Deploy the PHP Activation Server

You’ve protected your VBA application and now you want to automate the activation process. Instead of manually generating keys and emailing them, you can deploy the VBA Padlock Activation Kit — a complete PHP server that handles everything automatically: activation, deactivation, periodic validation, and even a PayPal-powered storefront.

What you’ll set up:

• A PHP activation server on your web hosting
• Automated online activation, deactivation, and validation
• A web dashboard to manage clients, licenses, and activation logs
• Optional: a PayPal store for self-service license purchases

Time needed: 30–45 minutes

The Activation Kit is a full-featured server application:

1. Open your VBA Padlock project.

2. Go to the Licensing Features tab → Online Activation.

3. Check Enable online activation.

4. Click Get Activation Kit to download the server files.

5. Extract the archive. If you don’t plan to customize the dashboard, delete the dashboard-src/ folder before uploading — it contains React source code not needed in production.

6. Upload the vbapadlock-activkit/ directory to your web server:

   https://yourdomain.com/vbapadlock-activkit/

7. Install PHP dependencies via SSH:

   cd /path/to/vbapadlock-activkit/inc
   composer install

Open inc/config.ini on your server and set your VBA Padlock credentials:

[globals]
vbapadlockmasterkey = "YOUR_MASTER_KEY_HERE"
vbapadlockpkey = "{YOUR-PRIVATE-KEY-GUID-HERE}"
usehardwarelocking = 1

To generate cryptographically-signed full-format keys (Ed25519) instead of compact HMAC keys, add your ECC key pair to config.ini:

ecc_private_key = "a1b2c3d4e5f6...your_64_hex_char_private_key..."
ecc_public_key = "f6e5d4c3b2a1...your_64_hex_char_public_key..."

ecc_private_key_file = "/path/to/project.vbapadlock/ecc_private.key"
ecc_public_key_file = "/path/to/project.vbapadlock/ecc_public.pub"

Export ECC keys from VBA Padlock Studio: Advanced Activation Options → Copy ECC Keys For PHP Key Generator.

The first time you access the dashboard, a setup wizard guides you through three steps.

1. Open your browser and go to:

   https://yourdomain.com/vbapadlock-activkit/dashboard

2. Database Configuration — Enter your MySQL/MariaDB credentials. The wizard tests the connection, creates the required tables, and writes the credentials to config.ini.

3. Admin Account — Create your dashboard login (name, email, password). A JWT secret is auto-generated.

4. Application Settings — Set your application name and the default number of activations per license (e.g., 3).

1. In the Online Activation dialog, set the Base Activation URL:

   https://yourdomain.com/vbapadlock-activkit/getactivation

2. Click Test Connection to verify. The server responds with a health-check JSON.

3. Click Generate next to the Security Private Key if you haven’t already. Copy the GUID and make sure it matches vbapadlockpkey in config.ini.

In the Online Deactivation dialog:

1. Check Enable online deactivation.
2. Set the Base Deactivation URL (e.g., https://yourdomain.com/vbapadlock-activkit/dodeactivation).

In the Online Validation dialog:

1. Check Enable online validation.
2. Set the Base Validation URL (e.g., https://yourdomain.com/vbapadlock-activkit/dovalidation).
3. Choose how often to validate (e.g., every launch, daily).

1. Compile and publish your project.

2. Open the protected Office file on a test machine.

3. The activation dialog appears with an online activation option.

   

4. Enter test user details and click Activate.

5. The server processes the request and returns a license key.

6. Verify the activation succeeded — check the Logs page in the dashboard.

The web dashboard gives you full control over your activation system.

The home page displays four key metrics (total clients, total licenses, blocked licenses, activations this week) and a line chart of daily activations over 7, 30, or 90 days.

Create, edit, search, and delete customers. Each client can have multiple licenses.

Create licenses with custom or auto-generated activation codes, set max activations, and use quick actions:

• Block / Unblock — Prevent or restore activation for a license
• Reset Activations — Restore activation count to maximum (for re-activation on new hardware)
• Edit — View activation details (last system ID, last IP, generated key)

A complete audit trail of every activation, validation, and deactivation event, with filtering by action type, status, system ID, and IP address.

The Activation Kit provides three public endpoints used by VBA Padlock DLLs:

{
    "header": "VBA Padlock Activation",
    "status": 1,
    "key": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX",
    "token": "sha256_token_for_validation",
    "username": "John Doe"
}

{
    "header": "VBA Padlock Activation",
    "status": 2,
    "error": "Maximum number of activations reached"
}

Understanding the full lifecycle helps you support your customers effectively.

1. The user enters their activation code in your protected application.
2. The DLL sends a POST /getactivation request with the code, hardware ID, and a SHA256 security checksum.
3. The server verifies the checksum, looks up the license, checks it’s not blocked, and verifies remaining activations.
4. The server generates an activation key and returns it with a unique token.
5. Each activation from a different machine (different system ID) consumes one activation slot.

If a user re-activates on the same hardware (same system ID), the server recognizes it and does not consume an additional activation slot. This handles cases like Windows reinstalls or application updates gracefully.

The DLL periodically sends POST /dovalidation requests to verify the license is still valid. The server checks the license exists and is not blocked, then returns a challenge-response to authenticate the exchange.

When a user wants to transfer their license to a new machine:

1. They click “Deactivate” in the application (or you provide a button).
2. The DLL sends a POST /dodeactivation request.
3. The server increments the remaining activation count.
4. The user can now activate on a different machine.

If an activation code is not found in the database, the server still generates an activation key. This ensures the API works even before you create licenses in the dashboard. In this mode, there is no activation limit enforcement. To enable full tracking, create a license in the dashboard matching the activation code you distribute to customers.

The kit includes a public store page where customers can purchase licenses via PayPal.

1. In the dashboard, go to Settings → PayPal.

2. Set Mode to sandbox (for testing) or live (for production).

3. Enter your PayPal Client ID and Client Secret (from the PayPal Developer Dashboard).

4. Set the Price and Currency (e.g., 49.99 / USD).

5. Toggle Store Enabled to on.

6. The store is available at:

   https://yourdomain.com/vbapadlock-activkit/store

1. Customer visits the store page and clicks the PayPal button.
2. After payment, a client record is created (or found by email), a license is generated, and the activation code is displayed.
3. Buyer and seller email notifications are sent (if configured in Settings → Email).

The activation process transmits license keys, hardware IDs, and security checksums. Always serve the kit over HTTPS.

The .htaccess file blocks access to sensitive paths:

• /inc/ — PHP source code, config.ini, vendor directory
• /dashboard-src/ — React source code
• *.ini, *.log, *.lock, *.md files

Verify after deployment: try to access https://yourdomain.com/vbapadlock-activkit/inc/config.ini in your browser — it should return 403 Forbidden.

All activation requests are verified with SHA256 checksums using salts unique to VBA Padlock. Validation and deactivation use a challenge-response mechanism that prevents replay attacks.

Your license database is a critical business asset. Losing it means losing all customer activation records. Set up automated daily backups:

# Example cron job: daily backup at 2:00 AM, keep 30 days
0 2 * * * mysqldump -u dbuser -p'password' vbapadlock_db | gzip > /backups/vbapadlock_$(date +\%Y\%m\%d).sql.gz

Also back up inc/config.ini — it contains your JWT secret, ECC keys, and database credentials.

Before going live, verify:

• vbapadlockmasterkey matches VBA Padlock Studio project
• vbapadlockpkey matches VBA Padlock Studio (including braces)
• usehardwarelocking set correctly (0 or 1)
• ECC keys configured (if using long key format)
• DEBUG = 0 in config.ini
• HTTPS enabled
• .htaccess active (test: /inc/config.ini returns 403)
• Setup endpoints locked (test: POST /api/setup/database returns 403)
• config.ini set to read-only
• Database backups scheduled
• Test Connection from VBA Padlock Studio succeeds
• Full activation test completed and visible in dashboard logs

To enable detailed error logging, set DEBUG = 1 in config.ini. Check your PHP error log for:

• Security checksum calculations (computed vs. received)
• ECC key operations
• Database query errors

• Online Activation Feature — Architecture overview and feature description
• Online Activation Settings — Studio configuration reference
• Online Deactivation Settings — Deactivation configuration
• Online Validation Settings — Validation configuration
• Key Generation Guide — Manual and automated key generation (includes PHP SDK reference)
• License Return Codes — Server response codes