Get started · Integration guide

Integration guide

Wire Keysat licenses into your software in under an afternoon. The verifier is pure-function, offline, and ships in five lines.

Prerequisites

Before you start, you should have:

A Keysat installation running on your Start9 — see Installation.
BTCPay Server connected — see Connect BTCPay.
At least one product defined in the admin UI.

Install the SDK

Pick the SDK for your language. All three are wire-compatible — a license issued by your Keysat verifies identically in any of them.

# TypeScript
npm install @keysat/licensing-client

# Rust
cargo add licensing-client

# Python
pip install keysat-licensing-client

Embed your public key

Copy your issuer public key from Settings → Issuer key in the admin UI. Paste it into your application's source code as a compile-time constant.

const ISSUER_PEM = `-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAmz7q8r4t1v…h3k2pXq9wL
-----END PUBLIC KEY-----`;

Embed it. Don't fetch it. The whole point of offline verification is that your software can't be tricked by a network-level attacker. If you fetch the public key at runtime, you're back to trusting a server.

Verify a license

Read the user's license key from wherever you store it (a file, the keychain, an env var) and verify it at startup.

import { Verifier, PublicKey } from '@keysat/licensing-client'

const verifier = new Verifier(PublicKey.fromPem(ISSUER_PEM))
const ok = verifier.verify(licenseKeyFromUser)

if (!ok.valid) exitUnlicensed()
if (!ok.entitlements.has('export')) disableExport()

Renewals & revocation

Keysat licenses are signed at issue time and do not phone home. If a license is revoked in the admin UI, the existing key continues to verify — that's the trade-off for offline. To support revocation, ship a thin online check that runs on a cadence (e.g. once a week) against your Keysat's public revocation feed.

You decide the policy. Many indie developers don't ship revocation at all — once a key is sold, it stays valid. That's perfectly reasonable.