RSA keys, signing & API credentials
LicenPro uses two different kinds of keys: RSA signing keys (per product, for license.bin) and account API keys (for your automation scripts with scoped REST access). Customer apps and the SDK need the product public key and optionally the product X-API-KEY—never your RSA private key or operator password.
RSA private key
Server-only; signs every license file.
RSA public key
Embed in apps; SDK verifies signatures.
Account API keys
JWT-backed REST automation with scopes.
Part 1 — RSA signing keys (per product)
Each product has its own RSA key pair. When you issue or download a license, LicenPro signs the payload with the private key stored on the server. Your application embeds only the matching public key so LicenseClient can prove the file was issued for that product and was not tampered with.
Dashboard: generate and download
- Open the product → Settings (
/dashboard/products/.../settings). - Scroll to License signing keys (RSA).
- Click Generate keys if none exist, or Regenerate when rotating (see warning below).
- Click Download public key (PEM) for operators or copy Base64 material for SDK config.
The private key never leaves LicenPro. Do not paste it into apps, config files, or customer deliverables.
How signing fits validation
LicenseClient.ValidateAsync loads your public key (via LicenseClientOptions.PublicKey) and verifies the RSA signature on license.bin. Wrong product file, edited bytes, or stale key after rotation yields LicenseValidationStatus.SignatureMismatch.
using LicenPro.SDK;
await using var client = new LicenseClient(new LicenseClientOptions {
LicenseFilePath = "license.bin",
PublicKey = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...",
LicenseKey = "LP-...."
});REST API (operator JWT)
Authorized product access required:
POST /api/Products/{id}/keys/generate— create or regenerate pair.GET /api/Products/{id}/keys/status— whether keys exist and metadata.GET /api/Products/{id}/keys/public— JSON public key for integrations.GET /api/Products/{id}/keys/public/download— PEM file download.
Key rotation
Regenerating RSA keys invalidates every license.bin signed with the old private key. Plan: publish app builds with the new public key, re-issue licenses, and stagger customer upgrades.
Related: derive-key endpoint
POST /api/security/derive-key (anonymous) derives material from licenseKey and salt for protected license file flows. The SDK coordinates this with LicenseFileProtector patterns where the customer key participates in decryption.
Part 2 — Account API keys (REST automation)
Separate from RSA and separate from the per-product X-API-KEY used on anonymous validation routes. Account API keys authenticate automation (CI, billing jobs, internal tools) to management APIs using scoped permissions. Manage them under Settings → API keys (/dashboard/settings, Developer & account section).
Generate API Key modal
Click Generate API Key and complete the form:
- Name (required) — e.g. CI/CD Pipeline.
- Description (optional) — rich text explaining purpose.
- Expiration date (optional) — leave empty for no expiration.
- Scopes — least privilege; typical pairs:
- Read / Write Licenses
- Read / Write Activations
- Read / Write Products
- Read / Write Releases
After Generate Key, the secret is shown once. Copy it to a vault immediately; revoked keys cannot be recovered.
Credentials cheat sheet
- Operator JWT — browser session after dashboard login; management routes.
- Account API key — scoped automation from Settings → API keys.
- Product X-API-KEY — per-product header for anonymous product routes (e.g. validate).
- RSA public key — verify
license.binin the SDK. - RSA private key — never distributed; signs on server only.
See also Credentials at a glance on the system overview.
