Abstract

Software licensing systems that support offline operation face a structural tension: the same cached credential that lets a product keep running during a licensor-side outage also lets a revoked customer keep running. Conventional stacks resolve this by coupling the cached-token lifetime to the grace window, producing a fail-open tail as long as the grace period — often days. This disclosure describes a two-clock, fail-closed entitlement engine that decouples the two concerns. An availability grace clock lives server-side on the activation row and is refreshed per heartbeat; a separate revocation clock is a signer-enforced offline-token TTL (≤24 hours) whose ceiling the token signer structurally refuses to exceed, combined with a per-token jti denylist populated on suspend/revoke. The /v1/validate decision is a fixed-precedence pipeline — state gate, denylist, cap-gated idempotent meter append (over-cap denies entitlement), fresh token mint — with offline verification pinning algorithm, type, and key id. The worst-case revoked-but-running window is one TTL, not the grace window. This document establishes dated, enabling public prior art over the mechanism.

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.

Share

COinS