Available now Web app · self-hosted on your server

🔑 Keymaster

Self-hosted license server: signed keys, seat limits, secure downloads — no platform cut.

Keygen.sh starts at $99/month. Gumroad takes 10% plus 50 cents of every sale you make. Keymaster is a self-hosted licensing server — ed25519-signed keys your apps verify completely offline, seat limits with machine fingerprints, expiring signed download URLs, HMAC webhooks — for a one-time $49 on your own $5 VPS. Your keys, your keypair.

from $99/mo forever $49once
Keymaster screenshot

Keymaster, as it actually looks — a real screenshot, not a mockup.

What's in the box

Features

Ed25519-signed keys

KM1.. format — self-describing, verifiable offline with just the public key. The keypair is generated on first boot; you own it.

Seat limits & fingerprints

Activation API with machine fingerprints, idempotent re-activation, deactivate to free a seat, signed activation receipts for offline runs. Stable, versioned /api/v1.

Offline validation snippets

Zero-dependency Node and browser/WebCrypto verifiers ship in the repo, and the key format is documented byte-for-byte so you can port it to any language.

Products & versions

Semver releases with artifact upload or external URLs. Customers download via signed URLs that expire in 15 minutes — artifacts are never exposed statically.

Activation webhooks

Per-product URL + secret, HMAC-SHA256 X-Keymaster-Signature header, 3 retries with backoff, and a full delivery log in the dashboard.

Admin dashboard

Stats and activation chart, license search, issue / bulk-issue / revoke, per-activation deactivate, webhook delivery log.

Customer portal

/license/ shows status, seats and a download button — no customer accounts to create or manage.

100% yours

SQLite plus Node built-in crypto — zero native crypto deps, no telemetry, no external services. One Express process on a $5 VPS.

The receipt

Keymaster vs Keygen

Keygen at from $99/mo runs roughly $1188/year — $2,376 over two years. Keymaster is $49, once.

KeymasterKeygen
Price$49 oncefrom $99/mo ($1,188/yr) — Gumroad: 10% + 50¢/sale
Cost at $10k/yr in sales$49 totalKeygen $1,188/yr · Gumroad ~$1,050/yr
Your own signing keypairYes — generated on your boxNo — managed for you
Offline validationYes, ed25519Yes
Seat limits + fingerprintsYesYes
Signed expiring downloadsYes (15-min TTL)Yes
Self-hosted / your dataYes — SQLite on your VPSNo
Source codeMIT, on GitHubClosed (hosted)

Against Keygen's $99/mo entry tier, Keymaster pays for itself in 15 days. Against Gumroad's 10% cut, it pays for itself on your first ~$500 of sales.

Setup

Three steps, no subscription

STEP 01

Buy once on Whop

One-time $49 for the packaged, ready-to-run version with a Windows installer and priority support.

STEP 02

Deploy and integrate

docker compose up on a $5 VPS, then drop the 20-line verification snippet into your app with your public key embedded at build time.

STEP 03

Issue keys, ship builds

Issue or bulk-issue licenses from the dashboard, wire the webhook into Stripe or Whop, and let customers download through expiring signed URLs.

FAQ

Honest answers

Is it really free on GitHub?

Yes — MIT source at github.com/bensblueprints/keymaster, always. $49 buys the packaged installer, updates and priority support. We dogfood it: the onetime-suite's own premium tiers run on Keymaster.

Can offline validation catch revoked keys?

No — and the docs say so upfront. An offline check proves a key is authentic and unexpired; it can't see revocations or seat counts. The shipped snippets show the recommended hybrid: verify offline instantly, check in online periodically, apply a grace period.

Why not just use Keygen?

If you want managed infrastructure, multi-region uptime and someone else holding the pager, Keygen is a solid product — that's what $99+/month buys. Keymaster is for sellers who'd rather own the keypair, the data and the bill: one Node process and a SQLite file on a $5 VPS.

What happens if I lose my signing key?

Back up data/keys/signing.pem — seriously. Your keys verify against that keypair; lose the private key and you can never issue new keys that pass validation in apps you've already shipped.

How hard is the app-side integration?

About 20 lines: copy the zero-dependency verifier snippet, embed your public key at build time, verify offline, then POST one activation call with a machine fingerprint. Full API docs plus a Stripe/Whop key-issuing recipe are in the repo.

Deep-dive comparisons:

Own Keymaster forever

$49 once. Deploy on your own server — your data never leaves it. No renewal, no account with us, no meter. Or build it yourself from the MIT source — it's the same app.