Blog
Engineering insights, product updates, and the story behind ValidonX.
Licensing API Recipes: Copy-Paste Code for 4 Common Jobs
You do not need a licensing framework to add licensing — you need four requests. Here are copy-paste recipes for the jobs almost every app needs: validate a key before unlocking, gate a paid feature on an entitlement, activate a device to enforce seat limits, and release a seat on uninstall. Each is a single API call shown as a plain HTTP request, with the response you get back and the gotcha to watch.
Migrating From DIY Licensing to a Licensing API
You already built licensing — a keys table, a random-string generator, and plan checks scattered through the code. It works, but it is a system you now have to run and secure forever, and it is not your product. Here is how to migrate off a home-rolled licensing system onto an API incrementally, without downtime and without re-issuing every customer a new key overnight: map your model, backfill keys, shadow-validate, cut over, then decommission.
How to Add Licensing to Your SaaS or App (2026)
You have a product and you have plans — now you need to actually enforce them: check who is allowed to use what, cut off a cancelled customer, gate a paid feature. Here is how to add licensing to an application with an API, where to put the check, how to read and enforce entitlements, and how to do it without building a licensing system from scratch.
How to Verify Licenses Offline (Signed JWTs + JWKS)
Some software cannot phone home on every launch — air-gapped installs, CLIs, high call volumes, latency-sensitive checks. The answer is a signed license token the client verifies locally against a public key, with no per-check network call. Here is how offline verification works with Ed25519-signed JWTs and a JWKS endpoint, what it can honestly promise, and where its limits are.
GDPR Article 32: Security of Processing for SaaS
GDPR Article 32 is the one that says "secure the data" — appropriate technical and organisational measures proportionate to the risk. It names encryption and pseudonymisation, but prescribes no checklist, which is exactly what makes it hard. Here is what Article 32 actually asks for, how it maps to a SaaS platform, and how to demonstrate it.
Audit Trails for a Licensing System
Who issued this license, who revoked it, when did that entitlement change — and can you prove it six months later? An audit trail answers those questions, and it is what enterprise procurement, security reviews, and chargeback disputes all quietly depend on. Here is what a licensing audit log should record, what each entry needs, and how it coexists with GDPR.
How to Revoke a License Key (2026)
Refunds, chargebacks, fraud, leaked keys, contract endings — every licensing system eventually has to turn a license off after issuing it. The hard part is not flipping a flag; it is making "off" actually stick, fast, even for software that verifies offline. Here is how revocation works for opaque and signed licenses, and what revoked should really do.
Entitlements as Data, Not Code
Most teams start by hard-coding plan logic — if the plan is Pro, show this — scattered through the app. It rots: every pricing change becomes a deploy, and no one can say what a plan includes without grepping the codebase. Entitlements as data moves that decision out of code into a declarative payload you resolve at runtime. Here is what that buys you.
Per-Seat vs Per-Agent Licensing (2026)
Per-seat pricing counts humans at keyboards. AI agents are headless, ephemeral, and fan out from one to fifty under a single customer — so the seat stops meaning anything. Here is how per-seat and per-agent (usage-based) licensing differ, why seats break for agents, and what to meter instead.
Feature Entitlements vs a Plain License Key
A license key answers one question — is this valid? An entitlement answers the one that runs your business — what is this customer allowed to do? Here is the difference between a plain key and feature entitlements, why it matters the moment you have more than one plan, and how to store and enforce them.
How to License and Monetize an MCP Server (2026)
The Model Context Protocol lets an MCP server expose tools to AI clients — but says nothing about who may call them or how much. Licensing an MCP server means putting identity, entitlements, and idempotent metering in front of your tools. Here is how to monetize one without building the plumbing.
Should You Build Your Own Licensing System? (2026)
Building a license system looks like a weekend of key generation — until you add activation, entitlements, metering, offline verification, revocation, and the maintenance that never ends. A 2026 build-vs-buy guide: the real surface area, the hidden costs, and when each path is right.
GDPR Right to Erasure for SaaS: How to Handle Deletion Requests
How to handle GDPR right-to-erasure (right to be forgotten) requests in a SaaS: what Article 17 requires, when you can refuse and retain, delete vs anonymise, the deletion workflow, backups, and sub-processors.
The Indie & Startup GDPR Checklist for SaaS (2026)
The lean GDPR checklist for founders and small SaaS teams: the foundations, the paperwork enterprise buyers check, user rights, the Article 32 security basics, and the myths that waste founder time.
GDPR Data Residency and International Transfers for SaaS
How GDPR data residency and international transfers work for a SaaS: residency vs transfer, when a transfer is happening (often invisibly), the Article 44–49 mechanisms, SCCs and the post-Schrems II transfer impact assessment, and how to map your data flows.
Licensing and Metering for AI Agents: A Practical Guide
AI agents break seat-based licensing: they act autonomously, spin up and tear down, and consume usage in bursts. Here is how to license and meter agentic software — agent identity, entitlements, per-call metering, and rate limiting — without building it from scratch.
GDPR Compliance for SaaS: A Practical Guide (2026)
A practical, vendor-neutral guide to GDPR for SaaS: what personal data you process, your lawful basis, the data-subject rights you must honour, security under Article 32, DPAs and sub-processors, international transfers, and breach notification — with a 10-point checklist.
What Is Licensing as a Service (LaaS)?
Licensing as a Service moves license issuance, activation, and entitlement enforcement out of your codebase and into a hosted API. Here is what LaaS is, how it works, and when to buy instead of build.
How to Add a License Key API to Your App
A practical guide to generating, validating, and activating license keys over an API — the request flow, offline verification, device limits, and how to choose between building it and using a platform.
JWT vs Opaque License Keys: Which Should You Use?
Opaque keys are simple and instantly revocable; signed JWT licenses verify offline without a network call. Here is how the two models differ, the trade-offs, and why a platform can offer both.
Why Your SaaS Needs API-First Licensing
Hardcoded license checks don't scale. Here's why decoupling your licensing logic into an external API transforms how you ship, iterate, and govern your product.
Per-Tenant Rate Limiting in Multi-Tenant SaaS: A 6-Layer Approach
One tenant shouldn't be able to degrade the platform for everyone else. Here's how we enforce per-tenant rate limits across 6 layers — what each one does and why you need all of them.
How ValidonX Multi-Tenancy Works
A deep dive into our database-per-tenant architecture, the 12-stage provisioning pipeline, and how we guarantee complete data isolation between customers.
Building a License Key System for SaaS
How we designed ValidonX's license validation, activation tracking, and entitlement enforcement from scratch — and what we learned along the way.