If you trust the client to say "yes, validate via the keygen.sh API", then without loss of generality you can probably trust it to validate using a public key and a timestamp.