Sign in through the portal
Portal forms use server-rendered HTML, CSRF tokens, secure session cookies, prepared statements, and generic authentication errors.
License activation and device management
How YAAA validates paid access without putting production secrets, database credentials, or license-pepper material into desktop or browser code.
Secure activation model
YAAA licensing is intentionally server-validated. A customer enters a license key in the portal or desktop app; the server hashes that key with a private deployment pepper, checks license status and device limits, and returns only a minimal authorization result. Raw license keys are not stored in the database.
- Secrets stay server-side: production
LICENSE_PEPPER, database credentials, and administrative license creation tools are deployment-only assets. - Device-scoped access: activations bind to a hashed local device fingerprint so customers can retire old machines without sharing private workflow files.
- Least-data responses: the public JSON endpoint returns validity, product, and expiration state; it does not disclose whether an email, account, or raw key exists.
- Human recovery path: lost-device and procurement exceptions go through support rather than an open public admin panel.
Activate the local machine
Enter a license key and device fingerprint generated by the local app. The server validates format, expiration, active state, and seat count.
Manage active seats
The dashboard lists active device counts and supports deactivation of retired devices. Support can assist with account or procurement changes.
Production operator checklist
Before launch, operators should configure HTTPS, set a strong persistent LICENSE_PEPPER in the server environment, run database migrations with least privilege, verify backups, and review legal text with counsel. Development stubs are safe to inspect, but real licenses should be issued only through a private operational process.
Review security posture → · Read privacy policy → · Read terms →