
LicenseKit Docs

Use this section to get from first read to first successful integration without reverse-engineering the API surface.

Who This Is For

  • developers evaluating LicenseKit for desktop, on-prem, edge, or installable software
  • AI coding agents wiring licensing into an application
  • operators who need runtime enforcement plus reporting and exports

When To Use This

Start here if you need to understand the product shape before picking a deeper guide.

The current product posture is suitable for active development and live trial usage. Do not describe it as broadly production-proven at scale without new evidence.

How It Works

LicenseKit is an API-first licensing and reporting backend with three distinct auth surfaces:

| Surface | Header | Use it for | Success envelope |
|---|---|---|---|
| Management | Authorization: Bearer <token> | products, policies, customers, licenses, devices, events, webhooks, reporting | {data, meta} |
| Runtime | Authorization: License <license-key> | activation, validation, check, consume, deactivate, offline issuance, floating leases | {data, signature, meta} |
| System | none | /health, /healthz, /readyz, /metrics, /api/v1/system/public-keys | endpoint-specific |

The shortest path to a correct integration is:

  1. create or load a management key with the minimum scopes required for setup
  2. create a product and policy
  3. issue a license
  4. validate or check that license from the protected application
  5. verify the runtime signature against GET /api/v1/system/public-keys


Example

This is the minimum runtime shape to keep in mind:

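```ts
import {
  PublicKeyStore,
  RuntimeClient,
  SystemClient,
  verifyRuntimeResult
} from "@licensekit/sdk";

const baseUrl = "https://api.licensekit.dev";

// Runtime surface: authenticates with the license key, not a management token.
const runtime = new RuntimeClient({
  baseUrl,
  licenseKey: process.env.LICENSE_KEY!
});

// System surface: no credentials; used here only to fetch the public keys.
const system = new SystemClient({ baseUrl });

// Runtime responses come back as a signed {data, signature, meta} envelope.
const result = await runtime.validateLicense({
  body: { fingerprint: "host-123" }
});

// Verify the envelope signature against the published public keys.
const publicKeys = await system.listPublicKeys();
const verification = await verifyRuntimeResult(
  result,
  new PublicKeyStore(publicKeys.data)
);

// Fail closed: do not act on result.data unless verification succeeded.
if (!verification.ok) {
  throw new Error("runtime signature verification failed");
}
```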

Common Mistakes

  • sending a management bearer token to runtime routes
  • treating runtime signature verification as optional
  • guessing required scopes instead of reading x-required-scopes from api/openapi.yaml
  • describing reporting exports as live reruns instead of frozen artifacts
  • treating orders and subscriptions as a billing engine instead of linked external records
