← Back to blog

July 9, 2026 · 8 min read

Feature Entitlements vs a Plain License Key

A license key answers one question — is this valid? A feature entitlement answers the one that actually runs your business — what is this customer allowed to do? A plain key is a yes/no gate; entitlements encode the features, limits, seats, and quotas a plan grants. Most products outgrow the plain key the moment they have more than one plan. This is the difference between the two, why it matters, and how to store and enforce entitlements.

What a plain license key does — and doesn't

A license key like VLDX-7F3A-9C21-B8E4 is an identifier. Validating it tells you the key exists, belongs to this customer, and is active. That is genuinely useful — it is authentication for your software. But a bare key says nothing about which plan the customer is on, which features they have paid for, or how much they are allowed to use. Encode those in the key format itself ("PRO-5SEATS-...") and you have invented a fragile, unversioned data format you now have to parse everywhere.

What entitlements are

An entitlement is a structured claim attached to a license that describes what it grants. Instead of a bare "valid: true", a validation response carries the commercial reality:

→ 200 {
  "valid": true,
  "status": "active",
  "plan": "pro",
  "entitlements": {
    "features": ["export", "api_access", "sso"],
    "seats": 5,
    "api_calls_per_month": 100000,
    "expires_at": "2027-01-01"
  }
}

Now your software has everything it needs to decide behaviour: turn the export button on, allow up to five seats, enforce the monthly call quota, and stop at expiry — all from data, not from a special-cased key string.

Why the difference matters

  • Multiple plans. The moment you have Free, Pro, and Enterprise, a yes/no key can't tell them apart. Entitlements carry the plan and its limits.
  • Feature gating and upsell. Lock premium features behind an entitlement and you can offer, meter, and upsell them without shipping a new build.
  • Change packaging without a release. Repackage a feature from Enterprise into Pro by changing the entitlement mapping, not by editing checks scattered through your app.
  • Enforce real limits. Seats, activation counts, and usage quotas are numbers in the entitlement, checked at runtime — not tribal knowledge in a spreadsheet.

This is exactly where a payment tool that "also does license keys" stops and dedicated licensing begins: issuing a key on checkout is easy; resolving and enforcing entitlements across plans is the part that actually gates revenue.

Entitlements vs feature flags

They look similar and are easy to conflate. A feature flag is an internal toggle for rollout, experiments, or a kill-switch — its source of truth is your config. An entitlement is a commercial grant — its source of truth is the customer's license and plan. You often implement an entitlement as a flag, but confusing the two is how paid features leak to free users, or how a customer who paid for a capability finds it switched off. Keep the commercial decision (what did they buy?) separate from the rollout decision (is this feature live?).

Where entitlements live

There are two common patterns, and good platforms support both:

  • In the license (signed claims). Encode entitlements as claims in an Ed25519-signed JWT. The software reads and verifies them offline against a public key, with a short TTL so a stale or revoked license expires on its own — ideal for offline or edge software.
  • Resolved server-side (opaque key). Keep a random opaque key and look up its entitlements on each validation call. Nothing is baked into the key, so you can change entitlements instantly and revoke centrally — ideal for always-online software.

The trade-off is the usual one between offline verification and instant revocation; see JWT vs opaque license keys for the full comparison. Either way, the entitlements are structured data you resolve — not characters you parse out of a key.

Enforcing entitlements

Resolve the caller's entitlements on each request and check the specific capability or limit before allowing the action: is the feature in their grant, are they under their seat count, is this call within the monthly quota? Limits can be hard (block at the ceiling) or soft (allow overage and notify, which is friendlier for usage-based plans). Because the entitlement lives in the license and plan, changing what a tier unlocks is a config change, not a redeploy — keep the mapping as data rather than hard-coded checks (see entitlements as data, not code). For metered entitlements, record usage idempotently so retries are not double-counted — the same discipline described in licensing and metering for AI agents.

Build vs. buy

Entitlement resolution, feature gating, seat and quota enforcement, and both signed-claim and server-resolved storage are all buildable — and each is a place a homegrown "check the key" system quietly grows into a tangle of special cases. ValidonX treats entitlements as a first-class part of the license: every validation returns the plan and its entitlements, you gate features and enforce seats and quotas from that data, and you get both opaque keys and Ed25519-signed JWT licenses out of the box. It is the same model described in licensing as a service, and the reason a plain license key API is only the first step.

Frequently asked questions

What is the difference between a license key and an entitlement?

A license key is an identifier that answers one question — is this valid? An entitlement is a structured claim attached to that license that answers what the customer is allowed to do: which features are unlocked, how many seats or activations they get, what usage quota applies, and which plan they are on. The key proves who; the entitlements decide what.

What are feature entitlements?

Feature entitlements are the capabilities and limits a license grants — feature flags (is the export feature on?), numeric limits (5 seats, 10,000 API calls), a plan tier, and expiry. They travel with the license and are checked at runtime to decide what a customer’s software may do, so you can gate features and enforce limits by plan rather than hard-coding them.

Are entitlements the same as feature flags?

They overlap but differ in purpose. A feature flag is an internal toggle for rollout, experiments, or kill-switches. An entitlement is a commercial grant tied to what a customer paid for. You often implement an entitlement as a flag, but its source of truth is the license and plan, not an internal rollout config — and getting it wrong means giving away paid features or blocking ones a customer bought.

Where should entitlements be stored — in the key or on the server?

Both patterns work. Encode them as signed claims inside a JWT license and the software can read and verify them offline against a public key, with a short TTL to bound staleness. Or keep an opaque key and resolve entitlements server-side on each validation call, which lets you change them instantly. Many platforms offer both so you can pick per deployment.

How do you enforce entitlements?

Resolve the caller’s entitlements on each request and check the specific capability or limit before allowing the action — allow or block a feature, and compare usage against the quota. Limits can be hard (block at the ceiling) or soft (allow overage and notify). Because entitlements live in the license and plan rather than in your code, you can change what a plan unlocks without shipping a release.

Need entitlements, not just keys? Start free — issue a license, attach plan entitlements, and gate a feature in minutes, no credit card.

We use essential cookies for authentication and session management. Privacy Policy