Licensing

Quark Commerce uses RSA-4096 digital signatures to validate licenses. The system is designed so that no configuration bypass is possible — a valid signed license is always required.

How It Works

Components

Component	Purpose
`LicenseMiddleware`	Intercepts every request, enforces valid license
`LicenseValidationService`	RSA public key signature verification
`LicenseWatcherService`	Background service: watches file changes + 5-min periodic revalidation
`LicensePhoneHomeService`	Optional periodic callback to license server

Bypass Paths

These paths are exempt from license validation:

/health
/swagger
/api/health
/api/admin/license

Configuration

Local Development

In appsettings.Development.json:

{
  "Licensing": {
    "PublicKeyBase64": "your-base64-rsa-public-key",
    "LicenseFilePath": "/absolute/path/to/license.lic"
  }
}

Production (Docker / Coolify)

Use environment variables to avoid storing secrets on disk:

Licensing__PublicKeyBase64=MIICIjANBgkqhkiG9w0BAQE...
Licensing__LicenseFileBase64=eyJsaWNlbnNlSWQiOiIuLi4...

When LicenseFileBase64 is set, the API decodes it in memory — no file on disk needed.

License Payload

A license file contains a JSON payload with these fields (signed by the license server):

Field	Description
`LicenseId`	Unique license identifier
`CustomerName`	Licensed customer name
`AllowedHosts`	List of allowed hostnames
`ExpiresAt`	License expiration date
`MaxStores`	Maximum number of stores allowed
`Features`	Enabled feature flags

info

For local development, localhost and *.local hostnames are automatically allowed for host validation, but a valid signed license file is still required.

License Status Page

The Backoffice panel includes a license status page at Settings → License that shows:

License validity status
Expiration date
Licensed features
Allowed hosts
Phone-home status

How It Works​

Components​

Bypass Paths​

Configuration​

Local Development​

Production (Docker / Coolify)​

License Payload​

License Status Page​