A self-hostable license server for SaaS products. A Next.js admin UI plus auth and lease HTTP APIs issue Ed25519-signed runtime tokens to remote installs over a 5-minute heartbeat. Licenses are bound to install fingerprints, validated against an enforcement profile, and routed through a 10-state policy engine on every heartbeat. Supports time-boxed offline leases so deployed agents can keep running through network outages.
// features
- Admin dashboard for licenses, installs, profiles, and heartbeat audit log
- HMAC-SHA-256 heartbeat proofs with nonce replay protection and 5-minute timestamp buckets
- Ed25519-signed auth tokens with in-place signing-key rotation
- 10-state policy engine (authorized → grace → degraded → locked, etc.)
- Encrypted offline lease artifacts with admin-configurable max duration
- Install approval, revoke, suspend, reset, and rebind workflows
- AES-256-GCM-encrypted license keys and per-install secrets
// interesting details
- Heartbeat proof binds installId, licenseId, monotonic counter, 5-minute timestamp bucket, nonce, and SHA-256 of the request body into one HMAC. Verification checks both the current and previous bucket to tolerate clock drift.
- Policy engine is a single pure function with 14 numbered rule branches that returns the next heartbeat interval and token TTL alongside the decision — so the agent self-throttles when things drift.
- Schema separates EnforcementProfile (operator policy knobs, versioned) from License (commercial terms), letting one profile govern many licenses without rewriting them.
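The heartbeat proof described under "interesting details", as an added TypeScript example that is not qubictether's own code: the canonical field order, the newline separator, hex encoding of the proof, and the shape of the per-install replay state are assumptions made here.

```typescript
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

export const BUCKET_MS = 5 * 60 * 1000; // 5-minute timestamp buckets

export interface HeartbeatFields {
  installId: string;
  licenseId: string;
  counter: number; // monotonic; must strictly increase per install
  nonce: string;   // random, single-use
  body: string;    // raw request body as sent over the wire
}

// Per-install state the server keeps for replay protection (assumed shape).
export interface InstallState {
  lastCounter: number;
  seenNonces: Set<string>;
}

export function bucketOf(nowMs: number): number {
  return Math.floor(nowMs / BUCKET_MS);
}

// Canonical string covered by the HMAC; the body enters as its SHA-256, not raw.
function canonical(f: HeartbeatFields, bucket: number): string {
  const bodyHash = createHash("sha256").update(f.body, "utf8").digest("hex");
  return [f.installId, f.licenseId, String(f.counter), String(bucket), f.nonce, bodyHash].join("\n");
}

// Agent side: one HMAC-SHA-256 over all bound fields, keyed with the per-install secret.
export function signHeartbeat(secret: Buffer, f: HeartbeatFields, nowMs: number): string {
  return createHmac("sha256", secret).update(canonical(f, bucketOf(nowMs))).digest("hex");
}

// Server side: reject replayed nonces and stale counters, then accept a proof
// computed for the current bucket or the previous one to tolerate clock drift.
export function verifyHeartbeat(
  secret: Buffer, f: HeartbeatFields, proofHex: string, nowMs: number, state: InstallState,
): "ok" | "replay" | "counter" | "bad_proof" {
  if (state.seenNonces.has(f.nonce)) return "replay";
  if (f.counter <= state.lastCounter) return "counter";
  const current = bucketOf(nowMs);
  const given = Buffer.from(proofHex, "hex");
  const matches = [current, current - 1].some((b) => {
    const expected = createHmac("sha256", secret).update(canonical(f, b)).digest();
    return expected.length === given.length && timingSafeEqual(expected, given);
  });
  if (!matches) return "bad_proof";
  state.seenNonces.add(f.nonce); // only record state once the proof is good
  state.lastCounter = f.counter;
  return "ok";
}
```

A proof from two buckets back, a reused nonce, a non-increasing counter, or a body edited in transit all fail, while a client whose clock lags the server by up to one bucket is still accepted.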
// tech stack
TypeScript
Next.js 14 (App Router)
React 18
Prisma ORM + PostgreSQL
jose (JWT / Ed25519)
bcryptjs
Tailwind + Radix UI
Recharts
Node crypto (HMAC-SHA-256, AES-256-GCM)
Want to collaborate on qubictether?
The repo is private — drop a note and tell us what brought you here.