Offline verification
The offline artifact is a signed v3 lease issued by the Keylight API. The SDK reconstructs the exact signed payload (entitlements sorted, pipe-delimited) and verifies it with Ed25519 against the tenant’s trusted keyset, applying a 300-second clock-skew tolerance.
How the SDK gates a cached lease
Section titled “How the SDK gates a cached lease”cachedLease returns the lease only when it is kid-known, signature-valid, unexpired, and (if maxOfflineDays is set) within that window of the last online validation:
import { Keylight } from "@keylight-dev/js";
const kl = new Keylight({ tenantId: "your-tenant", productId: "your-product", // Pin trusted keys explicitly instead of fetching them: trustedKeys: { k1: "<raw ed25519 public key, base64>" }, maxOfflineDays: 7, // omit to run offline as long as the lease itself is current});The trusted keyset can be fetched once from GET /{tenant}/.well-known/keylight-keys (fetchKeyset) or pinned at construction time. Call await kl.load() at startup before reading cachedLease — it hydrates the cache that backs the synchronous reads.
Verify a lease standalone
Section titled “Verify a lease standalone”You can verify a lease without a client instance — e.g. in server middleware:
import { verifyLease, isTrusted } from "@keylight-dev/js";
// `lease` is the parsed lease; look its key up by the lease's own kid.const pubKey = "<raw ed25519 public key, base64>";const r = verifyLease(lease, { [lease.kid]: pubKey }, Math.floor(Date.now() / 1000));if (!isTrusted(r)) throw new Error("Untrusted lease");if (r.expired) throw new Error("Lease expired");verifyLease returns { kidKnown, signatureValid, expired }. A forged or hand-edited lease cannot pass isTrusted() without the tenant’s private key — the security boundary is the signature, not at-rest secrecy.
- Try it live — the demo includes a “Tamper” toggle that edits a real lease and shows the signature check fail.