tiny-engine-license
v0.1.0
License activation and validation helpers for Tiny Engine packages.
Tiny Engine License
License activation and validation helpers for Tiny Engine commercial packages.
The secure path is signed license tokens: your license server signs the license payload with a private ECDSA P-256 key, and this package verifies it with the matching public key. Keep the private key on your server only.
Licenses are not locked to tiny-engine-pro by default. Set product when a
plugin or app needs to enforce a specific product id; omit it when the same
license token should be accepted across products.
Security model
This package does not try to hide secrets inside the npm package. Client-side JavaScript can always be inspected, modified, or bypassed by a determined user. The secure part is the signature:
- The private signing key stays on your license server.
- The npm package ships only the public verification key.
- License payloads cannot be changed without breaking the signature.
- Expiry, product, email, revocation flags, and feature flags are verified before Pro features are registered.
For stronger protection, validate through your server during activation and periodically re-check active licenses from your Pro package or app.
Secure without obfuscation
This package is designed to stay secure without hiding its source code. It uses signed license tokens, so license data cannot be changed unless the attacker has your private signing key.
That avoids the usual disadvantages of obfuscation:
- No false promise that client code cannot be reverse engineered.
- No bigger bundle from obfuscation transforms.
- No harder debugging for real customers.
- No broken tree-shaking or sourcemaps from aggressive code rewriting.
For actual license integrity, use signed tokens plus server-side activation, revocation checks, and rate limits. Obfuscation can still be added by your Pro package as an optional release step, but it is not required for this package.
Set requireServerValidation: true when signed tokens must also be confirmed by
your server. This is the stronger mode for revocation and stricter enforcement.
Install
npm install tiny-engine-license
Activate before loading Pro features
import { UI } from 'tiny-engine-core';
import { TinyEnginePro } from 'tiny-engine-pro';
import { activateLicense, configureLicense } from 'tiny-engine-license';

configureLicense({
  product: 'tiny-engine-pro',
  endpoint: 'https://license.your-domain.com/activate',
  requireServerValidation: true,
  publicKey: {
    kty: 'EC',
    crv: 'P-256',
    x: '...',
    y: '...',
    ext: true
  }
});

await activateLicense({
  key: 'TEP-XXXX-XXXX',
  email: '[email protected]'
});

UI.use(TinyEnginePro());
Validate inside tiny-engine-pro
import { validateLicense } from 'tiny-engine-license';

// DataGridPro and SchedulerPro are the Pro components being gated; they are defined elsewhere.
export function TinyEnginePro(options = {}) {
  return {
    name: 'tiny-engine-pro',
    async install(UI) {
      // Validate before registering anything, so an invalid license registers no Pro features.
      const license = await validateLicense({
        token: options.licenseKey,
        product: 'tiny-engine-pro'
      });
      if (!license.valid) {
        UI.warn(`Tiny Engine Pro license is invalid: ${license.status}.`);
        return;
      }
      UI.register('datagrid', DataGridPro);
      UI.register('scheduler', SchedulerPro);
    }
  };
}
If options.licenseKey is omitted, validateLicense() checks the active
in-memory token and then the persisted token in localStorage.
API
configureLicense(config)
Sets shared defaults for all calls.
configureLicense({
  product: 'tiny-engine-pro',
  endpoint: 'https://license.your-domain.com/activate',
  requireServerValidation: true,
  publicKey,
  storageKey: 'tiny-engine-pro-license'
});
product is optional. When provided, the token payload must contain the same
product value. When omitted, no product-specific restriction is applied.
activateLicense(options)
Activates a plain key against your server when endpoint is configured. The
server should return { token: "tel_..." } or { license: "tel_..." }.
Valid signed tokens are saved to storage automatically.
Without an endpoint, key is treated as an offline signed token.
validateLicense(input)
Validates a signed token locally, or validates a plain key through endpoint.
When requireServerValidation is true, signed tokens must pass local signature
validation and server validation.
Returns:
{
  valid: boolean;
  status: 'valid' | 'missing' | 'expired' | 'bad-signature' | 'wrong-product' | string;
  reason?: string;
  payload?: LicensePayload;
  token?: string;
}
Other helpers
- clearLicense() removes the active and stored token.
- getStoredLicense() returns the stored token.
- sha256(value) hashes license keys before storing them in payloads.
- generateKeyPair() creates an ECDSA P-256 key pair for development.
- createLicenseToken(payload, privateKey) signs an offline license token.
Signed token format
Tokens look like:
tel_<base64url-json-payload>.<base64url-signature>
Payload example:
{
  "v": 1,
  "licenseId": "lic_123",
  "product": "tiny-engine-pro",
  "plan": "pro",
  "email": "[email protected]",
  "issuedAt": "2026-06-04T00:00:00.000Z",
  "expiresAt": "2027-06-04T00:00:00.000Z",
  "features": ["datagrid", "scheduler"]
}
Build
npm install
npm run build
The build emits ESM, CommonJS, and TypeScript declarations into dist.
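The integrity check described under Security model and Signed token format, sketched for Node.js as an added example (not the package's own code). It assumes the signature is ECDSA P-256 with SHA-256 over the base64url payload text in raw r||s form, which the README does not specify; signToken, checkToken, demo and the 'malformed' status are names made up for this example, and the key pair and tokens are constructed.

```javascript
// Added example, not tiny-engine-license source. Assumed (the README does not say):
// ECDSA P-256 + SHA-256 over the base64url payload text, signature as raw r||s.
const crypto = require('node:crypto');
const b64u = (data) => Buffer.from(data).toString('base64url');
// Stand-in for the license server's signer (hypothetical helper).
function signToken(payload, privateKey) {
  const body = b64u(JSON.stringify(payload));
  const sig = crypto.sign('sha256', Buffer.from(body), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `tel_${body}.${b64u(sig)}`;
}

// Client check: verify the signature first, only then parse and trust the payload.
function checkToken(token, publicJwk, { product, now = new Date() } = {}) {
  const fail = (status) => ({ valid: false, status });
  if (typeof token !== 'string' || token === '') return fail('missing');
  const m = /^tel_([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)$/.exec(token);
  if (!m) return fail('malformed'); // 'malformed' is this example's own status
  const key = crypto.createPublicKey({ key: publicJwk, format: 'jwk' });
  const sig = Buffer.from(m[2], 'base64url');
  const ok = sig.length === 64 &&
    crypto.verify('sha256', Buffer.from(m[1]), { key, dsaEncoding: 'ieee-p1363' }, sig);
  if (!ok) return fail('bad-signature');
  let payload = null;
  try { payload = JSON.parse(Buffer.from(m[1], 'base64url').toString('utf8')); } catch { /* not JSON */ }
  if (payload === null || typeof payload !== 'object') return fail('malformed');
  if (product && payload.product !== product) return fail('wrong-product');
  // Fail closed: a missing or unparsable expiresAt counts as expired.
  if (!(Date.parse(payload.expiresAt) > now.getTime())) return fail('expired');
  return { valid: true, status: 'valid', payload };
}

// Constructed demo: throwaway key pair, payload shaped like the README's example.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jwk = publicKey.export({ format: 'jwk' });
  const payload = { v: 1, licenseId: 'lic_123', product: 'tiny-engine-pro',
    expiresAt: '2027-06-04T00:00:00.000Z', features: ['datagrid', 'scheduler'] };
  const token = signToken(payload, privateKey);
  // Edited payload (later expiry) paired with the signature of the original token.
  const edited = b64u(JSON.stringify({ ...payload, expiresAt: '2099-01-01T00:00:00.000Z' }));
  const tampered = `tel_${edited}.${token.split('.')[1]}`;
  const now = new Date('2026-07-01T00:00:00Z');
  return {
    good: checkToken(token, jwk, { product: 'tiny-engine-pro', now }).status,
    tampered: checkToken(tampered, jwk, { now }).status,
    otherProduct: checkToken(token, jwk, { product: 'other-app', now }).status,
    late: checkToken(token, jwk, { now: new Date('2028-01-01T00:00:00Z') }).status,
  };
}
console.log(demo());
```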
