Originally published on the Keylight blog.
A license check that needs a server is a license check that fails on a plane. For desktop and CLI apps that is unacceptable, so Keylight makes the license itself verifiable offline: it is an Ed25519-signed document your app checks locally with only a bundled public key. This post walks through how that works in Rust with the keylight crate — the synchronous verifier, the trusted keys, and the cached lease that keeps an app licensed without a connection.
The shape of offline validation
There are two distinct jobs in any licensing system, and the mistake most DIY implementations make is fusing them. The first job is verification: is this license genuine and unexpired? The second is revalidation: has anything changed server-side — a refund, a downgrade, a revocation — since the last time we checked?
Verification can and should be local. A Keylight lease is a small JSON document signed with Keylight's Ed25519 private key. Your app ships with the matching public key, so it can confirm the lease is authentic and untampered using only math, in microseconds, with no connection. Revalidation is the only part that needs the network, and it is periodic and can happen in the background — never on the critical path of launching the app.
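The split described above, sketched as a launch-time check. This is an added example, not code from the keylight crate or the original post: the expires_at field name, the 24-hour refresh interval, the locally stored last_checked timestamp and the toy_tag stand-in for Ed25519 verification are all assumptions, chosen so the block runs with the standard library only.

```rust
// Added example. Field name, refresh interval and toy_tag are assumptions, not Keylight's API.
#[derive(Debug, PartialEq)]
pub enum Launch {
    Rejected, // signature did not verify, or the payload is unreadable
    Expired,  // genuine lease, but past its expiry
    Run { revalidate_in_background: bool },
}

const REVALIDATE_AFTER_SECS: u64 = 24 * 60 * 60; // assumed refresh interval

// Integer-field lookup for a flat JSON object; a real app would use a JSON parser.
fn field_u64(json: &str, key: &str) -> Option<u64> {
    let needle = format!("\"{}\":", key);
    let rest = &json[json.find(&needle)? + needle.len()..];
    let digits: String = rest.trim_start().chars().take_while(|c| c.is_ascii_digit()).collect();
    digits.parse().ok()
}

// `verify` stands in for Ed25519 verification against the bundled public key.
pub fn check_on_launch(payload: &[u8], sig: &[u8], last_checked: u64, now: u64,
                       verify: impl Fn(&[u8], &[u8]) -> bool) -> Launch {
    // Job 1, verification (local): authenticate the exact bytes before trusting any field.
    if !verify(payload, sig) {
        return Launch::Rejected;
    }
    let expires_at = match std::str::from_utf8(payload).ok().and_then(|t| field_u64(t, "expires_at")) {
        Some(v) => v,
        None => return Launch::Rejected,
    };
    if now >= expires_at {
        return Launch::Expired;
    }
    // Job 2, revalidation: only a flag for a background task; launch never waits on the network.
    let stale = now.saturating_sub(last_checked) >= REVALIDATE_AFTER_SECS;
    Launch::Run { revalidate_in_background: stale }
}

// Constructed stand-in tag so the block runs without crates. NOT a signature scheme.
pub fn toy_tag(payload: &[u8]) -> [u8; 8] {
    payload.iter().fold(0u64, |a, b| a.wrapping_mul(31).wrapping_add(*b as u64)).to_be_bytes()
}
pub fn toy_verify(payload: &[u8], sig: &[u8]) -> bool {
    sig == &toy_tag(payload)[..]
}

fn main() {
    let lease = br#"{"license":"demo","expires_at":10000000}"#; // constructed sample lease
    println!("{:?}", check_on_launch(lease, &toy_tag(lease), 999_000, 1_000_000, toy_verify));
}
```

The expiry is read only from bytes that have already passed verification, so editing expires_at in the cached file invalidates the signature instead of extending the license.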







