Licensing Behavior
How StickCode v6.0.15 validates licenses, binds devices, and derives encryption keys.
License file (*.lic)
The vendor delivers a signed JSON file with payload and signature fields (RSA-2048). StickCode auto-discovers *.lic files in this order:
STICKCODE_LICENSE_FILEor--license <path>- Current working directory (
./) ~/.config/stickcode/~/.stickcode//etc/stickcode/
If multiple *.lic files exist, name one license.lic or pass --license explicitly. Add *.lic to .gitignore.
Activation flow
On first init() / initFromFile():
- Verify the RSA signature on the license payload
- Compute a machine ID (
hostname+platform+arch→ SHA-256) - Contact the activation server (internet required on first run)
- Store a signed token in
node_modules/stickcode/.device_registry - Derive the AES-256 key via HKDF-SHA256 from the activation token +
licenseId
Subsequent runs work 100% offline using the local registry cache.
Device limits
Each license supports a fixed number of devices (maxDevices). When the limit is reached on the activation server, new machines receive a DEVICE_LIMIT_EXCEEDED error. Remove unused devices in the StickCode License Dashboard, then re-activate with internet access.
Resetting local cache
resetDevices() or manually deleting node_modules/stickcode/.device_registry clears the local activation cache on this machine only. It does not free a server-side device slot.
stickcode.resetDevices();
// or:
rm -f node_modules/stickcode/.device_registry
Enterprise tier
Enterprise customers receive unlimited device nodes within their verified corporate domain, enabling large CI/CD and server-farm deployments without per-machine tracking limits.
Security (v6.0.5+)
- CLI has no default encryption key — use
--licenseorSTICKCODE_LICENSE_FILEin production STICKCODE_SKIP_INTEGRITYbypass is removed on published builds- Published JS is integrity-signed — tampering triggers
process.exit(1); reinstall from npm to fix