Skip to content

Offline verification

The offline artifact is a signed v3 lease issued by the Keylight API. The SDK reconstructs the exact signed payload (entitlements sorted, pipe-delimited) and verifies it with Ed25519 against the tenant’s trusted keyset, applying a 300-second clock-skew tolerance.

cachedLease returns the lease only when it is kid-known, signature-valid, unexpired, and (if maxOfflineDays is set) within that window of the last online validation:

import { Keylight } from "@keylight-dev/js";
const kl = new Keylight({
tenantId: "your-tenant",
productId: "your-product",
// Pin trusted keys explicitly instead of fetching them:
trustedKeys: { k1: "<raw ed25519 public key, base64>" },
maxOfflineDays: 7, // omit to run offline as long as the lease itself is current
});

The trusted keyset can be fetched once from GET /{tenant}/.well-known/keylight-keys (fetchKeyset) or pinned at construction time. Call await kl.load() at startup before reading cachedLease — it hydrates the cache that backs the synchronous reads.

You can verify a lease without a client instance — e.g. in server middleware:

import { verifyLease, isTrusted } from "@keylight-dev/js";
// `lease` is the parsed lease; look its key up by the lease's own kid.
const pubKey = "<raw ed25519 public key, base64>";
const r = verifyLease(lease, { [lease.kid]: pubKey }, Math.floor(Date.now() / 1000));
if (!isTrusted(r)) throw new Error("Untrusted lease");
if (r.expired) throw new Error("Lease expired");

verifyLease returns { kidKnown, signatureValid, expired }. A forged or hand-edited lease cannot pass isTrusted() without the tenant’s private key — the security boundary is the signature, not at-rest secrecy.

  • Try it live — the demo includes a “Tamper” toggle that edits a real lease and shows the signature check fail.