Get started · Introduction

Welcome to Keysat.

Keysat lets independent software creators sell their work on their own terms. You ship software — open source, closed source, free / paid versions, whatever fits — and Keysat handles the buy page, the Bitcoin payment via BTCPay, and a signed license for each buyer. How you use that license inside your software is up to you: a one-time purchase to unlock the whole app, a free + paid split with specific paid features, a tip-jar style supporter badge — all legitimate. The licensing layer is a primitive, not a script.

These docs cover both ends:

Operator

Install & setup →

Sideload the package, connect BTCPay, define your first product. About an afternoon, end to end.

Developer

Integrate the SDK →

Add the SDK to your app, embed your public key, verify a license at startup. About five lines of code.

Architecture

Keysat is the licensing layer sitting on top of your existing payments stack. Three boxes:

BTCPay Server — takes the payment. On-chain Bitcoin or Lightning, settling to your wallet. Lives on your Start9.
Keysat — your private licensing service. Holds the Ed25519 signing key. Hosts the public purchase URLs at /buy/<product>. Listens for BTCPay payment webhooks and issues a signed license on each settlement. Lives on your Start9.
Your software — the thing you sell. Ships with the Keysat public key embedded at compile time. On startup it reads the user’s license and verifies the signature offline. No network call.

The key word is offline. Once a license is issued, your software does not need to phone home to verify it. The verification is a pure function of the license bytes and the public key. This is the same model used by signed JWTs, except wrapped in a small fixed-width format that’s comfortable to print on a receipt.

Why offline matters. Online license servers are a single point of failure for every customer who ever bought your software. With Keysat, if your Start9 disappears tomorrow, every previously-issued license still verifies. That’s sovereignty.

Products & policies

You declare two things in Keysat: products and policies.

A product is the thing you sell — "Bitcoin Ticker Pro", "Aurora Plugin", whatever. It has a slug, a display name, a description, and a price in sats.

A policy is a license template attached to a product. It specifies:

Field	Meaning
`duration_seconds`	How long the license is valid. `0` means perpetual.
`grace_seconds`	Extra time after expiry before the verifier rejects.
`max_machines`	Seat cap. `0` means unlimited.
`is_trial`	Sets a `TRIAL` bit so your app can show a "trial" banner.
`entitlements`	Free-form list of feature flags baked into the signed key (e.g. `core`, `sync`, `export`).

Each product has one policy slugged default — that’s the one consumed by the public purchase URL. You can attach additional named policies for manual issuance: a longer-duration "Lifetime" policy you hand out at conferences, a richer-entitlement "Pro" policy for upsells, etc.

Discount codes

Three kinds:

Kind	What it does
`percent`	Buyer appends `?code=FOUNDERS50` to the purchase URL; price drops by N%.
`fixed_sats`	Like above, but a flat sat amount comes off.
`free_license`	No payment at all. Buyer redeems the code via `POST /v1/redeem` and gets a signed license back.

Codes can be capped at N uses, dated to expire, restricted to a single product, and tagged with a referrer label so you can see which campaign drove which sales in the audit log.

Revocation strategy

This is the one piece of the architecture that requires a design decision from you.

Because verification is offline, a license that was once issued continues to verify forever — even if you mark it as revoked in the admin UI. The verifier in your app doesn’t know about your admin actions.

You have three options:

Don’t support revocation at all. Many indie developers do this. Once a key is sold, it stays valid. Refunds are still possible — you send sats back via BTCPay; the key still works but the customer agreed to stop using it.
Periodic online check. Your app fetches a small revocation list from your Keysat (or a CDN you point at it) once a week / month. Adds a "soft-online" requirement.
Short-lived licenses with renewal. Issue 30-day licenses; the app fetches a fresh signed token before expiry. v0.2 will ship recurring renewals as a first-class flow.

You decide the policy. Keysat doesn’t force a particular revocation model. The default is no revocation — that’s the simplest, sovereign-by-default choice. If you need stronger guarantees, layer them on with the patterns above.

Where to next

Step 1 for operators

Install & setup →

Get Keysat running on your Start9, connect BTCPay, define your first product.

Step 1 for integrators

Integrate the SDK →

Embed your public key, add the SDK to your app, verify a license offline.