@licenseseat/js 0.2.0 → 0.2.2

package/README.md

@@ -1,10 +1,10 @@
-# LicenseSeat JavaScript SDK
-
-Official JavaScript/TypeScript SDK for [LicenseSeat](https://licenseseat.com) – the simple, secure licensing platform for apps, games, and plugins.
+# LicenseSeat - JavaScript SDK
 
 [![CI](https://github.com/licenseseat/licenseseat-js/actions/workflows/ci.yml/badge.svg)](https://github.com/licenseseat/licenseseat-js/actions/workflows/ci.yml)
 [![npm version](https://img.shields.io/npm/v/@licenseseat/js.svg)](https://www.npmjs.com/package/@licenseseat/js)
-[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+
+Official JavaScript/TypeScript SDK for [LicenseSeat](https://licenseseat.com) – the simple, secure licensing platform for apps, games, and plugins.
 
 ---
 
@@ -121,7 +121,7 @@ const sdk = new LicenseSeat({
   apiKey: 'your-api-key',
 
   // API Configuration
-  apiBaseUrl: 'https://api.licenseseat.com',  // Default
+  apiBaseUrl: 'https://licenseseat.com/api',  // Default
 
   // Storage
   storagePrefix: 'licenseseat_',              // localStorage key prefix
@@ -148,18 +148,18 @@ const sdk = new LicenseSeat({
 
 ### Configuration Options
 
-| Option | Type | Default | Description |
-|--------|------|---------|-------------|
-| `apiKey` | `string` | `null` | API key for authentication (required for most operations) |
-| `apiBaseUrl` | `string` | `'https://api.licenseseat.com'` | API base URL |
-| `storagePrefix` | `string` | `'licenseseat_'` | Prefix for localStorage keys |
-| `autoValidateInterval` | `number` | `3600000` | Auto-validation interval in ms (1 hour) |
-| `autoInitialize` | `boolean` | `true` | Auto-initialize and validate cached license |
-| `offlineFallbackEnabled` | `boolean` | `false` | Enable offline validation on network errors |
-| `maxOfflineDays` | `number` | `0` | Maximum days license works offline (0 = disabled) |
-| `maxRetries` | `number` | `3` | Max retry attempts for failed API calls |
-| `retryDelay` | `number` | `1000` | Initial retry delay in ms (exponential backoff) |
-| `debug` | `boolean` | `false` | Enable debug logging to console |
+| Option                   | Type      | Default                         | Description                                               |
+| ------------------------ | --------- | ------------------------------- | --------------------------------------------------------- |
+| `apiKey`                 | `string`  | `null`                          | API key for authentication (required for most operations) |
+| `apiBaseUrl`             | `string`  | `'https://licenseseat.com/api'` | API base URL                                              |
+| `storagePrefix`          | `string`  | `'licenseseat_'`                | Prefix for localStorage keys                              |
+| `autoValidateInterval`   | `number`  | `3600000`                       | Auto-validation interval in ms (1 hour)                   |
+| `autoInitialize`         | `boolean` | `true`                          | Auto-initialize and validate cached license               |
+| `offlineFallbackEnabled` | `boolean` | `false`                         | Enable offline validation on network errors               |
+| `maxOfflineDays`         | `number`  | `0`                             | Maximum days license works offline (0 = disabled)         |
+| `maxRetries`             | `number`  | `3`                             | Max retry attempts for failed API calls                   |
+| `retryDelay`             | `number`  | `1000`                          | Initial retry delay in ms (exponential backoff)           |
+| `debug`                  | `boolean` | `false`                         | Enable debug logging to console                           |
 
 ---
 
@@ -296,6 +296,15 @@ Clear all cached data and reset SDK state.
 sdk.reset();
 ```
 
+#### `sdk.destroy()`
+
+Destroy the SDK instance and release all resources. Call this when you no longer need the SDK to prevent memory leaks. After calling `destroy()`, the SDK instance should not be used.
+
+```javascript
+// When unmounting a component or closing an app
+sdk.destroy();
+```
+
 #### `sdk.initialize()`
 
 Manually initialize the SDK (only needed if `autoInitialize: false`).
@@ -330,41 +339,42 @@ sdk.off('activation:success', handler);
 
 ### Available Events
 
-| Event | Description | Data |
-|-------|-------------|------|
-| **Lifecycle** | | |
-| `license:loaded` | Cached license loaded on init | `CachedLicense` |
-| `sdk:reset` | SDK was reset | – |
-| `sdk:error` | General SDK error | `{ message, error? }` |
-| **Activation** | | |
-| `activation:start` | Activation started | `{ licenseKey, deviceId }` |
-| `activation:success` | Activation succeeded | `CachedLicense` |
-| `activation:error` | Activation failed | `{ licenseKey, error }` |
-| **Deactivation** | | |
-| `deactivation:start` | Deactivation started | `CachedLicense` |
-| `deactivation:success` | Deactivation succeeded | `Object` |
-| `deactivation:error` | Deactivation failed | `{ error, license }` |
-| **Validation** | | |
-| `validation:start` | Validation started | `{ licenseKey }` |
-| `validation:success` | Online validation succeeded | `ValidationResult` |
-| `validation:failed` | Validation failed (invalid license) | `ValidationResult` |
-| `validation:error` | Validation error (network, etc.) | `{ licenseKey, error }` |
-| `validation:offline-success` | Offline validation succeeded | `ValidationResult` |
-| `validation:offline-failed` | Offline validation failed | `ValidationResult` |
-| `validation:auth-failed` | Auth failed during validation | `{ licenseKey, error, cached }` |
-| **Auto-Validation** | | |
-| `autovalidation:cycle` | Auto-validation scheduled | `{ nextRunAt: Date }` |
-| `autovalidation:stopped` | Auto-validation stopped | – |
-| **Network** | | |
-| `network:online` | Network connectivity restored | – |
-| `network:offline` | Network connectivity lost | `{ error }` |
-| **Offline License** | | |
-| `offlineLicense:fetching` | Fetching offline license | `{ licenseKey }` |
-| `offlineLicense:fetched` | Offline license fetched | `{ licenseKey, data }` |
-| `offlineLicense:fetchError` | Offline license fetch failed | `{ licenseKey, error }` |
-| `offlineLicense:ready` | Offline assets synced | `{ kid, exp_at }` |
-| `offlineLicense:verified` | Offline signature verified | `{ payload }` |
-| `offlineLicense:verificationFailed` | Offline signature invalid | `{ payload }` |
+| Event                               | Description                         | Data                            |
+| ----------------------------------- | ----------------------------------- | ------------------------------- |
+| **Lifecycle**                       |                                     |                                 |
+| `license:loaded`                    | Cached license loaded on init       | `CachedLicense`                 |
+| `sdk:reset`                         | SDK was reset                       | –                               |
+| `sdk:destroyed`                     | SDK was destroyed                   | –                               |
+| `sdk:error`                         | General SDK error                   | `{ message, error? }`           |
+| **Activation**                      |                                     |                                 |
+| `activation:start`                  | Activation started                  | `{ licenseKey, deviceId }`      |
+| `activation:success`                | Activation succeeded                | `CachedLicense`                 |
+| `activation:error`                  | Activation failed                   | `{ licenseKey, error }`         |
+| **Deactivation**                    |                                     |                                 |
+| `deactivation:start`                | Deactivation started                | `CachedLicense`                 |
+| `deactivation:success`              | Deactivation succeeded              | `Object`                        |
+| `deactivation:error`                | Deactivation failed                 | `{ error, license }`            |
+| **Validation**                      |                                     |                                 |
+| `validation:start`                  | Validation started                  | `{ licenseKey }`                |
+| `validation:success`                | Online validation succeeded         | `ValidationResult`              |
+| `validation:failed`                 | Validation failed (invalid license) | `ValidationResult`              |
+| `validation:error`                  | Validation error (network, etc.)    | `{ licenseKey, error }`         |
+| `validation:offline-success`        | Offline validation succeeded        | `ValidationResult`              |
+| `validation:offline-failed`         | Offline validation failed           | `ValidationResult`              |
+| `validation:auth-failed`            | Auth failed during validation       | `{ licenseKey, error, cached }` |
+| **Auto-Validation**                 |                                     |                                 |
+| `autovalidation:cycle`              | Auto-validation scheduled           | `{ nextRunAt: Date }`           |
+| `autovalidation:stopped`            | Auto-validation stopped             | –                               |
+| **Network**                         |                                     |                                 |
+| `network:online`                    | Network connectivity restored       | –                               |
+| `network:offline`                   | Network connectivity lost           | `{ error }`                     |
+| **Offline License**                 |                                     |                                 |
+| `offlineLicense:fetching`           | Fetching offline license            | `{ licenseKey }`                |
+| `offlineLicense:fetched`            | Offline license fetched             | `{ licenseKey, data }`          |
+| `offlineLicense:fetchError`         | Offline license fetch failed        | `{ licenseKey, error }`         |
+| `offlineLicense:ready`              | Offline assets synced               | `{ kid, exp_at }`               |
+| `offlineLicense:verified`           | Offline signature verified          | `{ payload }`                   |
+| `offlineLicense:verificationFailed` | Offline signature invalid           | `{ payload }`                   |
 
 ---
 
@@ -444,12 +454,12 @@ try {
 
 ### Error Types
 
-| Error | Description |
-|-------|-------------|
-| `APIError` | HTTP request failures (includes `status` and `data`) |
-| `LicenseError` | License operation failures (includes `code`) |
-| `ConfigurationError` | SDK misconfiguration |
-| `CryptoError` | Cryptographic operation failures |
+| Error                | Description                                          |
+| -------------------- | ---------------------------------------------------- |
+| `APIError`           | HTTP request failures (includes `status` and `data`) |
+| `LicenseError`       | License operation failures (includes `code`)         |
+| `ConfigurationError` | SDK misconfiguration                                 |
+| `CryptoError`        | Cryptographic operation failures                     |
 
 ---
 
@@ -551,17 +561,17 @@ npm install
 
 ### Scripts
 
-| Command | Description |
-|---------|-------------|
-| `npm run build` | Build JS bundle + TypeScript declarations |
-| `npm run build:js` | Build JavaScript bundle only |
-| `npm run build:types` | Generate TypeScript declarations |
-| `npm run build:iife` | Build global/IIFE bundle |
-| `npm run dev` | Watch mode for development |
-| `npm test` | Run tests |
-| `npm run test:watch` | Run tests in watch mode |
-| `npm run test:coverage` | Run tests with coverage report |
-| `npm run typecheck` | Type-check without emitting |
+| Command                 | Description                               |
+| ----------------------- | ----------------------------------------- |
+| `npm run build`         | Build JS bundle + TypeScript declarations |
+| `npm run build:js`      | Build JavaScript bundle only              |
+| `npm run build:types`   | Generate TypeScript declarations          |
+| `npm run build:iife`    | Build global/IIFE bundle                  |
+| `npm run dev`           | Watch mode for development                |
+| `npm test`              | Run tests                                 |
+| `npm run test:watch`    | Run tests in watch mode                   |
+| `npm run test:coverage` | Run tests with coverage report            |
+| `npm run typecheck`     | Type-check without emitting               |
 
 ### Project Structure
 
@@ -661,12 +671,12 @@ This ensures:
 
 Once published to npm, the package is automatically available on CDNs:
 
-| CDN | URL |
-|-----|-----|
-| **esm.sh** | `https://esm.sh/@licenseseat/js` |
-| **unpkg** | `https://unpkg.com/@licenseseat/js/dist/index.js` |
+| CDN          | URL                                                          |
+| ------------ | ------------------------------------------------------------ |
+| **esm.sh**   | `https://esm.sh/@licenseseat/js`                             |
+| **unpkg**    | `https://unpkg.com/@licenseseat/js/dist/index.js`            |
 | **jsDelivr** | `https://cdn.jsdelivr.net/npm/@licenseseat/js/dist/index.js` |
-| **Skypack** | `https://cdn.skypack.dev/@licenseseat/js` |
+| **Skypack**  | `https://cdn.skypack.dev/@licenseseat/js`                    |
 
 **Version pinning** (recommended for production):
 ```html
@@ -721,10 +731,10 @@ This project follows [Semantic Versioning](https://semver.org/):
 
 ### Breaking Changes in v0.2.0
 
-| Change | Before | After | Migration |
-|--------|--------|-------|-----------|
-| `apiBaseUrl` default | `/api` | `https://api.licenseseat.com` | Set `apiBaseUrl` explicitly if using a relative URL |
-| `offlineFallbackEnabled` default | `true` | `false` | Set `offlineFallbackEnabled: true` if you need offline fallback |
+| Change                           | Before | After                         | Migration                                                       |
+| -------------------------------- | ------ | ----------------------------- | --------------------------------------------------------------- |
+| `apiBaseUrl` default             | `/api` | `https://licenseseat.com/api` | Set `apiBaseUrl` explicitly if using a relative URL             |
+| `offlineFallbackEnabled` default | `true` | `false`                       | Set `offlineFallbackEnabled: true` if you need offline fallback |
 
 ### New Features in v0.2.0
 

package/dist/index.js

@@ -221,8 +221,6 @@ function parseActiveEntitlements(payload = {}) {
   const raw = payload.active_ents || payload.active_entitlements || [];
   return raw.map((e) => ({
     key: e.key,
-    name: e.name ?? null,
-    description: e.description ?? null,
     expires_at: e.expires_at ?? null,
     metadata: e.metadata ?? null
   }));
@@ -262,7 +260,14 @@ function base64UrlDecode(base64UrlString) {
   while (base64.length % 4) {
     base64 += "=";
   }
-  const raw = window.atob(base64);
+  let raw;
+  if (typeof atob === "function") {
+    raw = atob(base64);
+  } else if (typeof Buffer !== "undefined") {
+    raw = Buffer.from(base64, "base64").toString("binary");
+  } else {
+    throw new Error("No base64 decoder available (neither atob nor Buffer found)");
+  }
   const outputArray = new Uint8Array(raw.length);
   for (let i = 0; i < raw.length; ++i) {
     outputArray[i] = raw.charCodeAt(i);
@@ -291,6 +296,11 @@ function getCanvasFingerprint() {
   }
 }
 function generateDeviceId() {
+  if (typeof window === "undefined" || typeof navigator === "undefined") {
+    const os = typeof process !== "undefined" ? process.platform : "unknown";
+    const arch = typeof process !== "undefined" ? process.arch : "unknown";
+    return `node-${hashCode(os + "|" + arch)}`;
+  }
   const nav = window.navigator;
   const screen = window.screen;
   const data = [
@@ -302,7 +312,7 @@ function generateDeviceId() {
     nav.hardwareConcurrency,
     getCanvasFingerprint()
   ].join("|");
-  return `web-${hashCode(data)}-${Date.now().toString(36)}`;
+  return `web-${hashCode(data)}`;
 }
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
@@ -314,7 +324,7 @@ function getCsrfToken() {
 
 // src/LicenseSeat.js
 var DEFAULT_CONFIG = {
-  apiBaseUrl: "https://api.licenseseat.com",
+  apiBaseUrl: "https://licenseseat.com/api",
   storagePrefix: "licenseseat_",
   autoValidateInterval: 36e5,
   // 1 hour
@@ -352,6 +362,8 @@ var LicenseSeatSDK = class {
     this.connectivityTimer = null;
     this.offlineRefreshTimer = null;
     this.lastOfflineValidation = null;
+    this.syncingOfflineAssets = false;
+    this.destroyed = false;
     if (ed && ed.etc && sha512) {
       ed.etc.sha512Sync = (...m) => sha512(ed.etc.concatBytes(...m));
     } else {
@@ -488,7 +500,7 @@ var LicenseSeatSDK = class {
   async validateLicense(licenseKey, options = {}) {
     try {
       this.emit("validation:start", { licenseKey });
-      const response = await this.apiCall("/licenses/validate", {
+      const rawResponse = await this.apiCall("/licenses/validate", {
         method: "POST",
         body: {
           license_key: licenseKey,
@@ -496,6 +508,10 @@ var LicenseSeatSDK = class {
           product_slug: options.productSlug
         }
       });
+      const response = {
+        valid: rawResponse.valid,
+        ...rawResponse.license || {}
+      };
       const cachedLicense = this.cache.getLicense();
       if ((!response.active_entitlements || response.active_entitlements.length === 0) && cachedLicense?.validation?.active_entitlements?.length) {
         response.active_entitlements = cachedLicense.validation.active_entitlements;
@@ -744,12 +760,12 @@ var LicenseSeatSDK = class {
    * Test server authentication
    * Useful for verifying API key/session is valid.
    * @returns {Promise<Object>} Result from the server
-   * @throws {Error} When API key is not configured
+   * @throws {ConfigurationError} When API key is not configured
    * @throws {APIError} When authentication fails
    */
   async testAuth() {
     if (!this.config.apiKey) {
-      const err = new Error("API key is required for auth test");
+      const err = new ConfigurationError("API key is required for auth test");
       this.emit("auth_test:error", { error: err });
       throw err;
     }
@@ -769,10 +785,36 @@ var LicenseSeatSDK = class {
    */
   reset() {
     this.stopAutoValidation();
+    this.stopConnectivityPolling();
+    if (this.offlineRefreshTimer) {
+      clearInterval(this.offlineRefreshTimer);
+      this.offlineRefreshTimer = null;
+    }
     this.cache.clear();
     this.lastOfflineValidation = null;
+    this.currentAutoLicenseKey = null;
     this.emit("sdk:reset");
   }
+  /**
+   * Destroy the SDK instance and release all resources
+   * Call this when you no longer need the SDK to prevent memory leaks.
+   * After calling destroy(), the SDK instance should not be used.
+   * @returns {void}
+   */
+  destroy() {
+    this.destroyed = true;
+    this.stopAutoValidation();
+    this.stopConnectivityPolling();
+    if (this.offlineRefreshTimer) {
+      clearInterval(this.offlineRefreshTimer);
+      this.offlineRefreshTimer = null;
+    }
+    this.eventListeners = {};
+    this.cache.clear();
+    this.lastOfflineValidation = null;
+    this.currentAutoLicenseKey = null;
+    this.emit("sdk:destroyed");
+  }
   // ============================================================
   // Event Handling
   // ============================================================
@@ -907,10 +949,16 @@ var LicenseSeatSDK = class {
   // ============================================================
   /**
    * Fetch and cache offline license and public key
+   * Uses a lock to prevent concurrent calls from causing race conditions
    * @returns {Promise<void>}
    * @private
    */
   async syncOfflineAssets() {
+    if (this.syncingOfflineAssets || this.destroyed) {
+      this.log("Skipping syncOfflineAssets: already syncing or destroyed");
+      return;
+    }
+    this.syncingOfflineAssets = true;
     try {
       const offline = await this.getOfflineLicense();
       this.cache.setOfflineLicense(offline);
@@ -936,6 +984,8 @@ var LicenseSeatSDK = class {
       }
     } catch (err) {
       this.log("Failed to sync offline assets:", err);
+    } finally {
+      this.syncingOfflineAssets = false;
     }
   }
   /**
@@ -1016,6 +1066,7 @@ var LicenseSeatSDK = class {
   }
   /**
    * Quick offline verification using only local data (no network)
+   * Performs signature verification plus basic validity checks (expiry, license key match)
    * @returns {Promise<import('./types.js').ValidationResult|null>}
    * @private
    */
@@ -1032,7 +1083,21 @@ var LicenseSeatSDK = class {
       if (!ok) {
         return { valid: false, offline: true, reason_code: "signature_invalid" };
       }
-      const active = parseActiveEntitlements(signed.payload || {});
+      const payload = signed.payload || {};
+      const cached = this.cache.getLicense();
+      if (!cached || !constantTimeEqual(payload.lic_k || "", cached.license_key || "")) {
+        return { valid: false, offline: true, reason_code: "license_mismatch" };
+      }
+      const now = Date.now();
+      const expAt = payload.exp_at ? Date.parse(payload.exp_at) : null;
+      if (expAt && expAt < now) {
+        return { valid: false, offline: true, reason_code: "expired" };
+      }
+      const lastSeen = this.cache.getLastSeenTimestamp();
+      if (lastSeen && now + this.config.maxClockSkewMs < lastSeen) {
+        return { valid: false, offline: true, reason_code: "clock_tamper" };
+      }
+      const active = parseActiveEntitlements(payload);
       return {
         valid: true,
         offline: true,

package/dist/types/LicenseSeat.d.ts

@@ -57,7 +57,7 @@ export class LicenseSeatSDK {
     private eventListeners;
     /**
      * Auto-validation timer ID
-     * @type {number|null}
+     * @type {ReturnType<typeof setInterval>|null}
      * @private
      */
     private validationTimer;
@@ -81,13 +81,13 @@ export class LicenseSeatSDK {
     private currentAutoLicenseKey;
     /**
      * Connectivity polling timer ID
-     * @type {number|null}
+     * @type {ReturnType<typeof setInterval>|null}
      * @private
      */
     private connectivityTimer;
     /**
      * Offline license refresh timer ID
-     * @type {number|null}
+     * @type {ReturnType<typeof setInterval>|null}
      * @private
      */
     private offlineRefreshTimer;
@@ -97,6 +97,18 @@ export class LicenseSeatSDK {
      * @private
      */
     private lastOfflineValidation;
+    /**
+     * Flag to prevent concurrent syncOfflineAssets calls
+     * @type {boolean}
+     * @private
+     */
+    private syncingOfflineAssets;
+    /**
+     * Flag indicating if SDK has been destroyed
+     * @type {boolean}
+     * @private
+     */
+    private destroyed;
     /**
      * Initialize the SDK
      * Loads cached license and starts auto-validation if configured.
@@ -173,7 +185,7 @@ export class LicenseSeatSDK {
      * Test server authentication
      * Useful for verifying API key/session is valid.
      * @returns {Promise<Object>} Result from the server
-     * @throws {Error} When API key is not configured
+     * @throws {ConfigurationError} When API key is not configured
      * @throws {APIError} When authentication fails
      */
     testAuth(): Promise<any>;
@@ -182,6 +194,13 @@ export class LicenseSeatSDK {
      * @returns {void}
      */
     reset(): void;
+    /**
+     * Destroy the SDK instance and release all resources
+     * Call this when you no longer need the SDK to prevent memory leaks.
+     * After calling destroy(), the SDK instance should not be used.
+     * @returns {void}
+     */
+    destroy(): void;
     /**
      * Subscribe to an event
      * @param {string} event - Event name
@@ -231,6 +250,7 @@ export class LicenseSeatSDK {
     private stopConnectivityPolling;
     /**
      * Fetch and cache offline license and public key
+     * Uses a lock to prevent concurrent calls from causing race conditions
      * @returns {Promise<void>}
      * @private
      */
@@ -249,6 +269,7 @@ export class LicenseSeatSDK {
     private verifyCachedOffline;
     /**
      * Quick offline verification using only local data (no network)
+     * Performs signature verification plus basic validity checks (expiry, license key match)
      * @returns {Promise<import('./types.js').ValidationResult|null>}
      * @private
      */

package/dist/types/LicenseSeat.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"LicenseSeat.d.ts","sourceRoot":"","sources":["../../src/LicenseSeat.js"],"names":[],"mappings":"AAomCA;;;;GAIG;AACH,2CAHW,OAAO,YAAY,EAAE,iBAAiB,GACpC,cAAc,CAO1B;AAED;;;;;GAKG;AACH,kCAJW,OAAO,YAAY,EAAE,iBAAiB,UACtC,OAAO,GACL,cAAc,CAW1B;AAED;;;GAGG;AACH,uCAFa,IAAI,CAOhB;AAplCD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH;IACE;;;OAGG;IACH,qBAFW,OAAO,YAAY,EAAE,iBAAiB,EAiFhD;IA9EC;;;OAGG;IACH,QAFU,OAAO,YAAY,EAAE,iBAAiB,CAK/C;IAED;;;;OAIG;IACH,uBAAwB;IAExB;;;;OAIG;IACH,wBAA2B;IAE3B;;;;OAIG;IACH,cAAwD;IAExD;;;;OAIG;IACH,eAAkB;IAElB;;;;OAIG;IACH,8BAAiC;IAEjC;;;;OAIG;IACH,0BAA6B;IAE7B;;;;OAIG;IACH,4BAA+B;IAE/B;;;;OAIG;IACH,8BAAiC;IAiBnC;;;;;OAKG;IACH,cAFa,IAAI,CAkDhB;IAED;;;;;;OAMG;IACH,qBALW,MAAM,YACN,OAAO,YAAY,EAAE,iBAAiB,GACpC,OAAO,CAAC,OAAO,YAAY,EAAE,aAAa,CAAC,CA4CvD;IAED;;;;;OAKG;IACH,cAJa,OAAO,KAAQ,CA+B3B;IAED;;;;;;OAMG;IACH,4BALW,MAAM,YACN,OAAO,YAAY,EAAE,iBAAiB,GACpC,OAAO,CAAC,OAAO,YAAY,EAAE,gBAAgB,CAAC,CAkF1D;IAED;;;;OAIG;IACH,iCAHW,MAAM,GACJ,OAAO,YAAY,EAAE,sBAAsB,CA6BvD;IAED;;;;;;OAMG;IACH,+BAHW,MAAM,GACJ,OAAO,CAInB;IAED;;;;;OAKG;IACH,qBAJa,OAAO,CAAC,OAAO,YAAY,EAAE,oBAAoB,CAAC,CAmC9D;IAED;;;;;OAKG;IACH,oBAJW,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAwB3B;IAED;;;;;;;OAOG;IACH,wCANW,OAAO,YAAY,EAAE,oBAAoB,gBACzC,MAAM,GACJ,OAAO,CAAC,OAAO,CAAC,CAuD5B;IAED;;;OAGG;IACH,aAFa,OAAO,YAAY,EAAE,aAAa,CA6C9C;IAED;;;;;;OAMG;IACH,YAJa,OAAO,KAAQ,CAoB3B;IAED;;;OAGG;IACH,SAFa,IAAI,CAOhB;IAMD;;;;;OAKG;IACH,UAJW,MAAM,YACN,OAAO,YAAY,EAAE,aAAa,GAChC,OAAO,YAAY,EAAE,gBAAgB,CAQjD;IAED;;;;;OAKG;IACH,WAJW,MAAM,YACN,OAAO,YAAY,EAAE,aAAa,GAChC,IAAI,CAQhB;IAED;;;;;;OAMG;IACH,aAWC;IAMD;;;;;OAKG;IACH,4BAqBC;IAED;;;;OAIG;IACH,2BAMC;IAED;;;;OAIG;IACH,iCA4BC;IAED;;;;OAIG;IACH,gCAKC;IAMD;;;;OAIG;IACH,0BA+BC;IAED;;;;OAIG;IACH,+BAMC;IAED;;;;OAIG;IACH,4BA0EC;IAED;;;;OAIG;IACH,sCAsBC;IAMD;;;;;;;;;;OAUG;IACH,gBAiFC;IAED;;;;;OAKG;IACH,yBAsBC;IAMD;;;OAGG;IACH,gBAFa,MAAM,CAIlB;IAED;;;;;OAKG;IACH,YAIC;CACF"}
+{"version":3,"file":"LicenseSeat.d.ts","sourceRoot":"","sources":["../../src/LicenseSeat.js"],"names":[],"mappings":"AAwrCA;;;;GAIG;AACH,2CAHW,OAAO,YAAY,EAAE,iBAAiB,GACpC,cAAc,CAO1B;AAED;;;;;GAKG;AACH,kCAJW,OAAO,YAAY,EAAE,iBAAiB,UACtC,OAAO,GACL,cAAc,CAW1B;AAED;;;GAGG;AACH,uCAFa,IAAI,CAOhB;AAxqCD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH;IACE;;;OAGG;IACH,qBAFW,OAAO,YAAY,EAAE,iBAAiB,EA+FhD;IA5FC;;;OAGG;IACH,QAFU,OAAO,YAAY,EAAE,iBAAiB,CAK/C;IAED;;;;OAIG;IACH,uBAAwB;IAExB;;;;OAIG;IACH,wBAA2B;IAE3B;;;;OAIG;IACH,cAAwD;IAExD;;;;OAIG;IACH,eAAkB;IAElB;;;;OAIG;IACH,8BAAiC;IAEjC;;;;OAIG;IACH,0BAA6B;IAE7B;;;;OAIG;IACH,4BAA+B;IAE/B;;;;OAIG;IACH,8BAAiC;IAEjC;;;;OAIG;IACH,6BAAiC;IAEjC;;;;OAIG;IACH,kBAAsB;IAiBxB;;;;;OAKG;IACH,cAFa,IAAI,CAkDhB;IAED;;;;;;OAMG;IACH,qBALW,MAAM,YACN,OAAO,YAAY,EAAE,iBAAiB,GACpC,OAAO,CAAC,OAAO,YAAY,EAAE,aAAa,CAAC,CA4CvD;IAED;;;;;OAKG;IACH,cAJa,OAAO,KAAQ,CA+B3B;IAED;;;;;;OAMG;IACH,4BALW,MAAM,YACN,OAAO,YAAY,EAAE,iBAAiB,GACpC,OAAO,CAAC,OAAO,YAAY,EAAE,gBAAgB,CAAC,CAyF1D;IAED;;;;OAIG;IACH,iCAHW,MAAM,GACJ,OAAO,YAAY,EAAE,sBAAsB,CA6BvD;IAED;;;;;;OAMG;IACH,+BAHW,MAAM,GACJ,OAAO,CAInB;IAED;;;;;OAKG;IACH,qBAJa,OAAO,CAAC,OAAO,YAAY,EAAE,oBAAoB,CAAC,CAmC9D;IAED;;;;;OAKG;IACH,oBAJW,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAwB3B;IAED;;;;;;;OAOG;IACH,wCANW,OAAO,YAAY,EAAE,oBAAoB,gBACzC,MAAM,GACJ,OAAO,CAAC,OAAO,CAAC,CAuD5B;IAED;;;OAGG;IACH,aAFa,OAAO,YAAY,EAAE,aAAa,CA6C9C;IAED;;;;;;OAMG;IACH,YAJa,OAAO,KAAQ,CAoB3B;IAED;;;OAGG;IACH,SAFa,IAAI,CAahB;IAED;;;;;OAKG;IACH,WAFa,IAAI,CAehB;IAMD;;;;;OAKG;IACH,UAJW,MAAM,YACN,OAAO,YAAY,EAAE,aAAa,GAChC,OAAO,YAAY,EAAE,gBAAgB,CAQjD;IAED;;;;;OAKG;IACH,WAJW,MAAM,YACN,OAAO,YAAY,EAAE,aAAa,GAChC,IAAI,CAQhB;IAED;;;;;;OAMG;IACH,aAWC;IAMD;;;;;OAKG;IACH,4BAqBC;IAED;;;;OAIG;IACH,2BAMC;IAED;;;;OAIG;IACH,iCA4BC;IAED;;;;OAIG;IACH,gCAKC;IAMD;;;;;OAKG;IACH,0BAwCC;IAED;;;;OAIG;IACH,+BAMC;IAED;;;;OAIG;IACH,4BA0EC;IAED;;;;;OAKG;IACH,sCA+CC;IAMD;;;;;;;;;;OAUG;IACH,gBAiFC;IAED;;;;;OAKG;IACH,yBAsBC;IAMD;;;OAGG;IACH,gBAFa,MAAM,CAIlB;IAED;;;;;OAKG;IACH,YAIC;CACF"}

package/dist/types/types.d.ts

@@ -141,20 +141,13 @@ export type CachedLicense = {
 };
 /**
  * Entitlement object
+ * Note: API returns only key, expires_at, and metadata. Name/description are not provided.
  */
 export type Entitlement = {
     /**
      * - Unique entitlement key
      */
     key: string;
-    /**
-     * - Human-readable name
-     */
-    name: string | null;
-    /**
-     * - Description of the entitlement
-     */
-    description: string | null;
     /**
      * - ISO8601 expiration timestamp
      */
@@ -251,26 +244,50 @@ export type LicenseStatus = {
  * Offline license payload
  */
 export type OfflineLicensePayload = {
+    /**
+     * - Payload version (currently 1)
+     */
+    v?: number;
     /**
      * - License key
      */
     lic_k?: string;
     /**
-     * - ISO8601 expiration timestamp
+     * - Product slug
+     */
+    prod_s?: string;
+    /**
+     * - License plan key
      */
-    exp_at?: string;
+    plan_k?: string;
     /**
-     * - Key ID for signature verification
+     * - ISO8601 expiration timestamp (null for perpetual)
+     */
+    exp_at?: string | null;
+    /**
+     * - Seat limit (null for unlimited)
+     */
+    sl?: number | null;
+    /**
+     * - Key ID for public key lookup
      */
     kid?: string;
     /**
      * - Active entitlements
      */
-    active_ents?: Array<any>;
+    active_ents?: Array<{
+        key: string;
+        expires_at: string | null;
+        metadata: any | null;
+    }>;
     /**
      * - Active entitlements (alternative key)
      */
-    active_entitlements?: Array<any>;
+    active_entitlements?: Array<{
+        key: string;
+        expires_at: string | null;
+        metadata: any | null;
+    }>;
     /**
      * - Additional metadata
      */
@@ -310,7 +327,11 @@ export type APIErrorData = {
      */
     error?: string;
     /**
-     * - Error code
+     * - Machine-readable reason code (e.g., "license_not_found", "expired", "revoked")
+     */
+    reason_code?: string;
+    /**
+     * - Legacy error code (deprecated, use reason_code)
      */
     code?: string;
     /**

package/dist/types/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.js"],"names":[],"mappings":";;;;;;;iBASc,MAAM;;;;aACN,MAAM;;;;oBACN,MAAM;;;;2BACN,MAAM;;;;6BACN,MAAM;;;;iBACN,MAAM;;;;iBACN,MAAM;;;;YACN,OAAO;;;;oCACP,MAAM;;;;6BACN,OAAO;;;;qBACP,MAAM;;;;qBACN,MAAM;;;;qBACN,OAAO;;;;;;;;;uBAMP,MAAM;;;;0BACN,MAAM;;;;;;;;;;;;;uBAON,MAAM;;;;kBACN,MAAM;;;;;;;;;QAMN,MAAM;;;;iBACN,MAAM;;;;uBACN,MAAM;;;;kBACN,MAAM;;;;;;;;;;;;;iBAON,MAAM;;;;uBACN,MAAM;;;;iBACN,kBAAkB;;;;kBAClB,MAAM;;;;oBACN,MAAM;;;;iBACN,gBAAgB;;;;;;;;;SAMhB,MAAM;;;;UACN,MAAM,GAAC,IAAI;;;;iBACX,MAAM,GAAC,IAAI;;;;gBACX,MAAM,GAAC,IAAI;;;;cACX,MAAO,IAAI;;;;;;;;;WAMX,OAAO;;;;cACP,OAAO;;;;aACP,MAAM;;;;kBACN,MAAM;;;;0BACN,WAAW,EAAE;;;;iBACb,OAAO;;;;;;;;;YAMP,OAAO;;;;aACP,MAAM;;;;iBACN,MAAM;;;;kBACN,WAAW;;;;;;;;;YAMX,MAAM;;;;cACN,MAAM;;;;cACN,MAAM;;;;aACN,MAAM;;;;mBACN,MAAM;;;;qBACN,MAAM;;;;mBACN,WAAW,EAAE;;;;;;;;;YAMb,MAAM;;;;aACN,MAAM;;;;UACN,MAAM;;;;kBACN,KAAK,KAAQ;;;;0BACb,KAAK,KAAQ;;;;;;;;;;;;;aAOb,qBAAqB;;;;oBACrB,MAAM;;;;UACN,MAAM;;;;;mCAMT,GAAC,KACC,IAAI;;;;qCAMJ,IAAI;;;;;;;;YAMH,MAAM;;;;WACN,MAAM"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.js"],"names":[],"mappings":";;;;;;;iBASc,MAAM;;;;aACN,MAAM;;;;oBACN,MAAM;;;;2BACN,MAAM;;;;6BACN,MAAM;;;;iBACN,MAAM;;;;iBACN,MAAM;;;;YACN,OAAO;;;;oCACP,MAAM;;;;6BACN,OAAO;;;;qBACP,MAAM;;;;qBACN,MAAM;;;;qBACN,OAAO;;;;;;;;;uBAMP,MAAM;;;;0BACN,MAAM;;;;;;;;;;;;;uBAON,MAAM;;;;kBACN,MAAM;;;;;;;;;QAMN,MAAM;;;;iBACN,MAAM;;;;uBACN,MAAM;;;;kBACN,MAAM;;;;;;;;;;;;;iBAON,MAAM;;;;uBACN,MAAM;;;;iBACN,kBAAkB;;;;kBAClB,MAAM;;;;oBACN,MAAM;;;;iBACN,gBAAgB;;;;;;;;;;SAOhB,MAAM;;;;gBACN,MAAM,GAAC,IAAI;;;;cACX,MAAO,IAAI;;;;;;;;;WAMX,OAAO;;;;cACP,OAAO;;;;aACP,MAAM;;;;kBACN,MAAM;;;;0BACN,WAAW,EAAE;;;;iBACb,OAAO;;;;;;;;;YAMP,OAAO;;;;aACP,MAAM;;;;iBACN,MAAM;;;;kBACN,WAAW;;;;;;;;;YAMX,MAAM;;;;cACN,MAAM;;;;cACN,MAAM;;;;aACN,MAAM;;;;mBACN,MAAM;;;;qBACN,MAAM;;;;mBACN,WAAW,EAAE;;;;;;;;;QAMb,MAAM;;;;YACN,MAAM;;;;aACN,MAAM;;;;aACN,MAAM;;;;aACN,MAAM,GAAC,IAAI;;;;SACX,MAAM,GAAC,IAAI;;;;UACX,MAAM;;;;kBACN,KAAK,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,GAAC,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAO,IAAI,CAAA;KAAC,CAAC;;;;0BACpE,KAAK,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,GAAC,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAO,IAAI,CAAA;KAAC,CAAC;;;;;;;;;;;;;aAOpE,qBAAqB;;;;oBACrB,MAAM;;;;UACN,MAAM;;;;;mCAMT,GAAC,KACC,IAAI;;;;qCAMJ,IAAI;;;;;;;;YAMH,MAAM;;;;kBACN,MAAM;;;;WACN,MAAM"}

package/dist/types/utils.d.ts

@@ -20,6 +20,7 @@ export function constantTimeEqual(a?: string, b?: string): boolean;
 export function canonicalJsonStringify(obj: any): string;
 /**
  * Decode a Base64URL string to a Uint8Array
+ * Works in both browser and Node.js environments.
  * @param {string} base64UrlString - The Base64URL encoded string
  * @returns {Uint8Array} Decoded bytes
  */
@@ -36,8 +37,9 @@ export function hashCode(str: string): string;
  */
 export function getCanvasFingerprint(): string;
 /**
- * Generate a unique device identifier based on browser characteristics
- * @returns {string} Unique device identifier
+ * Generate a stable device identifier based on browser characteristics.
+ * The ID is deterministic - same device will produce the same ID across calls.
+ * @returns {string} Stable device identifier
  */
 export function generateDeviceId(): string;
 /**

package/dist/types/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/utils.js"],"names":[],"mappings":"AAQA;;;;GAIG;AACH,wDAFa,OAAO,YAAY,EAAE,WAAW,EAAE,CAW9C;AAED;;;;;GAKG;AACH,sCAJW,MAAM,MACN,MAAM,GACJ,OAAO,CASnB;AAED;;;;;GAKG;AACH,kDAFa,MAAM,CAuBlB;AAED;;;;GAIG;AACH,iDAHW,MAAM,GACJ,UAAU,CAatB;AAED;;;;GAIG;AACH,8BAHW,MAAM,GACJ,MAAM,CAUlB;AAED;;;GAGG;AACH,wCAFa,MAAM,CAalB;AAED;;;GAGG;AACH,oCAFa,MAAM,CAgBlB;AAED;;;;GAIG;AACH,0BAHW,MAAM,GACJ,OAAO,CAAC,IAAI,CAAC,CAIzB;AAED;;;GAGG;AACH,gCAFa,MAAM,CAMlB"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/utils.js"],"names":[],"mappings":"AAQA;;;;GAIG;AACH,wDAFa,OAAO,YAAY,EAAE,WAAW,EAAE,CAS9C;AAED;;;;;GAKG;AACH,sCAJW,MAAM,MACN,MAAM,GACJ,OAAO,CASnB;AAED;;;;;GAKG;AACH,kDAFa,MAAM,CAuBlB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,GACJ,UAAU,CA0BtB;AAED;;;;GAIG;AACH,8BAHW,MAAM,GACJ,MAAM,CAUlB;AAED;;;GAGG;AACH,wCAFa,MAAM,CAalB;AAED;;;;GAIG;AACH,oCAFa,MAAM,CAyBlB;AAED;;;;GAIG;AACH,0BAHW,MAAM,GACJ,OAAO,CAAC,IAAI,CAAC,CAIzB;AAED;;;GAGG;AACH,gCAFa,MAAM,CAMlB"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@licenseseat/js",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "Official JavaScript SDK for LicenseSeat – simple, secure software licensing.",
   "main": "dist/index.js",
   "module": "dist/index.js",
@@ -62,6 +62,7 @@
     "node": ">=18.0.0"
   },
   "devDependencies": {
+    "@types/node": "^25.0.9",
     "@vitest/coverage-v8": "^1.6.0",
     "esbuild": "^0.20.2",
     "jsdom": "^24.1.3",

package/src/LicenseSeat.js

@@ -21,7 +21,7 @@ import * as ed from "@noble/ed25519";
 import { sha512 } from "@noble/hashes/sha512";
 
 import { LicenseCache } from "./cache.js";
-import { APIError, LicenseError, CryptoError } from "./errors.js";
+import { APIError, ConfigurationError, LicenseError, CryptoError } from "./errors.js";
 import {
   parseActiveEntitlements,
   constantTimeEqual,
@@ -37,7 +37,7 @@ import {
  * @type {import('./types.js').LicenseSeatConfig}
  */
 const DEFAULT_CONFIG = {
-  apiBaseUrl: "https://api.licenseseat.com",
+  apiBaseUrl: "https://licenseseat.com/api",
   storagePrefix: "licenseseat_",
   autoValidateInterval: 3600000, // 1 hour
   networkRecheckInterval: 30000, // 30 seconds
@@ -98,7 +98,7 @@ export class LicenseSeatSDK {
 
     /**
      * Auto-validation timer ID
-     * @type {number|null}
+     * @type {ReturnType<typeof setInterval>|null}
      * @private
      */
     this.validationTimer = null;
@@ -126,14 +126,14 @@ export class LicenseSeatSDK {
 
     /**
      * Connectivity polling timer ID
-     * @type {number|null}
+     * @type {ReturnType<typeof setInterval>|null}
      * @private
      */
     this.connectivityTimer = null;
 
     /**
      * Offline license refresh timer ID
-     * @type {number|null}
+     * @type {ReturnType<typeof setInterval>|null}
      * @private
      */
     this.offlineRefreshTimer = null;
@@ -145,6 +145,20 @@ export class LicenseSeatSDK {
      */
     this.lastOfflineValidation = null;
 
+    /**
+     * Flag to prevent concurrent syncOfflineAssets calls
+     * @type {boolean}
+     * @private
+     */
+    this.syncingOfflineAssets = false;
+
+    /**
+     * Flag indicating if SDK has been destroyed
+     * @type {boolean}
+     * @private
+     */
+    this.destroyed = false;
+
     // Enable synchronous SHA512 for noble-ed25519
     if (ed && ed.etc && sha512) {
       ed.etc.sha512Sync = (...m) => sha512(ed.etc.concatBytes(...m));
@@ -312,7 +326,7 @@ export class LicenseSeatSDK {
     try {
       this.emit("validation:start", { licenseKey });
 
-      const response = await this.apiCall("/licenses/validate", {
+      const rawResponse = await this.apiCall("/licenses/validate", {
         method: "POST",
         body: {
           license_key: licenseKey,
@@ -321,6 +335,13 @@ export class LicenseSeatSDK {
         },
       });
 
+      // Normalize response: API returns { valid, license: { active_entitlements, ... } }
+      // SDK expects flat structure { valid, active_entitlements, ... }
+      const response = {
+        valid: rawResponse.valid,
+        ...(rawResponse.license || {}),
+      };
+
       // Preserve cached entitlements if server response omits them
       const cachedLicense = this.cache.getLicense();
       if (
@@ -616,12 +637,12 @@ export class LicenseSeatSDK {
    * Test server authentication
    * Useful for verifying API key/session is valid.
    * @returns {Promise<Object>} Result from the server
-   * @throws {Error} When API key is not configured
+   * @throws {ConfigurationError} When API key is not configured
    * @throws {APIError} When authentication fails
    */
   async testAuth() {
     if (!this.config.apiKey) {
-      const err = new Error("API key is required for auth test");
+      const err = new ConfigurationError("API key is required for auth test");
       this.emit("auth_test:error", { error: err });
       throw err;
     }
@@ -643,11 +664,38 @@ export class LicenseSeatSDK {
    */
   reset() {
     this.stopAutoValidation();
+    this.stopConnectivityPolling();
+    if (this.offlineRefreshTimer) {
+      clearInterval(this.offlineRefreshTimer);
+      this.offlineRefreshTimer = null;
+    }
     this.cache.clear();
     this.lastOfflineValidation = null;
+    this.currentAutoLicenseKey = null;
     this.emit("sdk:reset");
   }
 
+  /**
+   * Destroy the SDK instance and release all resources
+   * Call this when you no longer need the SDK to prevent memory leaks.
+   * After calling destroy(), the SDK instance should not be used.
+   * @returns {void}
+   */
+  destroy() {
+    this.destroyed = true;
+    this.stopAutoValidation();
+    this.stopConnectivityPolling();
+    if (this.offlineRefreshTimer) {
+      clearInterval(this.offlineRefreshTimer);
+      this.offlineRefreshTimer = null;
+    }
+    this.eventListeners = {};
+    this.cache.clear();
+    this.lastOfflineValidation = null;
+    this.currentAutoLicenseKey = null;
+    this.emit("sdk:destroyed");
+  }
+
   // ============================================================
   // Event Handling
   // ============================================================
@@ -799,10 +847,18 @@ export class LicenseSeatSDK {
 
   /**
    * Fetch and cache offline license and public key
+   * Uses a lock to prevent concurrent calls from causing race conditions
    * @returns {Promise<void>}
    * @private
    */
   async syncOfflineAssets() {
+    // Prevent concurrent syncs
+    if (this.syncingOfflineAssets || this.destroyed) {
+      this.log("Skipping syncOfflineAssets: already syncing or destroyed");
+      return;
+    }
+
+    this.syncingOfflineAssets = true;
     try {
       const offline = await this.getOfflineLicense();
       this.cache.setOfflineLicense(offline);
@@ -832,6 +888,8 @@ export class LicenseSeatSDK {
       }
     } catch (err) {
       this.log("Failed to sync offline assets:", err);
+    } finally {
+      this.syncingOfflineAssets = false;
     }
   }
 
@@ -931,6 +989,7 @@ export class LicenseSeatSDK {
 
   /**
    * Quick offline verification using only local data (no network)
+   * Performs signature verification plus basic validity checks (expiry, license key match)
    * @returns {Promise<import('./types.js').ValidationResult|null>}
    * @private
    */
@@ -947,7 +1006,32 @@ export class LicenseSeatSDK {
         return { valid: false, offline: true, reason_code: "signature_invalid" };
       }
 
-      const active = parseActiveEntitlements(signed.payload || {});
+      /** @type {import('./types.js').OfflineLicensePayload} */
+      const payload = signed.payload || {};
+      const cached = this.cache.getLicense();
+
+      // License key match check
+      if (
+        !cached ||
+        !constantTimeEqual(payload.lic_k || "", cached.license_key || "")
+      ) {
+        return { valid: false, offline: true, reason_code: "license_mismatch" };
+      }
+
+      // Expiry check
+      const now = Date.now();
+      const expAt = payload.exp_at ? Date.parse(payload.exp_at) : null;
+      if (expAt && expAt < now) {
+        return { valid: false, offline: true, reason_code: "expired" };
+      }
+
+      // Clock tamper detection
+      const lastSeen = this.cache.getLastSeenTimestamp();
+      if (lastSeen && now + this.config.maxClockSkewMs < lastSeen) {
+        return { valid: false, offline: true, reason_code: "clock_tamper" };
+      }
+
+      const active = parseActiveEntitlements(payload);
       return {
         valid: true,
         offline: true,

package/src/types.js

@@ -7,7 +7,7 @@
 /**
  * SDK Configuration options
  * @typedef {Object} LicenseSeatConfig
- * @property {string} [apiBaseUrl="https://api.licenseseat.com"] - Base URL for the LicenseSeat API
+ * @property {string} [apiBaseUrl="https://licenseseat.com/api"] - Base URL for the LicenseSeat API
  * @property {string} [apiKey] - API key for authentication (required for most operations)
  * @property {string} [storagePrefix="licenseseat_"] - Prefix for localStorage keys
  * @property {number} [autoValidateInterval=3600000] - Interval in ms for automatic license validation (default: 1 hour)
@@ -60,10 +60,9 @@
 
 /**
  * Entitlement object
+ * Note: API returns only key, expires_at, and metadata. Name/description are not provided.
  * @typedef {Object} Entitlement
  * @property {string} key - Unique entitlement key
- * @property {string|null} name - Human-readable name
- * @property {string|null} description - Description of the entitlement
  * @property {string|null} expires_at - ISO8601 expiration timestamp
  * @property {Object|null} metadata - Additional metadata
  */
@@ -103,11 +102,15 @@
 /**
  * Offline license payload
  * @typedef {Object} OfflineLicensePayload
+ * @property {number} [v] - Payload version (currently 1)
  * @property {string} [lic_k] - License key
- * @property {string} [exp_at] - ISO8601 expiration timestamp
- * @property {string} [kid] - Key ID for signature verification
- * @property {Array<Object>} [active_ents] - Active entitlements
- * @property {Array<Object>} [active_entitlements] - Active entitlements (alternative key)
+ * @property {string} [prod_s] - Product slug
+ * @property {string} [plan_k] - License plan key
+ * @property {string|null} [exp_at] - ISO8601 expiration timestamp (null for perpetual)
+ * @property {number|null} [sl] - Seat limit (null for unlimited)
+ * @property {string} [kid] - Key ID for public key lookup
+ * @property {Array<{key: string, expires_at: string|null, metadata: Object|null}>} [active_ents] - Active entitlements
+ * @property {Array<{key: string, expires_at: string|null, metadata: Object|null}>} [active_entitlements] - Active entitlements (alternative key)
  * @property {Object} [metadata] - Additional metadata
  */
 
@@ -136,7 +139,8 @@
  * API Error data
  * @typedef {Object} APIErrorData
  * @property {string} [error] - Error message
- * @property {string} [code] - Error code
+ * @property {string} [reason_code] - Machine-readable reason code (e.g., "license_not_found", "expired", "revoked")
+ * @property {string} [code] - Legacy error code (deprecated, use reason_code)
  * @property {Object} [details] - Additional error details
  */
 

package/src/utils.js

@@ -15,8 +15,6 @@ export function parseActiveEntitlements(payload = {}) {
   const raw = payload.active_ents || payload.active_entitlements || [];
   return raw.map((e) => ({
     key: e.key,
-    name: e.name ?? null,
-    description: e.description ?? null,
     expires_at: e.expires_at ?? null,
     metadata: e.metadata ?? null,
   }));
@@ -68,6 +66,7 @@ export function canonicalJsonStringify(obj) {
 
 /**
  * Decode a Base64URL string to a Uint8Array
+ * Works in both browser and Node.js environments.
  * @param {string} base64UrlString - The Base64URL encoded string
  * @returns {Uint8Array} Decoded bytes
  */
@@ -76,7 +75,20 @@ export function base64UrlDecode(base64UrlString) {
   while (base64.length % 4) {
     base64 += "=";
   }
-  const raw = window.atob(base64);
+
+  // Cross-platform base64 decoding
+  /** @type {string} */
+  let raw;
+  if (typeof atob === "function") {
+    // Browser environment (or Node.js 16+ with global atob)
+    raw = atob(base64);
+  } else if (typeof Buffer !== "undefined") {
+    // Node.js environment
+    raw = Buffer.from(base64, "base64").toString("binary");
+  } else {
+    throw new Error("No base64 decoder available (neither atob nor Buffer found)");
+  }
+
   const outputArray = new Uint8Array(raw.length);
   for (let i = 0; i < raw.length; ++i) {
     outputArray[i] = raw.charCodeAt(i);
@@ -117,10 +129,19 @@ export function getCanvasFingerprint() {
 }
 
 /**
- * Generate a unique device identifier based on browser characteristics
- * @returns {string} Unique device identifier
+ * Generate a stable device identifier based on browser characteristics.
+ * The ID is deterministic - same device will produce the same ID across calls.
+ * @returns {string} Stable device identifier
  */
 export function generateDeviceId() {
+  // Check if we're in a browser environment
+  if (typeof window === "undefined" || typeof navigator === "undefined") {
+    // Node.js or non-browser environment - use a fallback
+    const os = typeof process !== "undefined" ? process.platform : "unknown";
+    const arch = typeof process !== "undefined" ? process.arch : "unknown";
+    return `node-${hashCode(os + "|" + arch)}`;
+  }
+
   const nav = window.navigator;
   const screen = window.screen;
   const data = [
@@ -133,7 +154,8 @@ export function generateDeviceId() {
     getCanvasFingerprint(),
   ].join("|");
 
-  return `web-${hashCode(data)}-${Date.now().toString(36)}`;
+  // Stable ID without timestamp - same device produces same ID
+  return `web-${hashCode(data)}`;
 }
 
 /**