LicenPro

RSA keys & signing

LicenPro signs each license.bin with your product’s RSA private key stored only on the server. Your distributed applications embed the matching public key so the SDK can verify integrity and authenticity without ever receiving the private key.

Private key

Server-only; signs license payloads.

Public key

Shipped in the client; verifies signatures.

Download

Available from the REST API and the dashboard as PEM or JSON.

How signing fits validation

When LicenseClient.ValidateAsync runs, it passes your public key to LicenseUtils.LoadLicensingSecrets(...) and verifies the RSA signature over the license payload. If the customer swaps in another product’s file, if any bytes are changed, or if you rotated keys without re-issuing licenses, verification fails with LicenseValidationStatus.SignatureMismatch and actionable error text from the SDK.

Dashboard operations

  1. Open the product → keys / security section.
  2. Generate a new RSA pair when onboarding a product (one-time per environment strategy).
  3. Copy / download public key and embed Base64 (strip PEM headers) into config or code.
  4. Never export the private key to customer apps — only LicenPro services use it to sign.
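
Steps 3 and 4 above, as an added example (not LicenPro code): a Python helper that strips the PEM headers from a downloaded key and refuses any block that is not a public key, so a private key cannot be pasted into client configuration. The function names, the accepted PEM labels and the sample PEM are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Assumption: the downloaded file uses one of the standard public-key labels.
# Anything else (notably the "PRIVATE KEY" variants) is refused.
PUBLIC_LABELS = {"PUBLIC KEY", "RSA PUBLIC KEY"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def pem_to_embeddable_base64(pem_text: str) -> str:
    """Return the single-line Base64 body of exactly one public-key PEM block.

    Raises ValueError for private keys, multiple blocks, or a corrupt body.
    """
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label not in PUBLIC_LABELS:
        raise ValueError(f"refusing to embed PEM block of type {label!r}")

    b64 = "".join(body.split())  # drop line breaks and indentation
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid Base64: {exc}") from exc
    # A DER-encoded key always starts with an ASN.1 SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    return b64


def sample_pem(label: str) -> str:
    """Constructed stand-in PEM: a tiny DER SEQUENCE, not a real key."""
    b64 = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x05])).decode()
    return f"-----BEGIN {label}-----\n{b64[:4]}\n{b64[4:]}\n-----END {label}-----\n"


if __name__ == "__main__":
    print(pem_to_embeddable_base64(sample_pem("PUBLIC KEY")))
    try:
        pem_to_embeddable_base64(sample_pem("RSA PRIVATE KEY"))
    except ValueError as err:
        print("rejected:", err)
```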

REST API (product owner JWT)

Routes under /api/Products/{id}/keys/... (authorized product access):

  • POST /api/Products/{id}/keys/generate — create/regenerate key material for the product.
  • GET /api/Products/{id}/keys/status — whether keys exist / metadata.
  • GET /api/Products/{id}/keys/public — JSON payload with public key for SDK wiring.
  • GET /api/Products/{id}/keys/public/download — file download (PEM) for operators.

All of the above require an authorized user with product resource access (see API authorization policies).

Related security REST

POST /api/security/derive-key (anonymous) derives a key from licenseKey + salt Base64 — used in protected license file flows where the customer key participates in decryption (SDK coordinates this with LicenseFileProtector patterns).

SDK embedding

Pass the Base64 public key (no PEM headers) to LicenseClientOptions.PublicKey. The client configures LicenseUtils internally; you normally do not call LoadLicensingSecrets yourself for simple integrations.

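using LicenPro.SDK;

await using var client = new LicenseClient(new LicenseClientOptions {
    // Path to the signed license file issued for this product.
    LicenseFilePath = "license.bin",
    // Base64 public key with PEM headers stripped (truncated here).
    PublicKey = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...",
    // The customer's license key (truncated here).
    LicenseKey = "LP-...."
});

Rotation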

Regenerating keys invalidates every license file signed with the previous private key. Plan rotation: publish new app builds with the new public key, re-issue license.bin files, and stagger customer upgrades.