Crate gatewarden


§Gatewarden

Hardened Keygen.sh license validation for Rust.

Gatewarden validates licenses via Keygen’s validate-key API and cryptographically verifies every response using Ed25519 signatures, preventing MITM attacks and spoofed validation responses.

§Features

  • Ed25519 signature verification — responses are signed by Keygen’s private key
  • Response freshness — 5-minute replay window prevents old response reuse
  • SHA-256 digest verification — detects body tampering (when header present)
  • Authenticated offline cache — validated responses cached with integrity checks
  • Fail-closed security — missing signatures/headers cause rejection, not bypass

§Quickstart

use gatewarden::{GatewardenConfig, LicenseManager};
use std::time::Duration;

fn main() -> Result<(), gatewarden::GatewardenError> {
    let config = GatewardenConfig {
        app_name: "myapp",
        feature_name: "pro",
        account_id: "your-keygen-account-id",
        public_key_hex: "your-keygen-ed25519-public-key-hex",
        required_entitlements: &["PRO_FEATURE"],
        user_agent_product: "myapp-pro",
        cache_namespace: "myapp-pro",
        offline_grace: Duration::from_secs(24 * 60 * 60), // 24 hours
    };

    let manager = LicenseManager::new(config)?;
    let result = manager.validate_key("LICENSE-KEY-HERE")?;

    if result.valid {
        println!("License valid! (cached: {})", result.from_cache);
    }
    Ok(())
}

§Threat Model

Gatewarden protects against:

  • MITM attacks — spoofed Keygen responses are rejected (signature mismatch)
  • Replay attacks — old responses rejected after 5-minute freshness window
  • Cache tampering — cached records are signature-verified on load

Gatewarden does not prevent binary patching or code modification. Client-side licensing can always be bypassed by a determined attacker with access to the binary.
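
The replay window, fail-closed header handling and offline grace listed above, sketched with the standard library only. This is an added example, not gatewarden's code: `ResponseMeta`, `Reject`, `check_fresh` and `check_cached` are hypothetical names, the timestamp is assumed to have been authenticated by the signature check already, and rejecting future-dated responses and rolled-back clocks is a choice made for this sketch.

```rust
use std::time::Duration;

/// Replay window stated in the feature list above: 5 minutes.
const FRESHNESS_WINDOW: Duration = Duration::from_secs(5 * 60);

#[derive(Debug, PartialEq)]
enum Reject { MissingSignature, MissingDate, OutsideWindow, GraceExpired }

/// Hypothetical view of a response after header parsing (not a gatewarden type).
struct ResponseMeta<'a> {
    signature: Option<&'a str>, // raw signature header, if the server sent one
    date_unix: Option<u64>,     // response timestamp, seconds since the epoch
}

/// Online path: a missing header is a rejection, never a skipped check.
fn check_fresh(meta: &ResponseMeta, now_unix: u64) -> Result<(), Reject> {
    meta.signature.ok_or(Reject::MissingSignature)?;
    let date = meta.date_unix.ok_or(Reject::MissingDate)?;
    // Assumption of this sketch: future-dated responses are held to the same window.
    if now_unix.abs_diff(date) > FRESHNESS_WINDOW.as_secs() {
        return Err(Reject::OutsideWindow);
    }
    Ok(())
}

/// Offline path: a cached record is usable only within `offline_grace` of its validation.
fn check_cached(validated_at_unix: u64, now_unix: u64, offline_grace: Duration) -> Result<(), Reject> {
    // Sketch's choice: a clock set before the validation time (None) is rejected too.
    match now_unix.checked_sub(validated_at_unix) {
        Some(age) if age <= offline_grace.as_secs() => Ok(()),
        _ => Err(Reject::GraceExpired),
    }
}

fn main() {
    let now = 1_700_000_000; // constructed "current time"
    let grace = Duration::from_secs(24 * 60 * 60);
    // Constructed sample responses: fresh, replayed after the window, signature stripped.
    let ok = ResponseMeta { signature: Some("sig"), date_unix: Some(now - 60) };
    let replayed = ResponseMeta { signature: Some("sig"), date_unix: Some(now - 301) };
    let stripped = ResponseMeta { signature: None, date_unix: Some(now) };
    println!("{:?}", check_fresh(&ok, now));
    println!("{:?}", check_fresh(&replayed, now));
    println!("{:?}", check_fresh(&stripped, now));
    println!("{:?}", check_cached(now - 3600, now, grace));
    println!("{:?}", check_cached(now - 90_000, now, grace));
}
```

Passing the current time in as a parameter keeps both checks deterministic under test, which is the role a clock abstraction plays in time-dependent validation logic.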

§Configuration

  • account_id — Your Keygen account ID (UUID)
  • public_key_hex — Keygen’s Ed25519 verify key (64 hex chars)
  • required_entitlements — Entitlement codes the license must have
  • offline_grace — How long cached validations remain valid offline

See GatewardenConfig for full documentation.

Re-exports§

pub use clock::Clock;
pub use clock::SystemClock;
pub use config::GatewardenConfig;
pub use errors::GatewardenError;
pub use manager::LicenseManager;
pub use manager::ValidationResult;
pub use policy::access::UsageCaps;
pub use protocol::models::LicenseState;

Modules§

cache
Authenticated license cache.
client
HTTP client for Keygen API.
clock
Deterministic clock abstraction for testable time-dependent logic.
config
Gatewarden configuration.
crypto
Cryptographic primitives for response verification.
errors
Gatewarden error types.
integrations
Optional framework integrations.
manager
License Manager - the main public API for Gatewarden.
meter
Usage metering.
policy
Access policy enforcement.
protocol
Keygen protocol models.