# Licensing Server Design

Licensing should run as a separate cloud service controlled by Nexobiz.

The packaged app contains a license client. The licensing server is the authoritative control plane for official activations, entitlement distribution, fraud review, support eligibility, and update access. Self-hosted installations cache signed certificates, but premium intelligence remains controlled remotely.

## Responsibilities

- Purchase code validation
- Domain activation
- Installation fingerprint binding
- Module entitlements
- Update eligibility
- Support validation
- Fraud detection
- Revocation
- Heartbeat validation

## Control Plane APIs

- `/api/v1/license-server/activation-policy`
- `/api/v1/license-server/entitlement-policy`
- `/api/v1/license-server/fraud-policy`
- `/api/v1/license-server/revocation-policy`

## Core Tables

```text
licenses
license_activations
licensed_domains
licensed_modules
license_heartbeats
license_events
revoked_licenses
fraud_signals
release_entitlements
support_entitlements
```

The Phase 1 implementation maps this into:

- `license_accounts`: customer, plan, status, entitlements, support window, expiry.
- `license_activations`: domain, installation UUID, server fingerprint hash, environment hash.
- `license_fraud_signals`: scored evidence from duplicate or suspicious installs.
- `license_revocations`: scoped restrictions for activation, domain, license, or customer.

## Activation Flow

```text
purchase code submitted
  -> license account located
  -> domain and installation UUID checked
  -> server fingerprint and environment hash bound
  -> fraud score evaluated
  -> signed local certificate issued
  -> heartbeat schedule established
```

## Fraud Response

- Score 50 or above enters manual review.
- Score 75 or above restricts premium AI, marketplace, updates, and premium modules.
- Score 90 or above blocks activation or revokes the disputed activation.

Core data access stays available even when premium services are restricted.

## Local Certificate

The license server returns a signed certificate whose payload looks like this:

```json
{
  "license_id": "lic_123",
  "installation_uuid": "uuid",
  "domains": ["example.com"],
  "modules": ["core", "ai_basic", "workflow"],
  "plan": "enterprise",
  "expires_at": "2027-05-10T00:00:00Z",
  "offline_grace_until": "2026-05-17T00:00:00Z"
}
```

The app verifies this locally using the license public key.
