Q for programmers or those in the know. How do software keys work?

I think the key generators are owned by the developers and companies and then the stores buy the keys in bulk from them, because they run out of keys frequently and ask the developers for more.

When you activate your key on the steam client it does a check against a database which stores the previously generated keys by the developers.

"When you buy a key from a site and it says it's "retrieving your key now" what exactly is happening?"

What site does this? From most of the sites I buy, the only thing that takes time is usually authenticating payment, I've never noticed a delay for key retrieval, if you mean when you click the Steam button to reveal a key on a site like Humble, they are just grabbing a key from their own database (given to them presumably by the publisher/developer of that game, which was in turn given to that publisher/developer by Valve, I do believe).

"Is it something mathematically generated that adheres to some type of complex algorithm?"

Third-party sites don't create the keys, at least I've never been led to believe that from what I've seen developers say here or there in the past.

"Similarly, when I redeem a key on Steam, what is actually going on? Does Steam have a master list of all unique valid keys for all games?"

I'm not sure the exact details, sorry, but they have to have someway to track every single key ever generated (track whether it's used or unused), whether they actually have to store that data 1:1 or if they have a more clever scheme to do so is beyond me. I would guess the former at any rate.

"Or is there some third party database somewhere that Steam has to cross-reference with to validate validity of key and which game? Or is there some algorithmic relationship between a purchased key and a separate validation key that Steam?"

These are Steam keys, I don't see why they would have to cross-reference another companies database to check them :P

Not sure if this is actually how it works, but for Steam I believe the Publisher requests X amount of keys from Steam for their game, which Steam delivers. They then sell the keys to resellers as they see fit. The resellers buy X amount of codes (which is why they can run out). Everyone is pulling out of their own little key database. Then the consumer activates the key on Steam which they verify against their generated list.

"When you buy a key from a site and it says it's "retrieving your key now" what exactly is happening?

What site does this? "

(edited, thanks for the formatting tip)

I was referring to humble's site where they do that. It has something where you click a button to retrieve your key like you mention.

Steam generates the keys, not the developers.
For security reasons, I highly doubt there is a database sitting somewhere at Valve HQ with a straight list of keys and their corresponding games. At the very least, I am sure the key is transformed with some algorithm first before it can be validated. After all whichever algorithm is used to generate the keys in the first place must necessarily never generate the same key twice, for the same game or different games.

Mostly guesswork here, but should be very close to it:

• Steam has an API for the devs to allow to create arbritray amount of keys -> possibly as part of the steam webpages but might be a standalone app with connection to steam servers
• Those keys are stored in the databases of Steam - along which appid they belong to
• Fetched keys can then be distributed at will (at any cost they like even free)
• When redeemed the account gets the game id added, the key is removed from database
• I believe there is no charge or cost involved for creating, accessing, distributing or redeeming keys neigther there is for downloading game data or using the steam cloud services, essentially keys are plain database entries which are created or removed, accounts get gameid's added or removed too
• if an account has the appid attached he can ask for a download which he'll get - again through some api
• steam keys are absolutely unlike offline keys that were used before the steam & co
• those keys used were generated using algorithms which encoded the name of the licensee or other information
• keygen's reversed that process allowing to create fitting pairs of name & serial - the original dev created one for himself ... but cracker groups often did their own analysis of the serial activation code and wrote their own
• offline keys relied on the intransparency of the algorithm devised to code the information eigther to the correct name or to contain the information "valid license"
• online keys rely on the integrity of the databases, e.g. in their cloud

No magic involved. Actually its pretty boring gruntwork. I hope i didn't bore you :)

if we knew we could make the keys oursefls xd, must be an ecripted key, that once test with the proper decription "key" on the software provider servers give a valid or invalid answer.

TL;DR version

Steam is responsible for key generation. There's no specific algorithm, I mean there is one but it consists of random data to make sure that no other service/user/server can generate the same key using the same way.

Developer of the game can (optionally) generate as much keys as he wants for particular game. Steam is responsible for generating them, so developer can only send a request to generate key(s) for game X and receive them directly from steam through secured connection. Now most of the sites such as humblebundle, IG etc. do not keep unused keys in the database, rather they contact Steam network with key generation request once you click the button. This received key is then saved in the database. But of course, they can also ask for such key at the time of buying the bundle by you, and just "unhide" it later for you when you request. It's up to site implementation.

Related, I've always wondered if it was "safer" somehow to wait to generate the key for a bundle game until you are ready to use it (activate or trade), as opposed to simply getting all of the keys as soon as you buy the bundle. It seems like once the key is generated, it can be stolen (or lost, or I suppose guessed via brute force-- unlikely). But if I wait until I need the key, then they will always generate me a "fresh" key.

Of course, in some cases, they just give you a plateful of keys whether you're ready for them or not. =)

I don't work for Valve nor any major game publisher, but I am a software engineer that has experience working on projects involving web store for software license keys as well as the activation of the software itself.

Generally, even us software engineers don't know how to generate the key itself, the "keygen" is controlled by our senior technical manager. Our key format goes something around 30+ digits alphanuric, with some dashes in between. We don't have a database of keys, because all our keys are generated real-time. That is, the web store will call a web service, passing a number of parameters (including machine ID, current date time, the license type like basic/premium/enterprise, and more), and the web service will return a valid key to the user. The web store don't store the key itself as to not run into the risk of a key leak. The key generated are kinda like a combination of encode/encryption.

We do have a reseller web front too that can bulk-generate keys for resellers to use. These keys have a reseller ID and batch ID tied to one of the parameters in the encryption.These resellers are the one that bulk-generate a list of keys and they will store it somewhere. So in an event of a key leak, most likely are the reseller's database got compromised.

As for license activation, the PC in use must be online. When the user activate a license key, the software itself will try to decrypt the key and match with some of the matchable settings like software version and machine ID. Then it will check the validity of the key online via another web service call to one of our "activation server". This is where we can control leaked keys, so in the event of a leaked keys, we can fail the activation at this step when we detected that a certain reseller ID and batch ID are reported leaked.