Reliability

Your customers keep running, even during our outages.

A licensing API sits on your revenue path. Every minute we are unreachable is a minute your app could fail to start. That is why the SDK is built to outlive our outages, and why leaving us is always possible.

Live status

Public uptime probes for the API and the dashboard, updated every minute.

View status page →

72-hour offline grace

Built into the SDK, on by default.

When validate() returns valid:true, the SDK writes the verdict to a local cache. If the next call fails because our API is unreachable (network error, timeout, or 5xx), the SDK transparently replays the cached verdict for up to 72 hours. Authoritative negatives like revocation, expiration, or any 4xx are never cached and always honored. A revoked license stays revoked.

  • Default 72 h, configurable via gracePeriodMs (max 30 days).
  • Pluggable storage: memoryCache (default), fileSystemCache(path), or your own.
  • Only positive verdicts are cached. Revocations propagate immediately.
  • License keys are hashed before being used as cache keys. Raw keys are never written to disk.
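
import { app } from 'electron'; // app.getPath('userData') below is Electron's per-user data directory
import { createClient, fileSystemCache } from '@paperkeyhq/sdk';

const paperkey = createClient({
  apiKey: process.env.PAPERKEY_PK!,
  // Persist verdicts on disk so the grace period survives an app restart.
  cache: fileSystemCache({ path: app.getPath('userData') }),
});

// licenseKey and fingerprint are supplied by your app.
const result = await paperkey.validate(licenseKey, fingerprint);
if (result.source === 'cache') {
  // We are running on the last verified verdict.
  // The user's session continues normally.
}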

Available since @paperkeyhq/sdk v0.3.0.
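
The grace rules above written out as a decision function. This is an added illustration, not code from @paperkeyhq/sdk. SHA-256 as the key hash, the shape of the outcome object, and the 'api' and 'unavailable' source labels are assumptions of this sketch; only source 'cache' appears on this page.

```javascript
const { createHash } = require('node:crypto');

const GRACE_MS = 72 * 60 * 60 * 1000; // the page's default: 72 hours

// Entries are addressed by a hash of the license key (SHA-256 assumed here),
// so the raw key never reaches the storage backend.
function cacheKey(licenseKey) {
  return createHash('sha256').update(licenseKey, 'utf8').digest('hex');
}

// Assumed shapes, not the SDK's: outcome is { networkError: true } for a
// network error or timeout, else { status, valid }. cache is any Map-like store.
function resolveVerdict(licenseKey, outcome, cache, now, graceMs = GRACE_MS) {
  const id = cacheKey(licenseKey);
  const unreachable = outcome.networkError === true || outcome.status >= 500;
  if (unreachable) {
    const entry = cache.get(id);
    if (entry && now - entry.verifiedAt <= graceMs) {
      return { valid: true, source: 'cache' }; // replay the last positive verdict
    }
    cache.delete(id); // missing, or older than the grace window
    return { valid: false, source: 'unavailable' };
  }
  if (outcome.status === 200 && outcome.valid === true) {
    cache.set(id, { verifiedAt: now }); // only positive verdicts are stored
    return { valid: true, source: 'api' };
  }
  // Revocation, expiration or any 4xx is authoritative and never cached.
  // Dropping the old positive entry (a choice made in this sketch) keeps a
  // later outage from reviving it.
  cache.delete(id);
  return { valid: false, source: 'api' };
}

// Constructed walk-through: verify, outage, outage past grace, re-verify,
// revocation, outage again.
function demo() {
  const cache = new Map();
  const key = 'DEMO-KEY-0000'; // constructed sample key
  const hour = 60 * 60 * 1000;
  return [
    resolveVerdict(key, { status: 200, valid: true }, cache, 0),
    resolveVerdict(key, { status: 503 }, cache, 71 * hour),
    resolveVerdict(key, { networkError: true }, cache, 73 * hour),
    resolveVerdict(key, { status: 200, valid: true }, cache, 80 * hour),
    resolveVerdict(key, { status: 403 }, cache, 81 * hour),
    resolveVerdict(key, { networkError: true }, cache, 82 * hour),
  ].map((v) => `${v.valid}/${v.source}`);
}
```

The last two steps are the case to check in any grace-cache design: once a 4xx has been seen, an outage right after it must not bring the license back.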

How we run

A small, predictable stack.

No magic. The SDK is MIT-licensed. The runtime stack is intentionally boring: a single managed database, a small set of stateless API replicas behind an edge proxy, and a job queue for outbound webhooks.

  • API runtime served behind an edge proxy with TLS 1.3 and HTTP/3.
  • Managed database with daily encrypted backups and point-in-time recovery.
  • Webhooks signed with HMAC-SHA-256, 5 second timeout, auto-pause after 10 consecutive failures.
  • Dashboard auth via httpOnly JWT cookie. Public API via Bearer keys with per-IP and per-key rate limits.
  • Hosted in the EU. License data stays in the EU.

Zero lock-in

Leaving us is always possible.

You are not betting your business on us being around forever. Concrete escape hatches exist today, and we keep adding more.

  • MIT-licensed SDK: @paperkeyhq/sdk on npm. Fork it, vendor it, or swap its baseUrl to point at any compatible backend.
  • Self-custody export: from the dashboard, you can download every license and activation per product as CSV or JSON, any time.
  • Self-hostable runtime: a packaged release runs the production stack on your own server, on the same recipe we run.

Honest list

What we do not claim yet.

A licensing provider that overstates its compliance posture is a liability.

  • No formal SLA. One will be published before general availability, alongside a public incident history.
  • No SOC 2 or ISO 27001. We are not at the scale where these audits are meaningful, and a fake badge would not help.
  • No PCI scope. We do not process payment cards. Your customers pay you on Stripe, Lemon Squeezy, Paddle, etc. Paperkey only issues and validates the license.
  • No "Trusted by 50+ startups" badge until 50+ startups actually ship with us.

Questions about how we operate?

Email a real person. We answer in business hours, often faster.

Still evaluating?

Read the 5-minute quickstart. Or skip it: the SDK has decent defaults and the dashboard explains itself.