Abstract
Software licensing systems that support offline operation face a structural tension: the same cached credential that lets a product keep running during a licensor-side outage also lets a revoked customer keep running. Conventional stacks resolve this by coupling the cached-token lifetime to the grace window, producing a fail-open tail as long as the grace period — often days. This disclosure describes a two-clock, fail-closed entitlement engine that decouples the two concerns. An availability grace clock lives server-side on the activation row and is refreshed per heartbeat; a separate revocation clock is a signer-enforced offline-token TTL (≤24 hours) whose ceiling the token signer structurally refuses to exceed, combined with a per-token jti denylist populated on suspend/revoke. The /v1/validate decision is a fixed-precedence pipeline — state gate, denylist, cap-gated idempotent meter append (over-cap denies entitlement), fresh token mint — with offline verification pinning algorithm, type, and key id. The worst-case revoked-but-running window is one TTL, not the grace window. This document establishes dated, enabling public prior art over the mechanism.
Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 License.
Recommended Citation
Assuncao, gustavo matthew, "Two-Clock Fail-Closed Entitlement Engine", Technical Disclosure Commons, (July 13, 2026)
https://www.tdcommons.org/dpubs_series/10874