $995/year for whitelabel per domain
- $995/month for Premium Support SLA (99.99% uptime guarantee)
Rate limits are enforced at 60 requests/30 seconds and 500 requests/5 minutes per client — worth knowing before you build a validation flow that pings the server on every function call.
Cryptolens
Cryptolens takes a different pricing angle: per active license per month. At €0.40/license/month for 1–1,000 active licenses, costs scale naturally with your user base. Volume discounts kick in above 1,000 licenses.
What makes Cryptolens stand out is offline mode and the optional on-premise license server — critical for enterprise customers in regulated industries who can’t allow their apps to phone home. API rate limits scale by plan from 600 req/min on entry tiers to 6,000 req/min at the top.
Payments stay separate — wire it up to Stripe or Paddle via webhooks and call the Cryptolens API to issue or activate licenses on successful payment events.
How the License Activation Flow Actually Works
The core flow is identical whether you’re using Dodo Payments, Keygen, or Cryptolens. What changes is the API calls and who holds the license record.
| Step | What Happens | Who Does It |
|---|---|---|
| 1. Payment | Customer completes checkout | Payment processor (Stripe/Dodo/Paddle) |
| 2. Webhook fires | payment.succeeded event sent to your server |
Payment processor → your webhook endpoint |
| 3. Key generated | License record created with key string + activation limits | MoR platform or your server calling Keygen/Cryptolens API |
| 4. Key delivered | Key sent in confirmation email and success page | Platform email or your transactional email provider |
| 5. First activation | App calls POST /activate with key + device ID on first launch |
Your app → license API |
| 6. Ongoing validation | App calls GET /validate on each launch (or periodic check) |
Your app → license API |
| 7. Revocation | Admin disables key on refund or chargeback | You → admin dashboard or API call |
One important note: never call validate endpoints directly from client-side code without server-side verification. SendOwl explicitly warns against this. The right pattern is either: (a) call the license API server-side and pass a short-lived token to the client, or (b) sign your license validation responses so the client can verify them without a round-trip.
License Models: Which Type Do You Actually Need?
Before picking a platform, know which license model fits your product.
| License Type | Best For | How It Works | Revocation Trigger |
|---|---|---|---|
| Perpetual | One-time purchase desktop apps | Key never expires; activations limited by device count | Chargeback / dispute |
| Subscription-tied | SaaS, recurring revenue | Key active while subscription is paid; deactivated on cancellation | Payment failure / cancellation |
| Time-limited | Trials, annual plans | Expiry date set on license record | Expiry or early cancellation |
| Floating/concurrent | Team licenses, enterprise | N simultaneous activations allowed; heartbeat required | Seat count exceeded or subscription ends |
| Usage-based | API tools, AI SaaS | Credits decremented per use; top-up or subscription | Credits exhausted |
For floating licenses, the implementation requires a short TTL heartbeat — your app pings the server every N minutes to confirm it’s still active, and the server counts concurrent sessions. When the app closes (or the heartbeat stops), the seat frees up. Don’t try to implement this in the client — enforce the count server-side.
Handling Chargebacks and Refunds Without Getting Burned
This is where most indie devs get hurt. A customer buys, activates, downloads the full app — then disputes the charge 29 days later. You eat the $30 dispute fee (Dodo Payments charges exactly $30 per dispute; Stripe is similar) and the customer keeps a working copy of your software.
The fix: automate license revocation via webhooks. Every platform fires a refund or dispute event. Map those events to a revocation call:
payment.refunded→ callDELETE /licenses/{id}or disable the key in your dashboarddispute.created→ immediately disable the key and queue evidence collectionsubscription.canceled→ start a grace period (7–14 days), then deactivate onsubscription.expired
Dodo Payments and Paddle both document webhook flows for these events. Gumroad’s chargeback handling is more opaque — they “assist” but you bear the dispute cost. Payhip has a notably strict “no refunds” policy that shifts legal risk, but that’s a business decision, not a technical one.
Indie vs Scale: Which Stack Should You Choose?
Here’s the decision framework:
Choose an MoR (Dodo Payments, Paddle, Fungies.io) if:
- You’re launching a first product and want to move fast
- You’re selling to global customers and don’t want to deal with VAT/sales tax
- Your activation logic is straightforward (device-count limits, subscription-tied keys)
- Engineering time is your bottleneck — not license server customization
Choose Keygen or Cryptolens if:
- You need offline activation (regulated industries, air-gapped environments)
- You sell to enterprises who require on-premise license server deployment
- You have complex licensing models (floating seats, hardware-locked, per-module)
- You want programmable APIs and open SDKs for Electron, Tauri, or native apps
- You’re already processing payments elsewhere and just need the license layer
Choose Gumroad or Payhip if:
- You’re a solo creator selling occasional scripts, plugins, or templates
- Volume is low (<$5k/month) and simplicity beats cost optimization
- You don’t need device-level activation enforcement
Migration: Switching License Providers Without Burning Customers
If you’re moving from one license system to another — say, off Gumroad onto Dodo Payments — the migration checklist matters:
- Export license records from your old provider (check their export API first — not all support it)
- Map old key IDs to new license records in the target system
- Update webhook mappings — verify event names are equivalent across providers
- Ship an app update that points to the new activation/validation endpoint
- Keep old provider in read-only mode for a 30–60 day overlap period
- Email all existing customers with new license keys if key format changed
The hardest part is customers who activate on the old system during migration. Build an overlap window — run both validate endpoints in parallel and accept either key format for 60 days. Clunky, but it prevents customer support explosions.
Key Takeaways
- Pick MoR (Dodo, Paddle, Fungies) to move fast — they handle tax compliance, license generation, and delivery out of the box. Worth the slightly higher fee versus raw Stripe.
- Pick Keygen or Cryptolens for control — open SDKs, offline activation, on-premise options, and enterprise SLAs. Pair with Stripe or Paddle for payments.
- Always automate revocation — map refund and dispute webhooks to license deactivation calls. Never rely on manual intervention.
- Don’t call validate endpoints from client code directly — validate server-side or use signed tokens. Client-side license checks are bypassable.
- Plan your migration strategy before you launch — switching providers later is painful. Picking the right platform now saves weeks of engineering time in year two.
FAQ
What’s the best platform to sell software with license keys in 2026?
For indie developers and small teams, Dodo Payments offers the best balance of built-in license management and Merchant of Record compliance at 4% + $0.40/transaction. For enterprise or complex licensing needs, Keygen.sh (programmable APIs) or Cryptolens (per-seat pricing) paired with Paddle or Stripe for payments gives you the most control.
How do I prevent software piracy with license keys?
Enforce activation limits per device server-side (not client-side), validate the license on every app launch with a server call, and automate revocation on refunds and chargebacks via webhooks. For high-value software, add a heartbeat check every 24–48 hours. No system is 100% piracy-proof, but server-side enforcement with device fingerprinting covers 95%+ of casual piracy.
What’s the difference between a Merchant of Record and a payment processor for license key selling?
A payment processor (Stripe, PayPal) moves money — you handle tax compliance, disputes, and all legal obligations. A Merchant of Record (Dodo Payments, Paddle, Fungies.io) becomes the legal seller — they handle VAT, US sales tax, chargebacks, and PCI scope. For global software sales, MoR reduces your legal exposure significantly and is usually worth the higher per-transaction fee.
Can I sell desktop apps with license keys without a US LLC?
Yes — and this is a key advantage of using a Merchant of Record. Platforms like Dodo Payments, Paddle, and Fungies.io sell on your behalf globally, meaning customers in the US, EU, and elsewhere buy from the MoR entity, not from you directly. You receive payouts as a contractor. No US LLC, no US tax registration required. This is why non-US founders in Poland, India, Brazil, and Southeast Asia increasingly prefer MoR platforms.
Conclusion
Selling software with license keys doesn’t have to be a weekend-destroying engineering project. In 2026, the infrastructure is mature. For most indie developers, Dodo Payments or Fungies.io gets you from idea to revenue with license management included — no PCI compliance, no tax headaches, no custom activation server to maintain. For enterprise-grade control and offline deployments, Keygen or Cryptolens paired with a solid payment layer gives you every capability you need.
The mistakes to avoid: calling validate endpoints from client code, not automating refund-triggered revocation, and underestimating the complexity of migrating license providers after launch.
Ready to set up license key selling for your desktop app or SaaS? Get started with Fungies.io — full MoR coverage, license management included, lower fees than Paddle.
