You've built great software. Now you need to decide who can use it, how they pay for it, and what features they get access to.
Commercial license platforms charge per-seat, per-month, and your customer data lives on someone else's servers. Building your own takes months of engineering on activation logic, payment webhooks, quota tracking, and all the edge cases that come at 2 AM.
Keygate is the middle ground. A production-ready license server you deploy on your own infrastructure, connect to your own Stripe, and manage through a clean dashboard. It handles everything from activation to dunning โ so you can focus on building your product.
One binary. One database. Full control. Free, forever.
Who is it for?
๐งโ๐ป Indie Developers โ Selling a desktop app, CLI tool, or Electron app? Keygate handles license keys, activation limits, and trials so you can focus on shipping.
๐ข SaaS Companies โ Managing subscription tiers with different feature sets? Define plans with entitlements, track usage, and let Stripe handle billing automatically.
๐ญ Enterprise Vendors โ Need floating licenses for large teams? Concurrent seat checkout with heartbeat monitoring, perfect for shared-seat environments.
โก API Providers โ Enforcing rate limits and usage quotas? Atomic quota enforcement tracks every call and warns customers before they hit limits.
Features
๐ License Management
Every model in one platform โ subscriptions, perpetual, trials, and floating (concurrent) licenses. Create, activate, verify, suspend, reinstate, and revoke with full audit trail. Per-device or per-user activation limits with atomic enforcement (no double-counting under retry). Grace periods. License keys hashed with SHA-256, encrypted at rest. Signed tokens for offline verification. Idempotency-Key header support on writes โ retries never duplicate.
Public SDK endpoints (activate / verify / deactivate / usage / download) take license_key directly โ no embedded API keys to leak from your binaries. Customers can self-serve activation slots from the portal (free up a lost laptop without a support ticket).
๐ Software Distribution
Ship signed updates to your installed clients. Sparkle (macOS), Velopack (Windows), and Tauri (cross-platform) updaters all consume the same release feed โ one publish, every updater compatible. Per-platform binaries grouped under a single release, atomic publish gate (no half-uploaded releases ever leak), yank for instant rollback. Per-product Ed25519 signing keys with private keys encrypted at rest under AES-256-GCM + HKDF-derived subkeys. Server-side SHA-256 for integrity (never trust the client's hash). Stable feeds are public โ your customers' auto-updater never breaks when a license rotates. Per-product minimum_supported_version floor for forced upgrades.
Object storage is S3-compatible โ Cloudflare R2, AWS S3, MinIO, anything that speaks SigV4. Presigned URLs for direct browser upload (no proxying through Keygate), and license-gated short-TTL download URLs.
๐ Usage Metering
Track API calls, storage, bandwidth, or any custom metric. Quotas enforced atomically at the database level โ even under high concurrency, limits are never exceeded. Hourly, daily, monthly, or yearly cycles with automatic reset. Threshold warnings via webhooks.
๐ณ Payments
Stripe integrated end-to-end with three-layer reliability โ webhook, success-page verification, and periodic sync ensure no payment is ever missed. Customer pays โ license created automatically. Payment fails โ dunning emails on schedule. Supports checkout, plan upgrades/downgrades with proration, cancellations, refunds, and billing portal. Stripe webhook is auto-configured โ just set your API key.
๐ฅ Team Seats & Entitlements
Customers manage their own teams within a license. Seat roles (owner/admin/member), configurable limits per plan. Feature entitlements as boolean flags, numeric limits, or usage quotas. Purchasable add-ons that extend plan capabilities.
๐ง Server-to-Server API
Programmatic admin access via Authorization: Bearer kg_live_โฆ โ mint licenses from your Stripe webhook, run nightly usage exports from cron, automate everything /admin/* can do. Scope-based authorization with fail-closed defaults (an API key with no scopes can do nothing). System-wide admin keys or per-product keys โ same model as Stripe sk_live_ and GitHub PATs.
๐ Admin Dashboard
Products, plans, licenses, customers, API keys, webhooks, analytics, audit logs, team management, email templates, and brand customization โ all from one interface. Search, filter, and export (CSV/JSON).
๐ก๏ธ Security
Email OTP login with constant-time hash verification, role-based access checked per-request from database, brute-force protection, rate limiting, HMAC-signed webhooks, SameSite cookies, HSTS, and startup validation that rejects weak secrets. License verify endpoints collapse all "license-knowable" failures to a single 404 so license_key enumeration is closed off. Idempotency-Key middleware prevents double-execution on retried writes.
๐ Self-Hosted
Single Go binary + PostgreSQL + (optional) S3-compatible storage for release artifacts. No Redis, no microservices. Auto-migration on startup. Setup wizard for first run. Custom branding, email templates, and i18n (English/Chinese built-in).
Quick Start
Docker (recommended)
# 1. Download
curl -O https://raw.githubusercontent.com/tabloy/keygate/main/docker-compose.yml
curl -O https://raw.githubusercontent.com/tabloy/keygate/main/.env.example
cp .env.example .env
# 2. Set your secrets
# Edit .env: set JWT_SECRET and LICENSE_SIGNING_KEY (openssl rand -hex 32)
# 3. Run
docker compose up -d
From source
git clone https://github.com/tabloy/keygate.git
cd keygate && cp .env.example .env
make build && ./bin/keygate
You are free to fork, modify, and self-host this software under the AGPL v3. The "Powered by Keygate" attribution in the UI must be preserved (see NOTICE). A commercial license to remove the attribution is available โ contact hello@keygate.app.
Star History
If Keygate helps your business, consider giving it a โญ