Licensing Behavior

How StickCode v6.0.15 validates licenses, binds devices, and derives encryption keys.

License file (*.lic)

The vendor delivers a signed JSON file with payload and signature fields (RSA-2048). StickCode auto-discovers *.lic files in this order:

  1. STICKCODE_LICENSE_FILE or --license <path>
  2. Current working directory (./)
  3. ~/.config/stickcode/
  4. ~/.stickcode/
  5. /etc/stickcode/

If multiple *.lic files exist, name one license.lic or pass --license explicitly. Add *.lic to .gitignore.

Activation flow

On first init() / initFromFile():

  1. Verify the RSA signature on the license payload
  2. Compute a machine ID (hostname + platform + arch → SHA-256)
  3. Contact the activation server (internet required on first run)
  4. Store a signed token in node_modules/stickcode/.device_registry
  5. Derive the AES-256 key via HKDF-SHA256 from the activation token + licenseId

Subsequent runs work 100% offline using the local registry cache.

Device limits

Each license supports a fixed number of devices (maxDevices). When the limit is reached on the activation server, new machines receive a DEVICE_LIMIT_EXCEEDED error. Remove unused devices in the StickCode License Dashboard, then re-activate with internet access.

Resetting local cache

resetDevices() or manually deleting node_modules/stickcode/.device_registry clears the local activation cache on this machine only. It does not free a server-side device slot.

stickcode.resetDevices();
// or:
rm -f node_modules/stickcode/.device_registry

Enterprise tier

Enterprise customers receive unlimited device nodes within their verified corporate domain, enabling large CI/CD and server-farm deployments without per-machine tracking limits.

Security (v6.0.5+)

  • CLI has no default encryption key — use --license or STICKCODE_LICENSE_FILE in production
  • STICKCODE_SKIP_INTEGRITY bypass is removed on published builds
  • Published JS is integrity-signed — tampering triggers process.exit(1); reinstall from npm to fix