Changelog

0.14.1

2026-05-30

• Free upgrades. Set an upgrade-enabled key type’s price to 0 to offer it as a no-cost upgrade. Customers get it applied instantly in the portal — no payment provider required. Subscription-billed tiers are excluded.

0.14.0

2026-05-29

• Customer portal. Your customers get a hosted account portal at portal.keylight.dev. They sign in with a magic link sent to the email on their license — no password — then see every license they own across your apps, copy keys, manage devices, and re-send themselves a key. Link your support pages straight to it. (A fully brand-customized portal on your own domain is on the roadmap.)
• Upgrade in the portal. Signed-in customers upgrade from their license detail: pick a higher tier and go straight to your payment provider’s checkout — no license-key or email re-entry. See Upgrades.
• Claim a legacy key. Moving customers over from a previous vendor? They prove ownership of an old key at portal.keylight.dev/p/<tenant>/claim/<product> and Keylight mints them a license, delivered by a white-label email. Verification runs against a Keylight-managed table or your own signed webhook. Enabled per product by Keylight — contact us to turn it on for a migration.
• One customer host + retirements. All public customer pages now live on portal.keylight.dev. The standalone upgrade form (/p/<tenant>/upgrade/<product>) and the key-recovery page (/p/<tenant>/recover) are retired — customers sign in to upgrade or to recover a lost key (the portal shows their keys directly). Update any links that pointed at api.keylight.dev/p/....
• Swift SDK 0.5.0 (breaking). LicenseManager.upgradeURL(to:) and makeUpgradeURL(...) are removed — they built a link to the now-retired hosted upgrade page. Point your in-app “Upgrade” button at portal.keylight.dev instead. Binary live via keylight-swift 0.5.0; see the Swift SDK install guide.

0.13.1

2026-05-27

• Onboarding redesign. Setup flow rebuilt around a single code-block component. The SDK install step now points to the docs rather than dumping a long Swift snippet into the wizard, and step 5 is a payments picker covering Stripe Connect, manual Stripe, and every MoR provider with per-provider setup links.
• Pricing FAQ corrected. “Do you take a cut?” now reflects reality: 0.1% only on Stripe Connect autopilot (we run the Stripe pipeline for you); 0% on your own Stripe account or any other provider.
• Swift SDK 0.4.0 shipped. Binary is live on SwiftPM via keylight-swift 0.4.1 — defensive-readiness audit + lifecycle event notifications (LicenseLifecycleEvent). Manifest’s platform list narrowed to macOS + iOS to match the shipped slices. See the Swift SDK install guide.

0.13.0

2026-05-24

• License upgrade portal. Customers can now upgrade their license without you needing a backend. Two new Keylight-hosted endpoints:
  • /p/<tenant>/upgrade/<product> — public form where the customer enters their email + license key and is redirected to your payment provider’s checkout with the upgrade metadata baked in. See Upgrades.
  • /p/<tenant>/recover — emails the customer their license keys when they enter their address. Self-service support for “I lost my key.”
• Swift SDK helper. licenseManager.upgradeURL(to: "pro") returns the pre-filled portal URL for the in-app upgrade button.
• Multi-provider coverage. Stripe Connect, Stripe override key, Stripe Payment Link, Polar, Paddle, Lemon Squeezy, Creem, Gumroad, and Shopify are all supported. For non-Stripe providers, paste the hosted checkout URL into the new Upgrade checkout URL field on each key type in the dashboard.
• Paddle email enrichment. Paddle webhooks don’t include customer email; Keylight now fetches it via Paddle’s Customers API at issuance time (and caches in KV). Add your Paddle API key on the Integrations card. A backfill script is available for existing Paddle customers — contact support.
• Audit additions. Two new audit-log actions surface in the Activity tab: license_recovery_email_sent and upgrade_attempt_rejected.

0.12.0

2026-05-23

• SDK traffic defense. Layered server-side protection now runs in front of every SDK endpoint. Per-route rate limits (/validate 120/240, /activate 5/10, /deactivate 5/10, /free-tier 10/20 — steady/burst per IP per minute), a tenant-wide ceiling across all SDK routes, a per-(license, instance) cap that stops replay loops, and a /free-tier new-instance creation cap. 429 responses now carry X-Keylight-Limit-Scope, X-Keylight-Limit, X-Keylight-Remaining, and Retry-After headers so well-behaved clients can back off correctly.
• Diagnostics surface on the Activity tab. A filter chip switches between Business events, SDK traffic, and All. With SDK traffic visible you get a 30-minute summary card (route × status code), a recent SDK request log, and a Manage blocks & rate limits panel where you can block by IP or by license-key hash and clear stuck rate-limit counters. Per-row Block IP / Block license buttons on each request row.
• Anomaly emails. An hourly check looks at 5 metrics (failed-activate spike, new-free-tier spike, rate-limit spike, sustained 401s, single-IP dominance) against a rolling baseline. Unusual traffic emails you and shows a dismissible badge on the Activity tab.
• SDK key rotation is now support-gated. Rotation goes through Keylight support to prevent accidental self-lockout. The dashboard rotate button is removed; existing keys keep working unchanged. See SDK key.

0.11.2

2026-05-27

• Swift SDK 0.4.0 — defensive-readiness hardening + lifecycle event notifications. Two things landed in one cut:
  • 14-finding audit patch. Tighter signature verification, stricter activation-token handling, network-error retry semantics, and clearer error logging. The factory grew three optional parameters (kid:, freeTierEnabled:, maxOfflineDays:) with defaults that preserve prior behavior. Drop-in update for apps that don’t opt in. If your product has the keyless free tier enabled, you must pass freeTierEnabled: true to the factory — without it, post-trial users resolve to .expired instead of .freeTier.
  • Lifecycle event notifications. A new opt-in keylightLifecycleEvent notification with three derived events (.expired, .restored, .renewed). Subscribe via NotificationCenter to dismiss paywalls on renewal, show “thanks for renewing” toasts on expiry advance, or react to lapses — without polling LicenseManager.licenseState. Suppressed on first-launch and user-initiated deactivate(). Stale entitlements are now cleared on .expired / .invalid / .freeTier. See the Swift SDK install guide for the subscriber example.

0.11.1

2026-05-21

• Free-tier devices on the Analytics page. Per-app cards now surface active free-tier device counts alongside paying instances, so the conversion shape is visible at a glance. New icon for the Free-tier Devices stat.

0.11.0

2026-05-19

• Multi-provider payments. Keylight is no longer Stripe-only. Each app can now run on a Merchant-of-Record provider: Polar, Paddle, Lemon Squeezy, Shopify, Creem, or Gumroad — alongside the existing Stripe Connect path. Each adapter handles the platform’s webhook payloads, license issuance, customer linking, and (where supported) subscription lifecycle + refunds.
• Per-app payment providers. The Integrations card on the dashboard scopes payment providers to individual apps. Different apps under the same account can be on different providers (one on Stripe Connect, another on Polar, a third on Shopify). The Activity log surfaces the source per issued license.
• Payments Control Center. Consolidates Stripe Connect setup, pricing, manual key issuance, and the MoR provider roster into one card per app on the App view. Replaces several scattered pages and the standalone /stripe-pricing route.

0.10.0

2026-05-18

• Subscription-type license keys. Key types can now be set to billingModel: 'subscription'. Expiry is driven by the payment platform (Stripe customer.subscription.updated) rather than by durationDays. A configurable graceDays window (default 7) keeps the license active after a failed renewal while payment recovers. See Subscription key types.
• Limited access fallback (.limited state). Key types with fallbackAccess: true issue a valid signed lease on expiry rather than refusing. The lease carries no paid entitlements and the Swift SDK reports LicenseState.limited. Your app can keep a reduced mode (e.g. read-only, data export) so customers never lose access to their data. See Limited access.
• License upgrades. A checkout with keylight_upgrade_key metadata performs an in-place key-type swap on the existing license — same key string, no remint. Entitlements and activation limit update to the new tier; the device sees the change on its next lease fetch (or immediately via refresh(force: true) on return from a Keylight checkout).
• Keyless free tier (.freeTier state). Apps can set freeTierEnabled on their product config to offer a free plan to users who never paid. When the trial is ended/not-started and freeTierEnabled is on, the SDK reports LicenseState.freeTier instead of LicenseState.expired. The SDK tracks an anonymous instance UUID (no PII) and sends a lightweight heartbeat to Keylight so the dashboard shows free-tier device counts alongside paying customers. Free→paid conversions are automatically linked at activation time.
• New refresh(force: true) API. Bypasses the 5-minute debounce and 6-hour staleness gate. Called automatically when the app foregrounds after returning from a Keylight checkout deep link, so upgrade entitlements appear without an extra relaunch.

Caution

Breaking (SDK): LicenseState gains two new cases — .limited and .freeTier. Because LicenseState is a public Swift enum, any exhaustive switch statement in your app will not compile until you add these cases. Add a case .limited: and case .freeTier: branch (your paywall or reduced-mode UI is the right destination). Apps that only check isEntitled or use default: are unaffected.

0.9.2

• Stripe and Gumroad license issuance now appears in the Activity log. Each webhook-driven mint writes a mint_license audit entry with the source, app, and key type, so the Activity feed shows lines like Stripe · MyApp · Pro license instead of leaving sales invisible.
• Per-payment detail view at /dashboard/<tenant>/billing/<paymentId>. Click any Revenue row to see the customer, app, key type (display name + activation limit + duration), and the linked license (display key, status, expiry, active instances) in one place.
• Revenue table now has an App column — surfacing the Keylight-configured product display name (joined via the issued license) instead of the raw Stripe/Gumroad line-item description.

0.9.1

• Gumroad parity for customer linking. The Gumroad webhook now upserts the buyer into the customers table and back-links the issued license to that customer, mirroring what Stripe has done since 0.9.0. Gumroad buyers now appear in the dashboard’s Customers view, and “licenses owned by this customer” joins resolve correctly.

0.9.0

• Owner notifications on license events. You get an email when a license is issued and when an instance activates against one of your licenses.
• product_id surfaced on the app view with a copy button — needed for raw-API integration testing.
• Stripe customer linked as license owner on every checkout (not just first-time buyers), so the dashboard’s customer view stays correct across repeat purchases.
• Argon2id is now the default password hash on Workers (PBKDF2 hashes still verify and rehash on next login).
• Webhook now tries every product override when Stripe metadata is missing.
• Unified pill UI across dashboard, marketing, and operator surfaces.
• Design CSS externalized to /static/css with immutable cache; Google Fonts via preconnect instead of inline @import.

0.8.0

• Better Auth-backed authentication. Login, signup, password reset, and session management run on Better Auth instead of the bespoke handler. Cookies remain backwards-compatible.
• Account ID picker on signup. You now choose your account ID directly on the signup form (between email and password) — see Signup & verification.
• Pricing and landing-page redesign.
• Dashboard lineage column for remint chains; license status icon moved to the left of list rows.
• Remint inherits predecessor expiresAt instead of resetting the clock.

Caution

Breaking (SDK): Default keychain service prefix changed from com.<tenantId>.<productId>.keylight to <tenantId>.<productId>.keylight.dev. Apps updating to this SDK will see existing users re-activate on first launch. Apps using the long-form KeylightConfiguration(...) constructor pass their own prefix and are unaffected.

0.7.0

• maxOfflineDays (default 15) on KeylightConfiguration. The SDK records lastValidatedOnline after every successful activate/validate and rejects cached leases past this window — a hard backstop on top of the 7-day lease TTL. See Offline leases.
• Remint chain linking. Reminted licenses now carry a previousKey link so the dashboard can render the full chain.
• License expiry tracking in the SDK. LicenseManager exposes the current lease’s expiresAt.
• Marketing pages: support, privacy, terms.
• SDK productionOrigin updated to api.keylight.dev to match the rebrand.

0.6.0

• Postgres migration: KV → Neon + Hyperdrive + Drizzle. All entity records (tenants, licenses, customers, payments, audit log) now live in Neon Postgres, accessed via Cloudflare Hyperdrive. KV is reserved for TTL ephemera and encrypted secrets.
• Rebrand to keylight.dev — Worker now serves app.keylight.dev (dashboard) + api.keylight.dev (SDK/API).
• Stripe test-mode UI polish with manual-webhook detection.

Note

The Postgres migration is internal infrastructure: the public API (/activate, /validate, /deactivate), the Swift SDK, and Stripe/Gumroad webhook URLs and payloads are all behaviorally identical.

0.5.0

• Stripe test mode per product. Each product can hold an encrypted Stripe override (secret key + webhook secret) that takes effect when the dashboard’s “Test mode” toggle is on. See Test mode.
• Test-mode UI in the dashboard — enable/exit button, credential form, “Testing” badge.

0.4.0

• License key delivery email sent automatically on Stripe checkout completion and Gumroad purchase.
• supportEmail on ProductConfig — collected during onboarding, used as the reply-to / footer contact in customer-facing emails.

0.3.1

• Full-platform xcframework via CI: tvOS, watchOS, and visionOS in addition to iOS and macOS.

0.3.0

• Keylight.manager(...) one-call factory.
• X-Keylight-SDK-Key header now attached to every Worker request and validated server-side. See SDK key.
• SwiftPM product renamed from Keylight to KeylightSDK.

Caution

Breaking (SDK): KeylightProvider.init(baseURL:configuration:session:) removed; the Worker origin is now hardcoded in the SDK. KeylightConfiguration gains a required sdkKey parameter.

0.2.0

• Self-service account signup with Turnstile and email verification.
• Operator admin portal at /admin.
• Stripe Billing integration: paid plan checkout, subscription lifecycle webhooks.
• 6-state account lifecycle machine: pending_verification → trial → active → past_due → canceled → suspended.
• Hard instance cap enforcement at /activate; soft license/API metering with 90% warning emails.
• Argon2id password hashing with dual-verify PBKDF2 migration.

0.1.0

• Licensing foundation: Swift SDK, Cloudflare Worker, Ed25519 lease signing, Stripe webhook license issuance, per-account dashboard.