KeyPort LogoKeyPort
Get started
Back to all guides
Security• April 2026

How to Prevent Software Piracy Without DRM — The API Approach

DRM is brittle and hurts legitimate users. Here's how a license validation API gives you real software protection without the headaches.

AK
Alex KimAuthor • 5 min read

Traditional DRM sounds good in theory and fails in practice. It's been cracked for everything from Blu-ray to AAA games within days of release. For independent software, it's usually worse: DRM hurts your paying customers while barely slowing down determined pirates.

There's a better approach: server-side license validation via API.

Why DRM Fails for Independent Software

DRM for indie software typically relies on:

  • Local key checks — easily patched with a hex editor or debugger
  • Certificate pinning — bypassed by proxy tools
  • Obfuscation — buys days, not years

The asymmetry is brutal: a pirate only has to break it once and the crack spreads everywhere. Meanwhile, legitimate users are getting false "invalid license" errors.

The API Approach

Instead of local cryptographic checks, your app delegates validation to a server:

  1. App starts up
  2. App calls POST /api/v1/validate with the license key
  3. Server checks: does this key exist? Is it expired? Is this IP allowed?
  4. Server returns valid: true/false with a reason
  5. App shows full UI or blocks accordingly
Traditional DRM Local key checks Embedded secrets Easy to crack locally Broken once, cracked everywhere Server-Side API HTTP request validation No local secrets Instant revocation Can't patch out of binary

The check is server-side and can't be patched out of the binary without losing internet access. IP limits ensure a key can only be used from a limited number of addresses.

Why This Works Better

No local secrets to extract. There's no cryptographic key embedded in the binary — the app just makes an HTTP request and trusts the response.

Revocation works instantly. If a cracked key appears in a forum, revoke it in your dashboard. It stops working globally within seconds, no update required.

Real-time visibility. You see validation activity: which keys are being used, from where, how often. A key being validated from 50 different IPs is a clear signal.

Implementing the Offline Grace Period

async function checkLicenseOnStartup(): Promise<boolean> {
  try {
    const response = await fetch('https://api.keyport.sbs/api/v1/validate', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${PRODUCT_API_KEY}`
      },
      body: JSON.stringify({ license_key: userLicenseKey }),
      signal: AbortSignal.timeout(8000)
    });

    const result = await response.json();

    if (result.valid) {
      cacheValidResult(result); // store with timestamp
      return true;
    }

    showBlockedUI(result.status);
    return false;

  } catch (error) {
    // Network error: use cached result with grace period
    return handleOfflineFallback();
  }
}

The Trade-offs

This approach requires internet connectivity. For fully offline software, cache the last successful validation with a TTL (7 days is standard). If offline for longer, require one online validation before continuing.

Determined pirates can still reverse-engineer the validation call and point it at a mock server — but that requires real effort. It's not a one-click crack. And you can add signature verification (KeyPort Enterprise) to make even this harder.

API validation stops ~95%+ of casual piracy — users who shared a key, grabbed a crack without checking, or just forgot to pay. That's most of your loss.

Scale your product with KeyPort

Free tier available for launch and small production workloads. No credit card required.

Get started freeRead the docs