Features

Everything you need to license, activate, meter, and govern your SaaS product.

Integration API

I

License Validation

POST /v1/integration/licenses/{key}/validate — real-time validation with status, expiry, and entitlement checks. Returns structured JSON envelopes with request tracking.

I

Activation Management

POST /v1/integration/activations — create and validate per-device activations. Built-in idempotency (same license + instance returns existing activation). Enforces max activation limits.

I

Entitlement Checking

POST /v1/integration/entitlements/check — boolean and metered entitlement checks against the license entitlements JSON. Returns granted/denied per feature.

I

Usage Recording

POST /v1/integration/usage/record — record metered usage events with optional X-Idempotency-Key header. Supports custom metrics and metadata.

Platform

P

Tenant Provisioning

12-stage idempotent pipeline: validate, create DB, migrate, seed config, subscription, entitlements, usage counters, branding, API key, webhooks, audit, health check.

P

Tenant Resolution

Middleware-based resolution via X-API-Key (Integration API) or Bearer token + X-Tenant-ID (Dashboard). Automatic database connection switching per request.

Dashboard

D

Admin Dashboard

Full admin console: tenant management, lifecycle actions (suspend/reactivate/close), platform metrics, audit logs, product catalog, feature flags, billing operations.

D

Tenant Dashboard

Self-service portal: products, licenses, activations, entitlements, API keys, settings, billing invoices, subscription management, payment methods.

Security

S

Rate Limiting

Per-API-key rate limiting with X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset headers. 429 responses with Retry-After. Configurable limits via environment.

S

Audit Logging

Every state mutation logged to platform audit_logs table. Structured event codes (ACTIVATION.CREATED, LICENSE.VALIDATED, USAGE.RECORDED), severity levels, tenant context.

S

Error Taxonomy

ADR-009 compliant error envelopes: { error: { code, message, type, status }, meta: { request_id, api_version } }. Machine-readable codes, no stack trace leakage.

S

HMAC-SHA256 Key Hashing

API keys hashed with HMAC-SHA256 using APP_KEY. Never stored in plaintext. Constant-time comparison via hash_equals(). Fire-and-forget last_used_at tracking.

We use essential cookies for authentication and session management. Privacy Policy