To generate a license key in Python, create a random unique string and sign it with a secret key that only your server holds. The random part makes each key unique; the signature is what makes a key impossible to forge or guess. This guide shows both the quick version and the secure version, with code you can paste in.
What is a license key?
A license key is a unique string you give a customer after they pay. When your software runs, it checks that key to decide whether to unlock the program and which features to turn on. The key itself is not the hard part. Making sure a key is genuine — and cannot be faked — is the part most tutorials skip.
The quick way: a random key
If you just need a unique, hard-to-guess string, the standard library is enough:
import secrets
def generate_key() -> str:
raw = secrets.token_hex(8).upper() # 16 hex characters
return "-".join(raw[i:i+4] for i in range(0, 16, 4))
print(generate_key()) # e.g. 3F9A-1C7E-B204-88DE
This produces keys like 3F9A-1C7E-B204-88DE. They are unique and impossible to guess. There is one big problem: you cannot tell a real one from a fake one. Anyone can generate a string that looks exactly like this, and your program has no way to know the difference.
Why random keys alone are not enough
A random key answers the question "is this unique?" but not the question "did I issue this?" To answer the second question, you need one of two things: a server that remembers which keys are real, or a signature that proves a key came from you. Without either, a user can invent their own key that passes your format check.
The secure way: signed keys
A signed key carries proof that you created it. You sign the random part with a secret that never ships inside your app, and later verify that signature. Here is a compact HMAC version:
import secrets, hmac, hashlib, base64
SECRET = b"keep-this-on-your-server-only"
def issue_key() -> str:
body = secrets.token_hex(8)
sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
tag = base64.urlsafe_b64encode(sig).decode()[:8]
return f"{body}.{tag}".upper()
def is_valid(key: str) -> bool:
try:
body, tag = key.lower().split(".")
except ValueError:
return False
expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
expected_tag = base64.urlsafe_b64encode(expected).decode()[:8]
return hmac.compare_digest(tag, expected_tag)
Now is_valid returns true only for keys you actually issued, because only your server knows SECRET. A user cannot forge a valid tag without it.
There is still a catch. If you verify keys inside the app that you ship to customers, the secret has to be in that app — which means a determined user can extract it. For anything you distribute, the verification (and the secret) belong on a server, and the app should ask the server, not check locally. Better still, use public-key signatures (Ed25519), where the app only holds a public key that cannot be used to forge anything.
Generating keys at scale
Rolling your own is fine for a weekend project. In production you also need to store keys, tie them to customers, set expiry dates, revoke leaked keys, limit devices, and count activations. That is a lot of plumbing. A licensing service handles it: you call an endpoint, it returns a key bound to a customer, and it verifies keys with signed responses so a fake server cannot bypass the check.
# With a licensing service, issuing a key is one call:
# key = api.create_license(product_id, customer="jane@example.com", expires_in_days=365)
Should you build this yourself?
Build it yourself if it is a learning exercise or an internal tool. For a product you sell, the honest answer is usually no — not because the key generation is hard, but because everything around it (signed verification, device binding, revocation, offline support) is easy to get subtly wrong in ways that only show up after someone cracks it. Use a vetted library or a service, and spend your time on your actual product.
Want keys that are signed, bound to devices, and verified so a fake server cannot fake them? Create a free account and generate your first key in a couple of minutes.
Frequently asked questions
What is a software license key?
A software license key is a unique string that unlocks a program for one customer. When the software starts, it checks the key against a server or a signature to confirm the user paid for it and to control which features they can use.
How do I generate a license key in Python?
Generate a random unique string with the secrets module, then sign it with a secret key your server holds using HMAC. The random part makes it unique; the signature makes it impossible to forge or guess a valid key.
Are randomly generated license keys secure?
A random key is unguessable, but on its own it is not secure, because anyone can generate a similar-looking string. Security comes from being able to verify that a key is genuine — which requires a signature or a server lookup, not just randomness.
How long should a license key be?
At least 16 characters of randomness (about 80 bits) is plenty to make guessing impossible. Most keys are formatted in groups, such as XXXX-XXXX-XXXX-XXXX, to make them easier to read and type.
Can I validate a license key offline?
Yes. Issue a signed license file that embeds the key, expiry, and a cryptographic signature. The application verifies the signature locally with a public key, so no internet connection is needed.