← Back to blog

JWT vs Opaque License Keys: Which Should You Use?

An opaque license key is a random string that means nothing until the server looks it up — simple, and instantly revocable. A JWT license is a signed token carrying its own claims, so software can verify it offline against a public key. The right choice depends on whether your software is online, and how fast you need revocation to take effect.

Opaque keys

An opaque key (for example VLDX-7F3A-9C21-B8E4) is just an identifier. All the meaning — which plan, which entitlements, active or revoked — lives in the licensing server's database. Your software sends the key to a validate endpoint and trusts the answer.

  • Instant revocation — flip a row and the next check fails immediately
  • Nothing leaks — the string reveals no claims; state stays server-side
  • Always current — every check reflects the live plan and entitlements
  • Requires a network call — no connection, no validation

Signed JWT licenses

A JWT license is a token whose payload carries the claims — product, plan, entitlements, expiry — signed with the platform's private key. Your software verifies the signature offline against the public key (published at a JWKS endpoint). If the signature checks out and the token hasn't expired, the license is valid — no server round trip.

  • Offline verification — perfect for desktop, CLI, and air-gapped software
  • No validation latency — verification is local cryptography
  • Self-describing — the entitlements travel inside the token
  • Revocation lags — a token is valid until it expires, so use short TTLs

The core trade-off: revocation vs. offline

You can't have instant revocation and pure offline verification at once. Opaque keys give you instant revocation because every check hits the server. JWTs give you offline verification because no check hits the server — which means a revoked-but-unexpired token keeps working until it expires. The standard mitigation is a short time-to-live: ValidonX issues JWT licenses with a 96-hour TTL, so a revoked license stops working within days even offline, while online software re-fetches a fresh token well before expiry.

When to use which

  • Use opaque keys for always-online SaaS and web apps where instant revocation matters and a network call is free.
  • Use JWT licenses for desktop, CLI, embedded, or occasionally-connected software that must verify without a reliable network.
  • Use both when your product spans both worlds — many vendors do.

This is why ValidonX supports both, additively: a legacy opaque-hex path and an Ed25519-signed JWT path with a JWKS endpoint. You pick per product, not per platform. For the request mechanics, see how to add a license key API to your app.

Frequently asked questions

Are JWT license keys secure? Yes, when signed with a strong asymmetric algorithm (Ed25519 or RSA) and verified against the public key. Never use unsigned or symmetric-secret tokens for licensing — anyone with the secret could mint licenses.

Can a JWT license be revoked? Not instantly. A signed token is valid until it expires, so keep TTLs short (hours to days) and re-issue. If you need instant revocation, use opaque keys for that product.

Which is better, JWT or opaque? Neither is universally better — it's the revocation-vs-offline trade-off. Online software favours opaque; offline software favours JWT.

Want both models on one platform? Start free with ValidonX — no credit card.

We use essential cookies for authentication and session management. Privacy Policy