Crate gatewarden 

Gatewarden

Hardened Keygen.sh license validation for Rust.

Gatewarden validates licenses via Keygen’s validate-key API and cryptographically verifies every response using Ed25519 signatures, preventing MITM attacks and spoofed validation responses.

Features

• Ed25519 signature verification — responses are signed by Keygen’s private key
• Response freshness — 5-minute replay window prevents old response reuse
• SHA-256 digest verification — detects body tampering (when header present)
• Authenticated offline cache — validated responses cached with integrity checks
• Fail-closed security — missing signatures/headers cause rejection, not bypass

Quickstart

use gatewarden::{GatewardenConfig, LicenseManager};
use std::time::Duration;

fn main() -> Result<(), gatewarden::GatewardenError> {
    let config = GatewardenConfig {
        app_name: "myapp".to_string(),
        feature_name: "pro".to_string(),
        account_id: "your-keygen-account-id".to_string(),
        public_key_hex: "your-ed25519-public-key-64-hex-chars".to_string(),
        required_entitlements: vec!["PRO_FEATURE".to_string()],
        user_agent_product: "myapp-pro".to_string(),
        cache_namespace: "myapp-pro".to_string(),
        offline_grace: Duration::from_secs(24 * 60 * 60), // 24 hours
    };

    let manager = LicenseManager::new(config)?;
    let result = manager.validate_key("LICENSE-KEY-HERE")?;

    if result.valid {
        println!("License valid! (cached: {})", result.from_cache);
    }
    Ok(())
}

Threat Model

Gatewarden protects against:

• MITM attacks — spoofed Keygen responses are rejected (signature mismatch)
• Replay attacks — old responses rejected after 5-minute freshness window
• Cache tampering — cached records are signature-verified on load

Gatewarden does not prevent binary patching or code modification. Client-side licensing can always be bypassed by a determined attacker with access to the binary.

Configuration

• account_id — Your Keygen account ID (UUID)
• public_key_hex — Keygen’s Ed25519 verify key (64 hex chars)
• required_entitlements — Entitlement codes the license must have
• offline_grace — How long cached validations remain valid offline

See GatewardenConfig for full documentation.

Re-exports

pub use clock::Clock;

pub use clock::SystemClock;

pub use config::GatewardenConfig;

pub use errors::GatewardenError;

pub use manager::LicenseManager;

pub use manager::ValidationResult;

pub use policy::access::UsageCaps;

pub use protocol::models::LicenseState;

pub use policy::fse::engine::evaluate_policy;

pub use policy::fse::engine::EvaluationReport;

pub use policy::fse::model::EvalInput as FseEvalInput;

pub use policy::fse::model::Predicate as FsePredicate;

pub use policy::fse::model::Rule as FseRule;

pub use policy::fse::model::RuleDecision as FseRuleDecision;

pub use policy::fse::model::Selector as FseSelector;

pub use policy::fse::model::Value as FseValue;

pub use policy::fse::runtime::RuleOutcome as FseRuleOutcome;

pub use policy::fse::runtime::RuntimeState as FseRuntimeState;

Modules

cache

Authenticated license cache.

client

HTTP client for Keygen API.

clock

Deterministic clock abstraction for testable time-dependent logic.

config

Gatewarden configuration.

crypto

Cryptographic primitives for response verification.

errors

Gatewarden error types.

integrations

Optional framework integrations.

manager

License Manager - the main public API for Gatewarden.

meter

Usage metering.

policy

Access policy enforcement.

protocol

Keygen protocol models.