Expand description
§Keylight
Open-source Rust SDK for Keylight — license your Rust apps, CLIs, daemons, and Tauri desktop apps with online activation and offline Ed25519 license verification.
The API is synchronous and runtime-free: blocking HTTP (ureq), no async, and no
background threads. You drive re-validation on launch and on app events with
Keylight::check_on_launch / Keylight::refresh_if_needed.
§Quickstart
use keylight::{Keylight, KeylightConfig};
// Build a config and fetch the tenant's trusted Ed25519 keyset so leases can be
// verified offline (or pin keys with `.trusted_key(kid, pub_b64)`).
let mut cfg = KeylightConfig::builder("your-tenant", "your-product", "sdk_live_…")
.max_offline_days(7)
.build();
if let Some((_, keys)) = keylight::keyset::fetch_keyset(
&keylight::http::ureq_transport::UreqTransport::default(),
&cfg.base_url,
&cfg.tenant_id,
) {
cfg.trusted_keys.extend(keys);
}
let kl = Keylight::new(cfg)?;
let result = kl.activate("USER-LICENSE-KEY")?;
if result.activated && kl.has_entitlement("pro") {
println!("Pro features unlocked");
}§How it works
- Activation (
Keylight::activate) exchanges a license key for a signedv3Lease. The lease is Ed25519-verified (verify_lease) against the trusted keyset before anything is persisted. - Offline, the cached lease is the single source of truth:
Keylight::has_entitlementandKeylight::stateresolve from it with aSKEW_SECONDS-second clock-skew tolerance and an optionalmax_offline_daysgrace window. - Storage is device-bound and encrypted with ChaCha20-Poly1305
(
EncryptedFileStore); both the store (LicenseStore) and the HTTP transport (http::Transport) are swappable traits for tests or custom platforms.
§Feature map
| Area | Entry points |
|---|---|
| Lifecycle | Keylight::activate, Keylight::validate, Keylight::deactivate |
| Offline refresh | Keylight::refresh_if_needed, Keylight::check_on_launch |
| State & entitlements | Keylight::state, LicenseState, Keylight::has_entitlement |
| Trials & free tier | Keylight::start_trial, Keylight::check_trial, Keylight::report_keyless_state |
| Events | Keylight::with_event_handler, LicenseLifecycleEvent |
| Offline verification | verify_lease, Lease, SKEW_SECONDS |
The lease verifier is gated by Keylight’s frozen SP-0 conformance vectors, keeping offline verification behavior identical across the Keylight SDK family.
Re-exports§
pub use error::KeylightError;pub use error::Result;pub use config::KeylightConfig;pub use config::KeylightConfigBuilder;pub use keyset::parse_keyset;pub use lease::Lease;pub use verifier::verify_lease;pub use verifier::VerifyResult;pub use verifier::SKEW_SECONDS;pub use store::device::DeviceIdentity;pub use store::device::FixedDeviceIdentity;pub use store::device::SystemDeviceIdentity;pub use store::encrypted_file::EncryptedFileStore;pub use store::LicenseStore;pub use client::ActivationResult;pub use client::Keylight;pub use client::ValidationResult;pub use state::lifecycle_event;pub use state::resolve_state;pub use state::KeylessState;pub use state::LicenseLifecycleEvent;pub use state::LicenseState;pub use state::TrialStatus;pub use clock::clock_manipulated;
Modules§
- client
- The
Keylightclient: activation, validation, deactivation, offline state resolution, trials, the keyless beacon, refresh timing, and lifecycle events. - clock
- Heuristic detection of system-clock manipulation (backward/forward jumps).
- config
KeylightConfigand its builder, including client-side key-format validation.- error
- The crate error type
KeylightErrorand itsResultalias. - http
- keyset
- Fetch and parse a tenant’s trusted Ed25519 keyset from
/.well-known/keylight-keys. - lease
- The signed
v3Lease— the offline artifact — and reconstruction of its canonical signed payload. - state
- License state, trial/keyless status, lifecycle events, and the pure state resolver.
- store
- License storage: the
LicenseStoretrait, stable account keys, per-OS device identity, and the default device-bound encrypted file store. - telemetry
- SDK/platform/app-version telemetry fields attached to API requests.
- verifier
- Ed25519 lease verification with a fixed clock-skew tolerance (
SKEW_SECONDS). This module is gated by the SP-0 conformance vectors.