Offline Licensing
Use this page to issue encrypted offline license envelopes for environments that cannot call the runtime API continuously.
Who This Is For
- teams supporting air-gapped or intermittently connected deployments
- desktop and edge application developers
- operators distributing periodic offline entitlement refreshes
When To Use This
Use offline licensing when the protected client cannot rely on live runtime API access.
Offline issuance is still tied to a runtime binding and still requires signature verification after decryption.
How It Works
POST /api/v1/license/offline:
- uses
Authorization: License <license-key> - accepts the same binding payload family as activation and validation
- returns an encrypted envelope, not a signed runtime envelope directly
The offline flow is:
- issue the offline envelope while online
- store the encrypted envelope locally
- decrypt it with the license-derived key
- verify the inner signed payload against
GET /api/v1/system/public-keys - trust the decrypted
dataonly after verification
Example
Issue an offline envelope:
bash
curl -X POST https://api.licensekit.dev/api/v1/license/offline \
-H "Authorization: License $LICENSE_KEY" \
-H "Content-Type: application/json" \
-d '{
"fingerprint": "factory-node-07",
"app_version": "1.4.0"
}'Envelope shape:
json
{
"data": {
"kid": "key_abc123",
"salt": "base64...",
"nonce": "base64...",
"ciphertext": "base64..."
},
"meta": {
"request_id": "req_123"
}
}Common Mistakes
- treating decryption as equivalent to verification
- failing to cache or refresh public keys for offline verification
- assuming offline issuance works when the policy disallows offline activation
- forgetting that offline artifacts still expire and need refresh