SDK Integration

Client SDK setup, signature verification, and best practices for integrating Aegis into a client application.

Available SDKs

Aegis provides client SDKs for the following languages. Each SDK handles license authentication, signature verification, heartbeat management, and endpoint communication.

LanguageHTTP LibraryEd25519 LibraryStatus
PythonrequestscryptographyComing Soon
C++WinHTTPVendored Ed25519 (verify-only)Available
C#HttpClientNSec.CryptographyComing Soon

Getting the C++ SDK

The C++ SDK is distributed as a vendored example project on GitHub. Clone the repository and copy the SDK source into your project:

git clone https://github.com/0xbaksa/Aegis-CPP-Example.git
  1. Copy the include/ and src/ directories into your project.
  2. Add the source files to your build system (CMake: add_subdirectory).
  3. Link against: bcrypt, crypt32, winhttp, iphlpapi, advapi32, ntdll.
  4. Include #include <aegis/aegis.hpp> and you're ready.

Tip

The example repository includes a complete interactive demo (main.cpp) showcasing every SDK feature.

Integration Overview

The following steps outline the standard integration flow for embedding Aegis into a client application.

  1. Copy the application's public key and app ID from the dashboard (SDK tab).
  2. Embed the public key in the client application as a constant.
  3. On startup, call /init to verify connectivity with the Aegis server.
  4. Authenticate with /license (or /login for password-based authentication).
  5. Verify the Ed25519 signature on the response before trusting any data.
  6. Start a background heartbeat timer, sending a heartbeat every 5–15 minutes to maintain the session.
  7. Use the /file and /variable endpoints as needed.
  8. Call /logout when the application closes to release the session.

Signature Verification

Every API response from Aegis contains a payload object and a signature string (a base64-encoded Ed25519 signature). The client must verify this signature before acting on the response data.

Verification Process

  1. Serialize the payload object to a JSON string.
  2. Decode the base64 signature string into raw bytes.
  3. Verify the signature against the serialized payload using the application's Ed25519 public key.
  4. Reject the response entirely if verification fails.

Note

The PEM public key uses PKIX format. The raw 32-byte Ed25519 key starts at byte offset 12 after base64-decoding the key data between the PEM headers.

Python Example

import json
import base64
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey

PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA... (from dashboard SDK tab)
-----END PUBLIC KEY-----"""

def verify_response(response_json: dict) -> dict:
    """Verify the Ed25519 signature and return the payload."""
    payload = response_json["payload"]
    signature = base64.b64decode(response_json["signature"])

    # Serialize payload to JSON bytes
    message = json.dumps(payload, separators=(",", ":")).encode()

    # Load the public key and verify
    from cryptography.hazmat.primitives.serialization import load_pem_public_key
    public_key = load_pem_public_key(PUBLIC_KEY_PEM.encode())
    public_key.verify(signature, message)  # raises on failure

    return payload

Hardware ID Collection

The client application should build a composite fingerprint from stable hardware identifiers to uniquely identify the machine. This fingerprint is sent as hwid_hash during authentication requests.

Recommended Identifiers

  • CPU model or processor ID
  • Motherboard serial number
  • Primary disk serial number
  • Primary MAC address

Generation Process

Concatenate the collected values into a single string and compute a SHA-256 hash. Send the resulting hex digest as the hwid_hash field in /license or /login requests.

AI-Assisted Integration

The dashboard includes an AI prompt generator on each application's SDK tab. This is especially useful for Python and C# where native SDKs are not yet available — select the target language, copy the generated prompt, and paste it into an AI coding assistant for step-by-step integration guidance. The generated prompt includes the application credentials and the full API specification, providing the AI with complete context to produce working integration code.

Best Practices

  • Never hardcode license keys in source code.
  • Store session tokens in memory only — never persist them to disk.
  • Verify the Ed25519 signature on every API response without exception.
  • Handle HTTP 429 responses with exponential backoff.
  • Run heartbeats on a background thread to avoid blocking the main thread.
  • Consider anti-debug checks and string obfuscation in production builds to hinder reverse engineering.