🎩 You're Invited:Meet the Socket team at Black Hat in Las Vegas, August 3-6.RSVP
Sign In

@copilotkit/license-verifier

Package Overview
Dependencies
Maintainers
1
Versions
8
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@copilotkit/license-verifier

CopilotKit license verification

Source
npmnpm
Version
0.3.0
Version published
Weekly downloads
272K
28.84%
Maintainers
1
Weekly downloads
 
Created
Source

@copilotkit/license-verifier

Public runtime package for offline CopilotKit license verification.

Public API

The package exports one root entry point:

import {
  LICENSED_FEATURES,
  addRuntimeKeyAttestation,
  clearRuntimeKeys,
  createLicenseChecker,
  getFeatureDisplayName,
  getFeatureLimit,
  getMasterPublicKey,
  getPublicKey,
  isComponentFeature,
  isFeatureEnabled,
  isRuntimeFeature,
  verifyKeyAttestation,
  verifyLicense,
  type KeyAttestationData,
  type LicenseChecker,
  type LicenseFeatures,
  type LicenseOwner,
  type LicensePayload,
  type LicenseStatus,
  type LicenseTier,
} from "@copilotkit/license-verifier";

verifyLicense(token) parses the signed payload, verifies the Ed25519 signature, checks expiration, and returns a LicenseStatus. Signed payloads may contain extra feature keys so older verifiers can still parse newer tokens structurally; helper reads still deny those unknown keys by default.

Feature reads are catalog-gated. isFeatureEnabled(license, feature) returns true only when feature is a known boolean feature in LICENSED_FEATURES and the signed payload value is exactly true. getFeatureLimit(license, feature) returns a number only when feature is a known numeric feature and the signed payload value is a non-negative integer. Unknown feature keys and value-kind mismatches deny by default.

LICENSED_FEATURES is re-exported from the internal @cpki/license-catalog projection used at build time. The verifier should not define a separate feature catalog.

createLicenseChecker(token?) verifies once, caches the signed payload, and re-evaluates expiration on each getStatus() call. checkFeature(feature) uses the same catalog-gated boolean feature behavior as isFeatureEnabled.

Online Key Attestation

The package does not export a network client for online verification. Hosts that fetch signing keys from an online endpoint should validate that response outside this package, then call addRuntimeKeyAttestation({ keyId, publicKey, attestationSig }). The attestation signature must be over keyId:publicKey and signed by the master key baked into the package.

FAQs

Package last updated on 05 May 2026

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts