License Keys, Cryptographically Sealed
A complete licensing backend with RS256-signed JWT license tokens (RSA signatures over SHA-256 digests), optional JWE encryption, per-machine activation with seat enforcement, heartbeat-based renewal, hierarchical pricing tiers with feature inheritance, and OpenID-style discovery for consuming applications.
// RSA-256 Signed JWT License Token
{
"alg": "RS256",
"typ": "JWT",
"kid": "rdn-lic-2025"
}
// Claims
{
"sub": "customer-id",
"aud": "rdn-identity",
"tier": "enterprise",
"features": ["sso", "passkeys", "mfa"],
"max_users": 500,
"max_tenants": 50,
"heartbeat_required": true,
"exp": 1735689600
}
Key Capabilities
Everything you need to issue, activate, enforce, and manage software licenses at scale.
JWT License Tokens
RS256-signed JWTs with optional JWE encryption (RSA-OAEP key wrapping + A256CBC-HS512 content encryption). Feature flags, tier info, and enforcement policy are embedded directly in the claims.
Per-Machine Activation
Track activations by machine identifier and IP address. Enforce seat limits with MaxUsers. Sibling key auto-revocation ensures one active key per customer per product.
Heartbeat Renewal
Consuming applications call /heartbeat periodically. The server returns a fresh, short-lived token. No heartbeat means the token expires and the application goes dark.
Pricing Tier Hierarchy
Tiers inherit features from parent tiers via IncludesTierId. Configure monthly/annual pricing, user limits, tenant limits, and billing periods per tier.
Feature Gating
Named feature keys are embedded in the JWT claims; consuming applications read them at runtime to gate functionality without a network call. Features can also be marked display-only for marketing purposes.
Token Discovery
OpenID-style /.well-known/jwks.json and /.well-known/license-configuration endpoints. Consuming apps verify tokens locally using the published RSA public keys.
Full-Stack Architecture
A .NET 10 backend API with CQRS and a Next.js 16 admin dashboard, connected via OIDC.
Backend API
.NET 10 / ASP.NET Core
- CQRS with MediatR command/query handlers
- Entity Framework Core 10 + Dapper for raw queries
- RS256 JWT signing with Azure Key Vault support
- Dual auth: JWT Bearer + API Key (X-Api-Key)
- Data Protection encryption of stored tokens
- API versioning with Swagger documentation
- Rate limiting and HSTS with preload
- Serilog structured logging (console + file + SQL)
Web Dashboard
Next.js 16 / React 19
- NextAuth.js v5 with OIDC via Rdn.Identity
- Admin dashboard for products, tiers, and keys
- User self-service: claim licenses, view active keys
- Real-time API health status monitoring
- License generation, revocation, and audit views
- Sortable lists with drag-and-drop (dnd-kit)
- Tailwind CSS 4 responsive design
- TypeScript 5.9 with App Router
Cryptographic Token Security
License tokens are built on industry-standard JWT cryptography with multiple layers of protection.
> Token Signing
Algorithm: RS256
Key Size: RSA 2048-bit
Key Source: Azure Key Vault / Local PEM
Discovery: /.well-known/jwks.json
> Token Encryption (Optional)
Algorithm: RSA-OAEP
Encryption: A256CBC-HS512
Consumer Key: Provided at activation
> Storage Protection
Encryption: ASP.NET Data Protection
Attribute: [Protected]
Scope: LicenseKey.KeyToken
> Key Vault Integration
Provider: Azure Key Vault
Signing: Remote (key never leaves vault)
Rotation: Configurable refresh interval
Fallback: Local PEM for development
Signed Tokens
Every license token is RS256-signed. Consuming applications verify signatures locally against the public keys published at the JWKS endpoint, so validation does not require a round trip to the license server.
Encrypted Tokens
When a consumer provides an RSA public key during activation, the server returns a JWE token. Only the consumer can decrypt and read the license claims.
At-Rest Encryption
Stored license tokens are encrypted using ASP.NET Core Data Protection. The [Protected] attribute triggers automatic encryption via a custom EF Core value converter.
Comprehensive REST API
Versioned endpoints for every aspect of license management, from product catalogs to token validation.
# Products
GET /products
GET /products/catalog
POST /products
PUT /products/:id
# Pricing Tiers
GET /pricing-tiers
GET /pricing-tiers/:id
POST /pricing-tiers
PUT /pricing-tiers/:id
# Product Features
GET /product-features
POST /product-features
PUT /product-features/:id
# Discovery
GET /.well-known/jwks.json
GET /.well-known/license-configuration
# License Keys
GET /license-keys
POST /license-keys
POST /license-keys/validate
POST /license-keys/heartbeat
POST /license-keys/:id/revoke
POST /license-keys/:id/audit
POST /license-keys/:id/regenerate
# Activations
GET /license-activations
POST /license-activations/activate
POST /license-activations/:id/deactivate
# Customers
GET /customers
POST /customers
PUT /customers/:id
# Registration
POST /register
POST /user/claim-license