Blog

Engineering insights, product updates, and the story behind ValidonX.

·8 min read

Licensing API Recipes: Copy-Paste Code for 4 Common Jobs

You do not need a licensing framework to add licensing — you need four requests. Here are copy-paste recipes for the jobs almost every app needs: validate a key before unlocking, gate a paid feature on an entitlement, activate a device to enforce seat limits, and release a seat on uninstall. Each is a single API call shown as a plain HTTP request, with the response you get back and the gotcha to watch.

LicensingAPIIntegration
·9 min read

Migrating From DIY Licensing to a Licensing API

You already built licensing — a keys table, a random-string generator, and plan checks scattered through the code. It works, but it is a system you now have to run and secure forever, and it is not your product. Here is how to migrate off a home-rolled licensing system onto an API incrementally, without downtime and without re-issuing every customer a new key overnight: map your model, backfill keys, shadow-validate, cut over, then decommission.

LicensingIntegrationMigration
·9 min read

How to Add Licensing to Your SaaS or App (2026)

You have a product and you have plans — now you need to actually enforce them: check who is allowed to use what, cut off a cancelled customer, gate a paid feature. Here is how to add licensing to an application with an API, where to put the check, how to read and enforce entitlements, and how to do it without building a licensing system from scratch.

LicensingIntegrationAPI
·9 min read

How to Verify Licenses Offline (Signed JWTs + JWKS)

Some software cannot phone home on every launch — air-gapped installs, CLIs, high call volumes, latency-sensitive checks. The answer is a signed license token the client verifies locally against a public key, with no per-check network call. Here is how offline verification works with Ed25519-signed JWTs and a JWKS endpoint, what it can honestly promise, and where its limits are.

LicensingJWTSecurity
·8 min read

GDPR Article 32: Security of Processing for SaaS

GDPR Article 32 is the one that says "secure the data" — appropriate technical and organisational measures proportionate to the risk. It names encryption and pseudonymisation, but prescribes no checklist, which is exactly what makes it hard. Here is what Article 32 actually asks for, how it maps to a SaaS platform, and how to demonstrate it.

GDPRSecurityCompliance
·8 min read

Audit Trails for a Licensing System

Who issued this license, who revoked it, when did that entitlement change — and can you prove it six months later? An audit trail answers those questions, and it is what enterprise procurement, security reviews, and chargeback disputes all quietly depend on. Here is what a licensing audit log should record, what each entry needs, and how it coexists with GDPR.

LicensingSecurityCompliance
·8 min read

How to Revoke a License Key (2026)

Refunds, chargebacks, fraud, leaked keys, contract endings — every licensing system eventually has to turn a license off after issuing it. The hard part is not flipping a flag; it is making "off" actually stick, fast, even for software that verifies offline. Here is how revocation works for opaque and signed licenses, and what revoked should really do.

LicensingSecurityAPI
·8 min read

Entitlements as Data, Not Code

Most teams start by hard-coding plan logic — if the plan is Pro, show this — scattered through the app. It rots: every pricing change becomes a deploy, and no one can say what a plan includes without grepping the codebase. Entitlements as data moves that decision out of code into a declarative payload you resolve at runtime. Here is what that buys you.

LicensingEntitlementsEngineering
·8 min read

Per-Seat vs Per-Agent Licensing (2026)

Per-seat pricing counts humans at keyboards. AI agents are headless, ephemeral, and fan out from one to fifty under a single customer — so the seat stops meaning anything. Here is how per-seat and per-agent (usage-based) licensing differ, why seats break for agents, and what to meter instead.

LicensingAI AgentsPricing
·8 min read

Feature Entitlements vs a Plain License Key

A license key answers one question — is this valid? An entitlement answers the one that runs your business — what is this customer allowed to do? Here is the difference between a plain key and feature entitlements, why it matters the moment you have more than one plan, and how to store and enforce them.

LicensingEntitlementsProduct
·8 min read

How to License and Monetize an MCP Server (2026)

The Model Context Protocol lets an MCP server expose tools to AI clients — but says nothing about who may call them or how much. Licensing an MCP server means putting identity, entitlements, and idempotent metering in front of your tools. Here is how to monetize one without building the plumbing.

LicensingAI AgentsMCP
·9 min read

Should You Build Your Own Licensing System? (2026)

Building a license system looks like a weekend of key generation — until you add activation, entitlements, metering, offline verification, revocation, and the maintenance that never ends. A 2026 build-vs-buy guide: the real surface area, the hidden costs, and when each path is right.

LicensingBuild vs BuyEngineering
·8 min read

GDPR Right to Erasure for SaaS: How to Handle Deletion Requests

How to handle GDPR right-to-erasure (right to be forgotten) requests in a SaaS: what Article 17 requires, when you can refuse and retain, delete vs anonymise, the deletion workflow, backups, and sub-processors.

ComplianceGDPRSaaS
·7 min read

The Indie & Startup GDPR Checklist for SaaS (2026)

The lean GDPR checklist for founders and small SaaS teams: the foundations, the paperwork enterprise buyers check, user rights, the Article 32 security basics, and the myths that waste founder time.

ComplianceGDPRSaaS
·8 min read

GDPR Data Residency and International Transfers for SaaS

How GDPR data residency and international transfers work for a SaaS: residency vs transfer, when a transfer is happening (often invisibly), the Article 44–49 mechanisms, SCCs and the post-Schrems II transfer impact assessment, and how to map your data flows.

ComplianceGDPRSaaS
·9 min read

Licensing and Metering for AI Agents: A Practical Guide

AI agents break seat-based licensing: they act autonomously, spin up and tear down, and consume usage in bursts. Here is how to license and meter agentic software — agent identity, entitlements, per-call metering, and rate limiting — without building it from scratch.

LicensingAI AgentsMetering
·11 min read

GDPR Compliance for SaaS: A Practical Guide (2026)

A practical, vendor-neutral guide to GDPR for SaaS: what personal data you process, your lawful basis, the data-subject rights you must honour, security under Article 32, DPAs and sub-processors, international transfers, and breach notification — with a 10-point checklist.

ComplianceGDPRSaaS
·7 min read

What Is Licensing as a Service (LaaS)?

Licensing as a Service moves license issuance, activation, and entitlement enforcement out of your codebase and into a hosted API. Here is what LaaS is, how it works, and when to buy instead of build.

LicensingLaaSStrategy
·8 min read

How to Add a License Key API to Your App

A practical guide to generating, validating, and activating license keys over an API — the request flow, offline verification, device limits, and how to choose between building it and using a platform.

LicensingAPI DesignTutorial
·7 min read

JWT vs Opaque License Keys: Which Should You Use?

Opaque keys are simple and instantly revocable; signed JWT licenses verify offline without a network call. Here is how the two models differ, the trade-offs, and why a platform can offer both.

LicensingSecurityEngineering
·6 min read

Why Your SaaS Needs API-First Licensing

Hardcoded license checks don't scale. Here's why decoupling your licensing logic into an external API transforms how you ship, iterate, and govern your product.

ProductStrategyAPI Design
·9 min read

Per-Tenant Rate Limiting in Multi-Tenant SaaS: A 6-Layer Approach

One tenant shouldn't be able to degrade the platform for everyone else. Here's how we enforce per-tenant rate limits across 6 layers — what each one does and why you need all of them.

EngineeringSecurityArchitecture
·8 min read

How ValidonX Multi-Tenancy Works

A deep dive into our database-per-tenant architecture, the 12-stage provisioning pipeline, and how we guarantee complete data isolation between customers.

ArchitectureMulti-TenancyEngineering
·10 min read

Building a License Key System for SaaS

How we designed ValidonX's license validation, activation tracking, and entitlement enforcement from scratch — and what we learned along the way.

LicensingProductEngineering

We use essential cookies for authentication and session management. Privacy Policy