Security
How Aegis protects applications, licenses, and client communications.
Cryptographic Signing
Every API response from Aegis is signed with Ed25519. The server holds the private key; client applications embed only the corresponding public key. The SDK verifies the signature on each response before trusting any field in it, so an attacker positioned between client and server cannot substitute a forged response or alter a genuine one without the SDK rejecting it.
Even if an attacker intercepts traffic between the client and server, they cannot forge a valid response without the private key. Any modification to the response payload invalidates the signature, and the SDK rejects it.
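The exchange described above, as an added example and not code from the Aegis SDK: the server signs the exact bytes it will send, the client verifies under the embedded public key before parsing, and a tampered body, a response signed by someone who only has the public key, or a replayed response all fail. The payload fields, the wire shape (body plus raw 64-byte signature) and the nonce echo used to catch replays are assumptions for this example; a signature proves origin and integrity, not freshness, so the SDK's own freshness handling is what would cover that in practice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// authResult stands in for a server payload; the real Aegis field set is not
// documented on this page, so these names are assumptions.
type authResult struct {
	License string `json:"license"`
	Status  string `json:"status"`
	Nonce   string `json:"nonce"` // echoed from the request (assumed)
}

// signedResponse is the wire shape assumed here: the server signs the exact
// bytes of Body, and Signature is the 64-byte Ed25519 signature over them.
type signedResponse struct {
	Body      json.RawMessage `json:"body"`
	Signature []byte          `json:"signature"`
}

// newKeypair generates a per-application Ed25519 keypair. The private key
// stays on the server; only pub is compiled into clients.
func newKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// serverSign serialises the payload and signs the bytes that will actually
// be sent, so the client verifies exactly what it later parses.
func serverSign(priv ed25519.PrivateKey, payload authResult) (signedResponse, error) {
	body, err := json.Marshal(payload)
	if err != nil {
		return signedResponse{}, err
	}
	return signedResponse{Body: body, Signature: ed25519.Sign(priv, body)}, nil
}

// clientVerify is the SDK side. Verification happens before any field is
// trusted; a response that fails is discarded, not parsed. The nonce check
// is an added freshness guard: a valid signature also covers an old captured
// response, so the client must confirm it answers this request.
func clientVerify(pub ed25519.PublicKey, resp signedResponse, expectNonce string) (authResult, error) {
	if len(resp.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, resp.Body, resp.Signature) {
		return authResult{}, errors.New("signature invalid: response rejected")
	}
	var out authResult
	if err := json.Unmarshal(resp.Body, &out); err != nil {
		return authResult{}, err
	}
	if out.Nonce != expectNonce {
		return authResult{}, errors.New("nonce mismatch: stale or replayed response")
	}
	return out, nil
}

// tamper returns a copy of resp with one bit of the body flipped, the way an
// in-path attacker rewriting the payload would leave it.
func tamper(resp signedResponse) signedResponse {
	body := append([]byte(nil), resp.Body...)
	body[len(body)/2] ^= 0x01
	return signedResponse{Body: body, Signature: resp.Signature}
}

func main() {
	pub, priv, err := newKeypair()
	if err != nil {
		panic(err)
	}
	nonce := "c0ffee-request-7" // constructed client nonce
	resp, _ := serverSign(priv, authResult{License: "AEG-DEMO-0001", Status: "valid", Nonce: nonce})

	res, err := clientVerify(pub, resp, nonce)
	fmt.Println("genuine:", res.Status, err)

	_, err = clientVerify(pub, tamper(resp), nonce)
	fmt.Println("tampered:", err)

	_, err = clientVerify(pub, resp, "different-nonce")
	fmt.Println("replayed:", err)

	// Holding only the public key, an attacker cannot produce a signature the SDK accepts.
	_, attackerPriv, _ := newKeypair()
	forged, _ := serverSign(attackerPriv, authResult{License: "AEG-DEMO-0001", Status: "valid", Nonce: nonce})
	_, err = clientVerify(pub, forged, nonce)
	fmt.Println("forged:", err)
}
```

The order inside clientVerify is the point: the signature is checked on the raw bytes before JSON decoding, so malformed or attacker-controlled data never reaches the parser unless it was signed by the server.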
Asymmetric Key Design
Each application receives its own Ed25519 keypair when it is created. The public key is safe to ship in client builds: it can only verify signatures, never produce them, so extracting it from a compiled binary gives an attacker nothing that helps forge responses. What key secrecy does not cover is an attacker who patches the binary to swap in a public key of their own; that is a client-integrity concern, separate from the key design.
If a key is suspected to be compromised, it can be rotated from the application settings in the dashboard. Rotation replaces the keypair and invalidates the previous public key, so client builds that still embed the old key will reject every response until they are updated with the new one.
Hardware Binding
Licenses are bound to hardware identifiers (HWIDs) to prevent key sharing. The client application computes a composite fingerprint from several hardware components, hashes it with SHA-256, and sends the resulting hash during authentication.
Aegis tracks bound devices per license and enforces configurable device limits. Once a license reaches its device cap, authentication from new hardware is rejected until an existing binding is released.
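Both halves of the scheme, the client-side fingerprint and the server-side device cap, as an added example that is not the Aegis SDK or backend. The four components used for the fingerprint are an assumption (the page does not list which components the SDK reads), as are the serial numbers, which are constructed. The normalisation step is the practical detail worth noting: if case or whitespace in a component varies between runs, the same machine hashes to a different HWID and burns a device slot.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// hardwareComponents holds the inputs to the composite fingerprint. Which
// components the real SDK reads is not documented on this page; these four
// are an assumption, chosen because they rarely change over a machine's life.
type hardwareComponents struct {
	CPUID       string
	BoardSerial string
	DiskSerial  string
	MACPrimary  string
}

// fingerprint computes the HWID: normalise each component (case and
// whitespace differences must not look like new hardware), join them in a
// fixed order with a separator that cannot appear in the values, and
// SHA-256 the result. Only the hash is sent during authentication.
func fingerprint(h hardwareComponents) string {
	parts := []string{h.CPUID, h.BoardSerial, h.DiskSerial, h.MACPrimary}
	for i, p := range parts {
		parts[i] = strings.ToLower(strings.TrimSpace(p))
	}
	sum := sha256.Sum256([]byte(strings.Join(parts, "\x00")))
	return hex.EncodeToString(sum[:])
}

var errDeviceCap = errors.New("device limit reached: release an existing binding first")

// licenseBindings is the server-side record of which HWIDs a license has
// authenticated from, together with its configurable device cap.
type licenseBindings struct {
	maxDevices int
	bound      map[string]bool
}

func newLicenseBindings(maxDevices int) *licenseBindings {
	return &licenseBindings{maxDevices: maxDevices, bound: map[string]bool{}}
}

// authenticate accepts an already-bound HWID, binds a new one while the
// license is under its cap, and rejects a new one once the cap is reached.
func (l *licenseBindings) authenticate(hwid string) error {
	if l.bound[hwid] {
		return nil
	}
	if len(l.bound) >= l.maxDevices {
		return errDeviceCap
	}
	l.bound[hwid] = true
	return nil
}

// release drops a binding (the dashboard action) and reports whether it existed.
func (l *licenseBindings) release(hwid string) bool {
	if !l.bound[hwid] {
		return false
	}
	delete(l.bound, hwid)
	return true
}

func (l *licenseBindings) count() int { return len(l.bound) }

func main() {
	// Constructed sample hardware, not real serial numbers.
	desktop := hardwareComponents{"BFEBFBFF000906EA", "MB-2291-X", "WD-WCC4E1234567", "3C:7C:3F:AA:BB:01"}
	laptop := hardwareComponents{"BFEBFBFF000806EC", "LT-0042-Q", "S4EVNX0M555555", "8C:16:45:CC:DD:02"}
	third := hardwareComponents{"BFEBFBFF000A0671", "MB-7781-Z", "ST1000DM-ZZZ", "00:1B:44:EE:FF:03"}

	lic := newLicenseBindings(2)
	fmt.Println("desktop:", lic.authenticate(fingerprint(desktop)))
	fmt.Println("laptop:", lic.authenticate(fingerprint(laptop)))

	// The same desktop reporting its MAC in lower case still matches its binding.
	desktopLower := desktop
	desktopLower.MACPrimary = strings.ToLower(desktop.MACPrimary)
	fmt.Println("desktop again:", lic.authenticate(fingerprint(desktopLower)))

	// A third machine is refused until a binding is released.
	fmt.Println("third:", lic.authenticate(fingerprint(third)))
	lic.release(fingerprint(laptop))
	fmt.Println("third after release:", lic.authenticate(fingerprint(third)), "bound:", lic.count())
}
```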
Rate Limiting
All client API endpoints are rate-limited per IP address to prevent abuse and brute-force attempts.
| Endpoint | Limit |
|---|---|
| Authentication | 10 requests / minute |
| Heartbeat | 60 requests / hour |
| File / Init | 5 requests / minute |
Exceeding the limit returns HTTP 429 Too Many Requests with a Retry-After header indicating how long to wait before retrying.
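A per-IP limiter that enforces the table above and computes the Retry-After value, as an added example rather than Aegis's own implementation. The endpoint keys and the IP addresses are this example's (the addresses are from a documentation range); the limits are the ones in the table. It uses a sliding window, which avoids the fixed-window edge case where a client can squeeze twice the limit through on either side of a minute boundary.

```go
package main

import (
	"fmt"
	"math"
	"net/http"
	"time"
)

// limit is one row of the rate-limit table: at most Requests hits per Window
// from a single IP.
type limit struct {
	Requests int
	Window   time.Duration
}

// clientLimits mirrors the documented table. The keys are this example's
// endpoint names, not Aegis route paths.
var clientLimits = map[string]limit{
	"auth":      {Requests: 10, Window: time.Minute},
	"heartbeat": {Requests: 60, Window: time.Hour},
	"file_init": {Requests: 5, Window: time.Minute},
}

// rateLimiter keeps a sliding log of hit times per (endpoint, IP).
type rateLimiter struct {
	limits map[string]limit
	hits   map[string][]time.Time
}

func newRateLimiter(limits map[string]limit) *rateLimiter {
	return &rateLimiter{limits: limits, hits: map[string][]time.Time{}}
}

// allow reports whether a request may proceed. When it may not, the second
// value is how long until the oldest in-window hit ages out, which is what
// Retry-After should carry. Endpoints with no configured limit fail closed.
func (r *rateLimiter) allow(endpoint, ip string, now time.Time) (bool, time.Duration) {
	lim, ok := r.limits[endpoint]
	if !ok {
		return false, 0
	}
	key := endpoint + "|" + ip
	cutoff := now.Add(-lim.Window)
	kept := r.hits[key][:0] // prune expired hits in place
	for _, t := range r.hits[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	if len(kept) >= lim.Requests {
		r.hits[key] = kept
		return false, kept[0].Add(lim.Window).Sub(now)
	}
	r.hits[key] = append(kept, now)
	return true, 0
}

// retryAfterSeconds rounds up and never returns 0: a client told
// "Retry-After: 0" retries immediately and hits the limit again.
func retryAfterSeconds(d time.Duration) int {
	s := int(math.Ceil(d.Seconds()))
	if s < 1 {
		s = 1
	}
	return s
}

// decide maps the limiter result to the status and headers the client sees.
// Answering 429 before any license lookup keeps brute-force traffic off the
// expensive path.
func decide(r *rateLimiter, endpoint, ip string, now time.Time) (int, http.Header) {
	h := http.Header{}
	ok, wait := r.allow(endpoint, ip, now)
	if !ok {
		h.Set("Retry-After", fmt.Sprint(retryAfterSeconds(wait)))
		return http.StatusTooManyRequests, h
	}
	return http.StatusOK, h
}

func main() {
	rl := newRateLimiter(clientLimits)
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	ip := "203.0.113.7" // constructed, documentation range
	for i := 0; i < 11; i++ {
		status, h := decide(rl, "auth", ip, t0.Add(time.Duration(i)*time.Second))
		fmt.Printf("auth #%d at +%ds -> %d %v\n", i+1, i, status, h)
	}
	status, _ := decide(rl, "auth", ip, t0.Add(61*time.Second))
	fmt.Println("auth at +61s ->", status)
}
```

With one request per second, the eleventh attempt is refused with Retry-After: 50, because the oldest of the ten in-window hits expires fifty seconds later; by 61 seconds enough hits have aged out for the client to proceed.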
Anomaly Detection
Aegis performs behavioral analysis on authentication patterns to detect suspicious activity. The following signals are monitored:
- Velocity spikes — unusually high authentication frequency from a single license
- Hardware fingerprint changes — rapid HWID switching indicating key sharing
- Clock manipulation — timestamp anomalies suggesting tampered system clocks
Each detection type supports configurable responses: logging only, automatic suspension, or automatic banning. Alerts can be delivered in real time via Discord or Telegram webhooks, configured per application in the dashboard.
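The three signals run over a constructed stream of authentication events, as an added example that is not the Aegis detection engine. Thresholds, window length, field names and the sample licenses are all assumptions; the point is how each signal is derived (count in a sliding window, distinct HWIDs in that window, client-reported time versus server receive time) and how the configured response is applied per detection type, defaulting to log-only where nothing is configured.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// authEvent is one authentication attempt as the server saw it: At is the
// server receive time, ClientClock the time the client claimed. Field names
// are this example's, not the Aegis schema.
type authEvent struct {
	License, HWID   string
	At, ClientClock time.Time
}

// detectorConfig holds per-application thresholds (values below are assumed).
type detectorConfig struct {
	Window            time.Duration // look-back for velocity and HWID switching
	MaxAuthsPerWindow int
	MaxHWIDsPerWindow int
	MaxClockSkew      time.Duration
}

type signal struct{ License, Kind, Detail string }

// detect replays events in time order and raises each kind of signal at most
// once per license, at the first event that crosses its threshold.
func detect(cfg detectorConfig, events []authEvent) []signal {
	sorted := append([]authEvent(nil), events...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].At.Before(sorted[j].At) })
	recent := map[string][]authEvent{} // per-license events still inside the window
	raised := map[string]bool{}
	var out []signal
	emit := func(lic, kind, detail string) {
		if k := lic + "|" + kind; !raised[k] {
			raised[k] = true
			out = append(out, signal{lic, kind, detail})
		}
	}
	for _, ev := range sorted {
		// Clock manipulation: the client's claimed time should sit within
		// MaxClockSkew of the server's receive time, in either direction.
		if skew := ev.ClientClock.Sub(ev.At); skew > cfg.MaxClockSkew || skew < -cfg.MaxClockSkew {
			emit(ev.License, "clock_manipulation", fmt.Sprintf("client clock off by %v", skew))
		}
		win := recent[ev.License][:0]
		for _, e := range recent[ev.License] {
			if e.At.After(ev.At.Add(-cfg.Window)) {
				win = append(win, e)
			}
		}
		win = append(win, ev)
		recent[ev.License] = win
		if len(win) > cfg.MaxAuthsPerWindow {
			emit(ev.License, "velocity", fmt.Sprintf("%d auths in %v", len(win), cfg.Window))
		}
		distinct := map[string]bool{}
		for _, e := range win {
			distinct[e.HWID] = true
		}
		if len(distinct) > cfg.MaxHWIDsPerWindow {
			emit(ev.License, "hwid_switching", fmt.Sprintf("%d HWIDs in %v", len(distinct), cfg.Window))
		}
	}
	return out
}

// respond maps a signal to its configured action ("log", "suspend" or "ban"),
// defaulting to log-only so an unconfigured detection never suspends a paying
// customer by surprise.
func respond(policy map[string]string, s signal) string {
	if a, ok := policy[s.Kind]; ok {
		return a
	}
	return "log"
}

// sampleEvents is constructed data: license A is normal, license B is shared
// across four machines hammering the API, license C's clock is 3 days ahead.
func sampleEvents() []authEvent {
	t0 := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	evs := []authEvent{{"A", "hw-a1", t0, t0}, {"A", "hw-a1", t0.Add(2 * time.Hour), t0.Add(2 * time.Hour)}}
	for i := 0; i < 12; i++ {
		at := t0.Add(time.Duration(i) * 5 * time.Second)
		evs = append(evs, authEvent{"B", fmt.Sprintf("hw-b%d", i%4), at, at})
	}
	return append(evs, authEvent{"C", "hw-c1", t0, t0.Add(72 * time.Hour)})
}

func main() {
	cfg := detectorConfig{Window: time.Minute, MaxAuthsPerWindow: 10, MaxHWIDsPerWindow: 2, MaxClockSkew: 10 * time.Minute}
	policy := map[string]string{"hwid_switching": "suspend", "clock_manipulation": "ban"}
	for _, s := range detect(cfg, sampleEvents()) {
		fmt.Println(s.License, s.Kind, respond(policy, s), s.Detail)
	}
}
```

Raising each signal once per license keeps a shared key from generating an alert per request; in a real deployment the same deduplication is what stops a Discord or Telegram channel from being flooded by one abusive license.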
POST-Only API
The client API accepts only POST requests. This prevents authentication data — license keys, hardware identifiers, session tokens — from appearing in URL query strings, browser history, server access logs, or CDN caches.
Note
All request and response bodies use JSON. The SDK handles serialization, signature verification, and error handling automatically.