DEV Community: Traffic Orchestrator The latest articles on DEV Community by Traffic Orchestrator (@trafficorchestrator). https://dev.to/trafficorchestrator https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3810925%2F26f6918d-459b-40a0-b29c-f9a44d9c02e6.png DEV Community: Traffic Orchestrator https://dev.to/trafficorchestrator en Building a Domain-Bound Software Licensing System: Architecture Deep Dive Traffic Orchestrator Wed, 01 Apr 2026 01:43:45 +0000 https://dev.to/trafficorchestrator/building-a-domain-bound-software-licensing-system-architecture-deep-dive-1d1h https://dev.to/trafficorchestrator/building-a-domain-bound-software-licensing-system-architecture-deep-dive-1d1h <h2> TL;DR </h2> <p>We built a licensing system that cryptographically binds software licenses to specific domains. This post walks through the architecture decisions, security model, and real-world patterns we use in production.</p> <h2> The Problem </h2> <p>Most software licensing systems rely on API keys or serial numbers. The issue? These are trivially shareable. One customer buys a license, shares the key on a forum, and suddenly your entire customer base is using a single license.</p> <p>We needed something better: a system where licenses are <em>cryptographically bound</em> to specific domains, making unauthorized sharing technically impractical.</p> <h2> Architecture Overview </h2> <p>Our licensing system has three core layers:</p> <ol> <li> <strong>License Generation</strong> — Creates signed, domain-bound tokens</li> <li> <strong>Validation Engine</strong> — Verifies licenses both online and offline</li> <li> <strong>Enforcement Layer</strong> — Handles grace periods, trial expiry, and usage metering</li> </ol> <h3> License Structure </h3> <p>Each license is a signed JWT containing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lic_abc123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"domain"</span><span class="p">:</span><span class="w"> </span><span class="s2">"example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"plan"</span><span class="p">:</span><span class="w"> </span><span class="s2">"professional"</span><span class="p">,</span><span class="w"> </span><span class="nl">"features"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"analytics"</span><span class="p">,</span><span class="w"> </span><span class="s2">"webhooks"</span><span class="p">,</span><span class="w"> </span><span class="s2">"custom-domains"</span><span class="p">],</span><span class="w"> </span><span class="nl">"limits"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"apiCalls"</span><span class="p">:</span><span class="w"> </span><span class="mi">50000</span><span class="p">,</span><span class="w"> </span><span class="nl">"seats"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1711929600</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1743465600</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The domain binding is the critical piece. When a license is validated, we compare the requesting domain against the <code>domain</code> claim. Mismatches are rejected.</p> <h2> Domain Binding: How It Works </h2> <p>The binding happens at two levels:</p> <h3> 1. Server-Side Validation </h3> <p>When your application calls our API to validate a license:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/v1/licenses/validate</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">licenseKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">lic_abc123</span><span class="dl">'</span><span class="p">,</span> <span class="na">domain</span><span class="p">:</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hostname</span> <span class="p">})</span> <span class="p">})</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">valid</span><span class="p">,</span> <span class="nx">features</span><span class="p">,</span> <span class="nx">limits</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> </code></pre> </div> <p>The API checks:</p> <ul> <li>Is the license key valid and not expired?</li> <li>Does the requesting domain match the bound domain?</li> <li>Is the license within its usage limits?</li> <li>Has the customer's subscription been canceled or suspended?</li> </ul> <h3> 2. Offline Validation </h3> <p>For applications that need to work without internet access, we provide offline validation using public key cryptography:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">verify</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./license-verifier</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">verify</span><span class="p">({</span> <span class="na">licenseKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">lic_abc123</span><span class="dl">'</span><span class="p">,</span> <span class="na">publicKey</span><span class="p">:</span> <span class="nx">EMBEDDED_PUBLIC_KEY</span><span class="p">,</span> <span class="na">currentDomain</span><span class="p">:</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hostname</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">valid</span><span class="p">)</span> <span class="p">{</span> <span class="nf">enableFeatures</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">features</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>The license token is signed with our private key. The SDK ships with the corresponding public key, so it can verify the signature without calling home.</p> <h2> SDK Architecture </h2> <p>We ship SDKs for 9 languages:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Language</th> <th>Package Manager</th> <th>Validation</th> </tr> </thead> <tbody> <tr> <td>Node.js</td> <td>npm</td> <td>Online + Offline</td> </tr> <tr> <td>Python</td> <td>PyPI</td> <td>Online + Offline</td> </tr> <tr> <td>Go</td> <td>Go modules</td> <td>Online + Offline</td> </tr> <tr> <td>Ruby</td> <td>RubyGems</td> <td>Online</td> </tr> <tr> <td>Java</td> <td>Maven Central</td> <td>Online + Offline</td> </tr> <tr> <td>.NET</td> <td>NuGet</td> <td>Online + Offline</td> </tr> <tr> <td>Rust</td> <td>crates.io</td> <td>Online + Offline</td> </tr> <tr> <td>PHP</td> <td>Packagist</td> <td>Online</td> </tr> <tr> <td>Django</td> <td>PyPI</td> <td>Online (middleware)</td> </tr> </tbody> </table></div> <p>Each SDK follows the same pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Python example </span><span class="kn">from</span> <span class="n">traffic_orchestrator</span> <span class="kn">import</span> <span class="n">LicenseClient</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">LicenseClient</span><span class="p">(</span><span class="n">api_key</span><span class="o">=</span><span class="sh">'</span><span class="s">your_api_key</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Validate on every request (middleware pattern) </span><span class="n">result</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">validate</span><span class="p">(</span> <span class="n">license_key</span><span class="o">=</span><span class="sh">'</span><span class="s">lic_abc123</span><span class="sh">'</span><span class="p">,</span> <span class="n">domain</span><span class="o">=</span><span class="sh">'</span><span class="s">customer-app.com</span><span class="sh">'</span> <span class="p">)</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">valid</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">Plan: </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">plan</span><span class="si">}</span><span class="s">, Features: </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">features</span><span class="si">}</span><span class="sh">'</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">Invalid: </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">error</span><span class="si">}</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <h2> Security Model </h2> <p>Several layers prevent abuse:</p> <h3> Rate Limiting </h3> <p>Validation endpoints are rate-limited per API key. Excessive requests trigger progressive delays, not hard blocks — we don't want to break legitimate applications.</p> <h3> Replay Protection </h3> <p>Each validation response includes a nonce. Replaying a captured response fails because the nonce won't match.</p> <h3> Certificate Pinning </h3> <p>Our SDKs pin the API's TLS certificate. This prevents MITM attacks where someone might try to intercept validation requests and return spoofed "valid" responses.</p> <h3> Webhook Notifications </h3> <p>When suspicious activity is detected (validation from unexpected domains, burst requests), we fire webhooks to the customer's configured endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"event"</span><span class="p">:</span><span class="w"> </span><span class="s2">"license.suspicious_activity"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"license_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lic_abc123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"reason"</span><span class="p">:</span><span class="w"> </span><span class="s2">"domain_mismatch"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requested_domain"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pirated-site.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bound_domain"</span><span class="p">:</span><span class="w"> </span><span class="s2">"legitimate-app.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Lessons Learned </h2> <h3> 1. Grace Periods Matter </h3> <p>Don't immediately kill access when a license expires. We give a 7-day grace period where the license still works but returns <code>"grace": true</code> in the response. This gives developers time to renew without breaking their users' experience.</p> <h3> 2. Offline-First Design </h3> <p>We assumed most customers would always have internet. Wrong. Many enterprise customers deploy behind firewalls. Offline validation went from "nice to have" to "critical feature" within our first month.</p> <h3> 3. Feature Flags &gt; Plan Names </h3> <p>Instead of checking <code>plan === 'pro'</code>, we expose individual feature flags. This decouples your code from our pricing model. When we restructure plans, your code doesn't break.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Bad: Coupled to plan names</span> <span class="k">if </span><span class="p">(</span><span class="nx">license</span><span class="p">.</span><span class="nx">plan</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">professional</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">license</span><span class="p">.</span><span class="nx">plan</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">enterprise</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nf">enableAdvancedFeatures</span><span class="p">()</span> <span class="p">}</span> <span class="c1">// Good: Decoupled via feature flags</span> <span class="k">if </span><span class="p">(</span><span class="nx">license</span><span class="p">.</span><span class="nx">features</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">advanced-analytics</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="nf">enableAdvancedFeatures</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <h3> 4. Usage Metering Must Be Async </h3> <p>Don't block the validation response while recording usage. We fire-and-forget usage events to a queue, which are processed asynchronously. This keeps validation latency under 100ms.</p> <h2> What's Next </h2> <p>We're working on:</p> <ul> <li> <strong>Terraform provider</strong> (already live!) for infrastructure-as-code license management</li> <li> <strong>Usage-based billing</strong> integration with Stripe</li> <li> <strong>Multi-domain licenses</strong> for enterprise customers with multiple properties</li> </ul> <p>If you're building a SaaS product and struggling with license management, we'd love to hear about your use case. Drop a comment or check out our <a href="https://trafficorchestrator.com/docs" rel="noopener noreferrer">documentation</a>.</p> <p><em>What licensing challenges have you faced in your projects?</em></p> licensing architecture saas security Domain-Bound vs Traditional License Keys: A Security Deep Dive Traffic Orchestrator Tue, 31 Mar 2026 19:29:34 +0000 https://dev.to/trafficorchestrator/domain-bound-vs-traditional-license-keys-a-security-deep-dive-4ml6 https://dev.to/trafficorchestrator/domain-bound-vs-traditional-license-keys-a-security-deep-dive-4ml6 <p>Traditional license keys have a fundamental flaw: <strong>they can be shared.</strong></p> <p>A single string like <code>XXXX-YYYY-ZZZZ-AAAA</code> can be copied, pasted into a forum, or shared across an entire office. There's no inherent binding between the key and who should be using it.</p> <p>Domain-bound licensing solves this by tying your license to the domain where your software actually runs.</p> <h2> The Problem with Traditional Keys </h2> <p>Traditional license key validation checks a single string against a database. That means:</p> <ul> <li>Keys get posted on forums and piracy sites</li> <li>One purchase = unlimited installations</li> <li>No way to enforce per-customer terms</li> <li>Revoking a shared key punishes legitimate buyers too</li> </ul> <h2> How Domain-Bound Licensing Works </h2> <p>Instead of validating just a key, domain-bound licensing validates the <em>combination</em> of key + domain. The server checks:</p> <ol> <li>Is this license key valid?</li> <li>Is this domain authorized for this key?</li> <li>Has the domain limit been exceeded?</li> <li>Is the subscription active?</li> </ol> <p>If any check fails, validation is denied — even with a valid key.</p> <h2> Security Comparison </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Attack Vector</th> <th>Traditional Keys</th> <th>Domain-Bound</th> </tr> </thead> <tbody> <tr> <td>Key sharing</td> <td>❌ Vulnerable</td> <td>✅ Protected</td> </tr> <tr> <td>Forum leaks</td> <td>❌ Vulnerable</td> <td>✅ Protected</td> </tr> <tr> <td>Offline cracking</td> <td>❌ Possible</td> <td>✅ Ed25519 signatures</td> </tr> <tr> <td>Replay attacks</td> <td>❌ Often unprotected</td> <td>✅ Timestamp + nonce</td> </tr> <tr> <td>Domain spoofing</td> <td>N/A</td> <td>✅ Server-side validation</td> </tr> </tbody> </table></div> <h2> Offline Validation with Ed25519 </h2> <p>What about environments without internet access? Cryptographic signatures enable offline validation. The signed payload contains the domain, expiration, and feature set — cryptographically tamper-proof without needing a network call.</p> <p>This means your customers can validate licenses even in air-gapped environments, on-premise deployments, or regions with unreliable connectivity.</p> <h2> Performance </h2> <p>Traditional license servers add 200-500ms of latency per validation. With edge computing, domain-bound validation can happen in <strong>under 50ms</strong> at 300+ global locations.</p> <p>License checks shouldn't slow down your customers' experience.</p> <h2> When to Use Each Approach </h2> <p><strong>Traditional keys work fine if:</strong></p> <ul> <li>Simple desktop app with no internet requirement</li> <li>You don't care about key sharing</li> <li>Your product is low-cost and piracy isn't a concern</li> </ul> <p><strong>Domain-bound licensing is better if:</strong></p> <ul> <li>Selling to businesses (SaaS, WordPress plugins, web apps)</li> <li>Need to enforce per-domain pricing</li> <li>Revenue protection matters</li> <li>Want real-time usage analytics</li> </ul> <p><em>We built <a href="https://trafficorchestrator.com" rel="noopener noreferrer">Traffic Orchestrator</a> to make domain-bound licensing accessible to every software company. Check out our <a href="https://trafficorchestrator.com/docs" rel="noopener noreferrer">documentation</a> to get started.</em></p> security licensing saas webdev Validate Software Licenses in 10 Lines of Code (Any Language) Traffic Orchestrator Tue, 31 Mar 2026 19:27:41 +0000 https://dev.to/trafficorchestrator/validate-software-licenses-in-10-lines-of-code-any-language-2dip https://dev.to/trafficorchestrator/validate-software-licenses-in-10-lines-of-code-any-language-2dip <p>Adding license validation to your software shouldn't require a PhD in cryptography. Here's how to do it in 10 lines (or less) across popular languages.</p> <h2> The API </h2> <p>Every example below calls the same REST endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST /api/v1/license/validate Content-Type: application/json { "license_key": "your-key", "domain": "customer-domain.com" } </span></code></pre> </div> <p>Response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"valid"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"plan"</span><span class="p">:</span><span class="w"> </span><span class="s2">"professional"</span><span class="p">,</span><span class="w"> </span><span class="nl">"features"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"max_domains"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="p">,</span><span class="w"> </span><span class="nl">"api_calls"</span><span class="p">:</span><span class="w"> </span><span class="mi">50000</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now let's implement it everywhere.</p> <h2> JavaScript / Node.js </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">validateLicense</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">domain</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.trafficorchestrator.com/api/v1/license/validate</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">license_key</span><span class="p">:</span> <span class="nx">key</span><span class="p">,</span> <span class="nx">domain</span> <span class="p">})</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <h2> Python </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="k">def</span> <span class="nf">validate_license</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">domain</span><span class="p">):</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">'</span><span class="s">https://api.trafficorchestrator.com/api/v1/license/validate</span><span class="sh">'</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">license_key</span><span class="sh">'</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="sh">'</span><span class="s">domain</span><span class="sh">'</span><span class="p">:</span> <span class="n">domain</span><span class="p">})</span> <span class="k">return</span> <span class="n">r</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> </code></pre> </div> <h2> Go </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">validateLicense</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">domain</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{},</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">body</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Marshal</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span><span class="p">{</span><span class="s">"license_key"</span><span class="o">:</span> <span class="n">key</span><span class="p">,</span> <span class="s">"domain"</span><span class="o">:</span> <span class="n">domain</span><span class="p">})</span> <span class="n">resp</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">Post</span><span class="p">(</span><span class="s">"https://api.trafficorchestrator.com/api/v1/license/validate"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">,</span> <span class="n">bytes</span><span class="o">.</span><span class="n">NewBuffer</span><span class="p">(</span><span class="n">body</span><span class="p">))</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">resp</span><span class="o">.</span><span class="n">Body</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="k">var</span> <span class="n">result</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}</span> <span class="n">json</span><span class="o">.</span><span class="n">NewDecoder</span><span class="p">(</span><span class="n">resp</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span><span class="o">.</span><span class="n">Decode</span><span class="p">(</span><span class="o">&amp;</span><span class="n">result</span><span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h2> Ruby </h2> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="nb">require</span> <span class="s1">'net/http'</span> <span class="nb">require</span> <span class="s1">'json'</span> <span class="k">def</span> <span class="nf">validate_license</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">domain</span><span class="p">)</span> <span class="n">uri</span> <span class="o">=</span> <span class="no">URI</span><span class="p">(</span><span class="s1">'https://api.trafficorchestrator.com/api/v1/license/validate'</span><span class="p">)</span> <span class="n">res</span> <span class="o">=</span> <span class="no">Net</span><span class="o">::</span><span class="no">HTTP</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">uri</span><span class="p">,</span> <span class="p">{</span> <span class="ss">license_key: </span><span class="n">key</span><span class="p">,</span> <span class="ss">domain: </span><span class="n">domain</span> <span class="p">}.</span><span class="nf">to_json</span><span class="p">,</span> <span class="s1">'Content-Type'</span> <span class="o">=&gt;</span> <span class="s1">'application/json'</span><span class="p">)</span> <span class="no">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="n">res</span><span class="p">.</span><span class="nf">body</span><span class="p">)</span> <span class="k">end</span> </code></pre> </div> <h2> PHP </h2> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">function</span> <span class="n">validate_license</span><span class="p">(</span><span class="nv">$key</span><span class="p">,</span> <span class="nv">$domain</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nf">wp_remote_post</span><span class="p">(</span><span class="s1">'https://api.trafficorchestrator.com/api/v1/license/validate'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'headers'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Content-Type'</span> <span class="o">=&gt;</span> <span class="s1">'application/json'</span><span class="p">],</span> <span class="s1">'body'</span> <span class="o">=&gt;</span> <span class="nb">json_encode</span><span class="p">([</span><span class="s1">'license_key'</span> <span class="o">=&gt;</span> <span class="nv">$key</span><span class="p">,</span> <span class="s1">'domain'</span> <span class="o">=&gt;</span> <span class="nv">$domain</span><span class="p">])</span> <span class="p">]);</span> <span class="k">return</span> <span class="nb">json_decode</span><span class="p">(</span><span class="nf">wp_remote_retrieve_body</span><span class="p">(</span><span class="nv">$response</span><span class="p">),</span> <span class="kc">true</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> cURL (Bash) </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST https://api.trafficorchestrator.com/api/v1/license/validate <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"license_key":"your-key","domain":"example.com"}'</span> </code></pre> </div> <h2> Rust </h2> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">async</span> <span class="k">fn</span> <span class="nf">validate_license</span><span class="p">(</span><span class="n">key</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">,</span> <span class="n">domain</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nn">serde_json</span><span class="p">::</span><span class="n">Value</span><span class="p">,</span> <span class="nn">reqwest</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">client</span> <span class="o">=</span> <span class="nn">reqwest</span><span class="p">::</span><span class="nn">Client</span><span class="p">::</span><span class="nf">new</span><span class="p">();</span> <span class="k">let</span> <span class="n">body</span> <span class="o">=</span> <span class="nn">serde_json</span><span class="p">::</span><span class="nd">json!</span><span class="p">({</span><span class="s">"license_key"</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="s">"domain"</span><span class="p">:</span> <span class="n">domain</span><span class="p">});</span> <span class="k">let</span> <span class="n">res</span> <span class="o">=</span> <span class="n">client</span><span class="nf">.post</span><span class="p">(</span><span class="s">"https://api.trafficorchestrator.com/api/v1/license/validate"</span><span class="p">)</span> <span class="nf">.json</span><span class="p">(</span><span class="o">&amp;</span><span class="n">body</span><span class="p">)</span><span class="nf">.send</span><span class="p">()</span><span class="k">.await</span><span class="o">?</span><span class="nf">.json</span><span class="p">()</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">res</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> C# / .NET </h2> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">JsonElement</span><span class="p">&gt;</span> <span class="nf">ValidateLicense</span><span class="p">(</span><span class="kt">string</span> <span class="n">key</span><span class="p">,</span> <span class="kt">string</span> <span class="n">domain</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">client</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">HttpClient</span><span class="p">();</span> <span class="kt">var</span> <span class="n">content</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">StringContent</span><span class="p">(</span> <span class="n">JsonSerializer</span><span class="p">.</span><span class="nf">Serialize</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">license_key</span> <span class="p">=</span> <span class="n">key</span><span class="p">,</span> <span class="n">domain</span> <span class="p">}),</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">);</span> <span class="kt">var</span> <span class="n">response</span> <span class="p">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">PostAsync</span><span class="p">(</span> <span class="s">"https://api.trafficorchestrator.com/api/v1/license/validate"</span><span class="p">,</span> <span class="n">content</span><span class="p">);</span> <span class="k">return</span> <span class="n">JsonSerializer</span><span class="p">.</span><span class="n">Deserialize</span><span class="p">&lt;</span><span class="n">JsonElement</span><span class="p">&gt;(</span><span class="k">await</span> <span class="n">response</span><span class="p">.</span><span class="n">Content</span><span class="p">.</span><span class="nf">ReadAsStringAsync</span><span class="p">());</span> <span class="p">}</span> </code></pre> </div> <h2> What You Get Back </h2> <p>Every successful validation returns:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>valid</code></td> <td>boolean</td> <td>Whether the license is valid for this domain</td> </tr> <tr> <td><code>plan</code></td> <td>string</td> <td>The plan tier (builder, starter, professional, business, enterprise)</td> </tr> <tr> <td><code>features</code></td> <td>object</td> <td>Plan-specific feature limits</td> </tr> <tr> <td><code>expires_at</code></td> <td>string</td> <td>When the license expires (ISO 8601)</td> </tr> </tbody> </table></div> <h2> Error Handling </h2> <p>Always handle failures gracefully:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">validateLicense</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">domain</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nx">valid</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Show upgrade prompt, not a hard block</span> <span class="nf">showUpgradeNotice</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">enablePremiumFeatures</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">features</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Pro tip:</strong> Cache validation results locally for 5-15 minutes to reduce API calls and handle temporary network issues.</p> </blockquote> <p><em><a href="https://trafficorchestrator.com" rel="noopener noreferrer">Traffic Orchestrator</a> provides SDKs for all these languages (and more) with built-in caching, retry logic, and offline fallback. <a href="https://trafficorchestrator.com/signup" rel="noopener noreferrer">Get started free</a>.</em></p> tutorial programming api beginners How We Built Edge-First License Validation in Under 50ms Traffic Orchestrator Tue, 31 Mar 2026 16:57:09 +0000 https://dev.to/trafficorchestrator/how-we-built-edge-first-license-validation-in-under-50ms-1jl9 https://dev.to/trafficorchestrator/how-we-built-edge-first-license-validation-in-under-50ms-1jl9 <h2> TL;DR </h2> <p>We built a licensing API where license validation happens at the CDN edge - not a centralized server. The result: sub-50ms validation times globally.</p> <h2> The Problem </h2> <p>Most licensing APIs work like this:</p> <ol> <li>Your app makes an HTTP request to a central server</li> <li>The server queries a database</li> <li>The result comes back 200-500ms later</li> <li>Your users wait</li> </ol> <p>That is unacceptable for performance-critical applications.</p> <h2> Our Approach: Edge Validation </h2> <p>Instead of a central server, Traffic Orchestrator validates licenses at edge nodes distributed globally. Here is what the integration looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.trafficorchestrator.com/api/v1/licenses/validate</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">X-API-Key</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">your-api-key</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">license_key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">LIC-XXXX-XXXX</span><span class="dl">'</span><span class="p">,</span> <span class="na">domain</span><span class="p">:</span> <span class="dl">'</span><span class="s1">customer-app.com</span><span class="dl">'</span> <span class="p">})</span> <span class="p">})</span> </code></pre> </div> <h2> Domain-Bound Security </h2> <p>License keys are cryptographically bound to specific domains. This means:</p> <ul> <li>Keys cannot be shared across unauthorized domains</li> <li>Validation includes origin checking</li> <li>No complex hardware fingerprinting needed</li> </ul> <h2> What is Available Today </h2> <ul> <li> <strong>12 SDK packages</strong> across every major language</li> <li><strong>Real-time analytics dashboard</strong></li> <li> <strong>Free Builder tier</strong> to get started</li> <li> <strong>Webhook notifications</strong> for license events</li> </ul> <p>Check it out at <a href="https://trafficorchestrator.com" rel="noopener noreferrer">trafficorchestrator.com</a></p> <p><em>What is your current approach to software licensing? We would love to hear what pain points you have experienced.</em></p> api javascript webdev saas Why Most Software Licensing APIs Are Broken Traffic Orchestrator Tue, 31 Mar 2026 16:57:09 +0000 https://dev.to/trafficorchestrator/why-most-software-licensing-apis-are-broken-n0b https://dev.to/trafficorchestrator/why-most-software-licensing-apis-are-broken-n0b <p>Most licensing solutions are slow, bloated, and painful to integrate.</p> <p>We spent months building Traffic Orchestrator, a licensing API that validates at the edge in under 50ms.</p> <h2> What makes it different </h2> <ul> <li> <strong>Edge validation</strong> - License checks happen at the CDN edge, not a centralized server</li> <li> <strong>Domain-bound keys</strong> - Licenses are cryptographically tied to specific domains</li> <li> <strong>12 SDK packages</strong> - Drop-in integration for every major language</li> <li> <strong>Real-time analytics</strong> - See license usage as it happens</li> <li> <strong>Free tier</strong> - Get started without a credit card</li> </ul> <h2> TL;DR </h2> <p>We built a licensing API that prioritizes developer experience and performance. No bloated SDKs, no slow validation, no vendor lock-in.</p> <p>Check it out: <a href="https://trafficorchestrator.com" rel="noopener noreferrer">trafficorchestrator.com</a></p> licensing saas webdev security