Minting licenses

Most licenses flow from Stripe automatically. Manual minting is for the cases where they don’t: beta testers, refunds-turned-comps, influencer keys, one-off enterprise deals.

Flow

1. Go to Licenses → Mint license in the dashboard.
2. Pick an app and key type.
3. Submit. Keylight generates a fresh key prefixed with your app’s 4-character key prefix and shows it once.
4. Copy the key and deliver it to the recipient out-of-band (email, DM, whatever).

Caution

The full key is shown exactly once. Keylight only stores a SHA-256 hash - there is no “recover key” workflow. If you lose it before copying, you need to revoke and remint.

What gets created

A LicenseRecord in Postgres + a Durable Object keyed by <tenant-id>:<product-id>:<key-hash>. The record carries:

• keyHash (SHA-256 hex of the normalized key)
• displayKey (masked form, e.g. ACME-XXXX-...-XXXX-7B2D)
• status: "active"
• activationLimit (copied from the key type)
• expiresAt (computed from key type’s durationDays, or null for lifetime)
• Empty activations map

The customer’s activation starts the first time the SDK calls /activate.

Rate limit

• 20 mints per account per hour. Exceeding returns 429.
• Counter resets hourly.

This exists to catch runaway scripts more than malicious abuse - the dashboard UI rate-limits you way before you’d hit it manually.

Audit log

Every manual mint records an audit entry (action: manual_mint, actorType: operator, targetId: <keyHash>). View it under Settings → Audit log.

When to mint vs. let Stripe do it

• Stripe Connect: customers buy; licenses mint automatically. Use Connect.
• Manual webhook mode: you run checkout; your webhook triggers a mint. Use Manual webhook mode.
• Dashboard mint: one-off keys. Beta access, goodwill, enterprise.

Related

• Managing licenses - revoke, remint, deactivate after mint.
• Apps & key types - what the key type controls.