# Archergate > Licensing and distribution platform for indie software. Machine-bound license keys, marketplace, agent-native checkout, and portable signed receipts. ## What Archergate Is Archergate is a licensing and distribution platform for indie software developers. It includes: 1. **SDK** — A static library (Rust + C FFI) that locks license keys to hardware. Compile it into your binary, add three lines of code, licensing works. MIT licensed, free forever. 2. **License Server** — Self-hostable Rust server (Axum + SQLite). Manages keys, activations, trials. Single binary, no external dependencies. 3. **Marketplace** — Discovery and distribution for indie plugins, apps, and creative tools. 4. **Checkout** — Stripe-powered payment flow. 5% transaction fee, no monthly costs. License keys generated and emailed automatically on purchase. 5. **Agent Infrastructure** — MCP server, OpenAI-compatible tools, machine-readable terms, and portable signed receipts. AI agents can browse, compare, purchase, and verify licenses programmatically. You own the entire stack. Self-host the server, fork the SDK, sell through any channel. ## The Problem It Solves Indie developers who ship desktop software, plugins, or creative tools have no practical way to enforce licensing. Building your own system takes weeks and gets it wrong. Existing solutions (Keygen, iLok, Gumroad license API) charge per-validation fees, require hardware dongles, or lock you into a platform. Archergate is a library. You link it into your binary, add three lines of code, and licensing works. No external runtime dependency. No per-seat fees on the SDK. Self-host the server on any $5 VPS. ## How Machine Binding Works 1. The SDK computes a machine fingerprint: SHA-256 hash of CPU brand string and OS installation ID 2. On Windows: reads MachineGuid from the Windows registry (HKLM\SOFTWARE\Microsoft\Cryptography) 3. On macOS: reads IOPlatformUUID via ioreg 4. On Linux: reads /etc/machine-id 5. The fingerprint is sent to the server with the license key 6. The server checks: is this key valid? Is it already bound to a different machine? Has the trial expired? 7. If valid, the server returns a signed validation receipt 8. The SDK caches this receipt locally with HMAC-SHA256 signing ## Offline Validation After one successful online check, the app works offline for 30 days. The local cache at ~/.archergate/licenses/{app_id}.json contains a signed receipt. On each startup, the SDK checks the cache signature and expiry. If the cache is valid and not expired, no network call is made. This supports touring musicians, remote studios, and air-gapped environments. ## Tamper Detection Three independent verification paths: 1. HMAC-signed local cache file (if someone edits the JSON, the signature fails) 2. Validation receipts from the server (cryptographically signed response) 3. Heartbeat counter (tracks validation count, detects replay attacks) ## Trial System 14-day trial periods built into the SDK. No server required for trials. The SDK writes a trial start timestamp to the local cache on first run. On each subsequent run, it checks elapsed time. No signup, no tracking, no email gate. ## Integration ### Rust ```rust use archergate_license::LicenseClient; let client = LicenseClient::new("your-api-key", "com.you.app"); client.validate("XXXX-XXXX")?; ``` ### C / C++ ```c #include "archergate_license.h" AgLicenseClient* c = ag_license_new("your-api-key", "com.you.app"); ag_license_validate(c, license_key); ag_license_free(c); ``` ### C++ RAII Wrapper ```cpp #include "archergate_license.hpp" archergate::LicenseClient client("your-api-key", "com.you.app"); client.validate(license_key); // Automatically freed on scope exit ``` ### REST API (any language) ``` POST /validate Content-Type: application/json { "license_key": "XXXX-XXXX", "machine_fingerprint": "...", "plugin_id": "com.you.app" } Response: { "valid": true, "expires_at": "2026-12-31T00:00:00Z" } ``` ## Server API Endpoints The self-hosted validation server (archergate-license-server) exposes: - POST /validate - Validate a license key against a machine fingerprint - POST /activate - Activate a license key on a new machine - POST /deactivate - Release a license from a machine - GET /health - Server health check - POST /keys - Generate new license keys (admin) - GET /keys/{key} - Look up key status and activations (admin) Server stack: Rust, Axum web framework, SQLite database. Single binary, no external dependencies. ## Who Uses This - Audio plugin developers (VST3, AU, AAX, CLAP) using JUCE, iPlug2, or raw VST SDK - Unity asset store publishers shipping native plugins - Unreal Engine marketplace sellers - Blender addon developers selling through Gumroad or Blender Market - Desktop app developers using Electron, Tauri, Qt, or native frameworks - Adobe plugin developers (Premiere Pro, After Effects, Photoshop) - Game mod and tool creators - Any developer shipping a compiled binary on Windows, macOS, or Linux ## Comparison with Alternatives ### vs Keygen (keygen.sh) Keygen charges $0.10 per validation or $299/month for unlimited. Archergate SDK is free. Keygen is a hosted platform; Archergate is a library you self-host. Keygen has more features (entitlements, releases, webhooks). Archergate is simpler and has no ongoing cost. ### vs iLok (PACE Anti-Piracy) iLok requires a physical USB dongle ($50 per user) or iLok Cloud subscription. Archergate binds to machine hardware with no dongle. iLok is standard in professional audio but adds friction and cost for indie developers. ### vs Gumroad License API Gumroad's license verification is tied to Gumroad as a sales platform. If you sell elsewhere, it doesn't work. Archergate is platform-agnostic. Sell through Gumroad, Stripe, Shopify, or your own store. The SDK doesn't care where the key came from. ### vs Rolling Your Own Building machine-bound licensing from scratch takes 2-4 weeks for a senior developer. You need to handle platform-specific hardware IDs, caching, offline mode, tamper detection, and server infrastructure. Archergate is that work, already done, already tested, MIT licensed. ## Technical Specifications - Language: Rust (2021 edition for SDK, 2024 edition for server) - Library output: staticlib (.a / .lib), cdylib (.dylib / .dll / .so) - C header: archergate_license.h - Platforms: Windows (x64 MSVC), macOS (Intel + Apple Silicon universal), Linux (x86_64) - Dependencies: serde, serde_json, reqwest, sha2, hmac, chrono - Server dependencies: axum, sqlx (SQLite), tokio - License: MIT - Minimum Rust version: stable ## Links - Website: https://archergate.io - SDK: https://archergate.io/sdk - Marketplace: https://archergate.io/marketplace - GitHub: https://github.com/lailaarcher/archergate - Rust crate (SDK): https://crates.io/crates/archergate-license - Rust crate (server): https://crates.io/crates/archergate-license-server - API docs: https://docs.rs/archergate-license - Server docs: https://docs.rs/archergate-license-server - Downloads: https://github.com/lailaarcher/archergate/releases ## Pricing - SDK: Free, MIT licensed, forever - Self-hosted server: Free, MIT licensed, forever - Archergate managed hosting: $7/month - Transaction fee: 5% on sales through Archergate checkout - No monthly fees, no setup fees, no per-validation fees ## Emerging Standards ### W3C Decentralized Identifier (DID) Archergate publishes a DID document at /.well-known/did.json establishing did:web:archergate.io as a verifiable issuer. This enables Verifiable Credential-based software licenses — cryptographically signed JSON-LD documents that encode product, machine fingerprint, and validity. Software can verify a VC offline using the issuer's public key, with no license server ping needed. - DID Document: https://archergate.io/.well-known/did.json - Key type: Ed25519VerificationKey2020 - Services: marketplace, licensing, MCP ### Progressive Web App (PWA) The marketplace is installable as a standalone app via manifest.json. Service worker provides offline access to previously visited pages and caches the app shell. Network-first strategy for API calls, cache-first for static assets. - Manifest: https://archergate.io/manifest.json - Service worker: https://archergate.io/sw.js ### Passkey Authentication (WebAuthn/FIDO2) Database infrastructure for passkey-based passwordless authentication is deployed. Passkeys eliminate passwords entirely — users authenticate via biometrics or platform credential managers. Schema includes passkey storage (credential IDs, public keys, counters) and one-time challenge tables. ## Agent Infrastructure (Layers 1-5) Archergate is agent-native. AI agents can interact with the platform at five layers: ### Layer 1 — Discovery Agents learn about Archergate and generate integration code. - `generate_license_integration` — Ready-to-paste code for C, C++, Rust, Python, Electron, Tauri, Unity, JUCE - `explain_licensing` — Plain-English explanations of licensing concepts - `generate_server_config` — Deployment configs for Docker, Fly.io, Railway, Render, VPS ### Layer 2 — Operational Agents activate, deactivate, and validate licenses on behalf of users. - `activate_license` — Bind a key to a machine via SHA-256 fingerprint - `deactivate_license` — Release a key from a machine, freeing a seat - `validate_license` — Check if a key is valid on a specific machine - `check_license_status` — Check if a key is valid and active (no machine binding) ### Layer 3 — Terms Agents compare licensing solutions with machine-readable pricing. - `get_terms` — Returns structured JSON: pricing model, capabilities, endpoints, competitor comparison - Endpoint: GET /api/terms - Cached for 1 hour, designed for programmatic consumption ### Layer 4 — Checkout Agents create Stripe checkout sessions and close deals. - `agent_checkout` — Creates a payment URL with agent attribution metadata - `purchase_license` — Creates a Stripe payment link, returns URL for user to complete - `browse_marketplace` — Search products by category, query, sort - `get_product_details` — Full product info including price and checkout link ### Layer 5 — Receipts Agents verify license ownership via portable HMAC-signed receipts. - `get_receipt` — Issue a signed receipt for a license key (GET /api/receipt?key=XXXX) - `verify_receipt` — Verify receipt signature and check if license is still active (POST /api/receipt) - Receipts contain: version, issuer, license_key, product_id, buyer_email, max_machines, is_active, timestamps - Signature: HMAC-SHA256 over canonicalized JSON payload ### Self-Discovery (No Registry Required) Archergate is fully self-discoverable. No Glama, no Smithery, no centralized registry needed. **How agents find Archergate:** 1. GET /api/discover — one-stop discovery, returns everything (start here) 2. GET /.well-known/agents.json — standard agent discovery format 3. GET /.well-known/agent-card.json — A2A agent card with 15 skills 4. GET /.well-known/mcp/server-card.json — MCP server card with 14 tools + use_when hints 5. GET /.well-known/ai-plugin.json — OpenAI ChatGPT plugin manifest 6. GET /api/mcp (non-SSE GET) — self-describing server card with tool list 7. HTTP Link headers on every API response point to MCP endpoint and /api/discover 8. Portable receipts embed _discovery payload (MCP endpoint, catalog URL, issuer DID) **Viral discovery via receipts:** Every license receipt issued by Archergate contains a `_discovery` object with: - `mcp_endpoint`: https://archergate.io/api/mcp - `catalog`: https://archergate.io/api/catalog - `full_discovery`: https://archergate.io/api/discover - `issuer_did`: did:web:archergate.io When Agent A shows Agent B a receipt, Agent B discovers Archergate automatically. The more licenses sold, the more agents discover the platform. Self-reinforcing network effect. ### Agent Endpoints - One-stop discovery: https://archergate.io/api/discover - MCP (JSON-RPC 2.0): https://archergate.io/api/mcp (streamable HTTP transport) - Product catalog: https://archergate.io/api/catalog - OpenAI tools: https://archergate.io/api/tools - OpenAPI spec: https://archergate.io/openapi.json - DID document: https://archergate.io/.well-known/did.json - Terms: https://archergate.io/api/terms - Receipts: https://archergate.io/api/receipt - Agent discovery: https://archergate.io/.well-known/agents.json - MCP server card: https://archergate.io/.well-known/mcp/server-card.json - A2A agent card: https://archergate.io/.well-known/agent-card.json - OpenAI plugin: https://archergate.io/.well-known/ai-plugin.json - PWA manifest: https://archergate.io/manifest.json - LLM docs: https://archergate.io/llms.txt ## Contact - Email: hello@archergate.io - GitHub Issues: https://github.com/lailaarcher/archergate/issues - Company: Archergate, 447 Sutter St, Ste 506 1461, San Francisco CA 94108