🦅 Axix Technologies · Software Licensing Infrastructure
Stop Building
Your Own
License Server.
Axix Hawk is a multi-tenant licensing platform for ISVs. Issue RSA-2048 signed licenses, enforce them on customer machines via an on-prem agent, and revoke instantly from a dashboard — with audit trails, webhook events, and Go & Python SDKs included.
RSA
2048-bit signed licenses
48h
Grace period for offline machines
<50ms
License issuance via API
RLS
Zero cross-tenant data leakage
★★★★★
Trusted by ISVs shipping on-prem & industrial software
Start Free Trial
Issue your first license in under 30 minutes
Trusted by ISVs shipping industrial, desktop, and security software worldwide
How It Works
From Signup to Enforced
Licenses in 30 Minutes.
Licenses in 30 Minutes.
Three steps — vendor onboarding, license issuance, and on-prem agent enforcement. No manual infrastructure setup required.
1
Sign Up & Get Your Vendor Console
Your vendor signs up at hawk.yourdomain.com. Axix Hawk auto-provisions a dedicated Keycloak realm, a tenant database with row-level security, and a white-label dashboard. No manual setup. No DevOps required.
2
Issue Licenses from Dashboard or API
Create products, define feature tiers (Starter / Pro / Enterprise), and issue RSA-signed license blobs. Each license is cryptographically bound to a machine ID and signed with a per-tenant RSA-2048 key. License API responds in under 50ms.
3
Agent Enforces It on Customer Machine
Customer installs the axix-agent with a single curl command. The agent verifies the RSA blob offline, sends a heartbeat every 30 minutes, enforces feature gates, and enters a 48-hour grace period if the server is unreachable. Revoke from the dashboard — detected on next heartbeat.
Platform Capabilities
12 Feature Categories.
Nothing You Have to Build.
Nothing You Have to Build.
Every component — agent, SDKs, dashboard, webhooks, billing, observability — ships production-ready. No assembly required.
License Lifecycle Management
Issue, renew, revoke, or bulk-revoke RSA-2048 signed licenses. Each blob carries license_id, machine_id, product, tier, features[], expires_at, tenant_id. Self-verifiable offline — no network call needed.
On-Prem Agent (axix-agent)
Lightweight Go daemon. Verifies RSA signature offline on startup. Heartbeat POST every 30 minutes. 48-hour grace period on server outage. Detects revocation on next heartbeat. Linux x86_64/arm64 + macOS supported.
Go & Python SDKs
Embed in your app. Go SDK: hawk.Init(), client.RequireFeature(), client.Status(), background heartbeat goroutine, zero external deps. Python SDK: identical API, daemon thread, Python 3.9+, single dep: cryptography lib.
Multi-Tenant Architecture + RLS
Every vendor is a completely isolated tenant — separate Keycloak realm, separate RLS policy. PostgreSQL row-level security enforced at the DB level. A bug in app code cannot leak cross-tenant data — the database itself rejects unauthorized reads.
White-Label Vendor Dashboard
Next.js 14 dashboard at app.hawk.yourdomain.com. Overview, license list + status filter, client management, product & tier definition, API key management, webhooks, team SSO, Stripe billing portal. Your branding, your domain.
Webhooks & Event Delivery
Register unlimited endpoints per tenant. Events: license.issued, license.renewed, license.revoked, license.expired, heartbeat.received, heartbeat.failed. Async BullMQ queue with retries. HMAC-signed payloads. Delivery history in dashboard.
Security Infrastructure
RSA-2048 per-tenant keys encrypted with AES-256-GCM. KEY_ENCRYPTION_KEY in AWS Secrets Manager. Tamper-evident audit trail with hash chain. Rate limiting per IP and tenant. Helmet headers. UUID validation on all path params.
Observability Stack
Structured JSON logging (Pino) with tenant_id + trace_id on every request. OpenTelemetry tracing. Prometheus metrics. Grafana dashboards. Jaeger traces. Loki logs. Alertmanager with Slack + PagerDuty receivers.
Keycloak SSO per Tenant
Dedicated Keycloak realm provisioned automatically on signup. MFA (TOTP) enforcement configurable per plan. Brute-force protection enabled. Platform realm for superadmin. Realm cleanup cron removes inactive realms.
Stripe Billing Integration
Stripe Checkout for vendor signup — no custom payment form. Idempotent webhook handler safe to replay. Usage metering job reports seat counts to Stripe. Customer Portal linked from dashboard. Separate price IDs per plan.
Superadmin Platform Dashboard
Operator console at admin.hawk.yourdomain.com. Tenant list with search and filter. Cross-tenant license lookup. Signing key age table across all tenants. Rotate any tenant's key with one click. Separate Keycloak platform realm.
Kubernetes Deployment Ready
45 Kubernetes manifests included. cert-manager + nginx ingress. HPA min 2 / max 10 on platform-api. 5 hardened container images (distroless, non-root, readOnlyRootFilesystem). Trivy + gitleaks + npm audit in CI on every PR.
Pricing
Simple Per-Seat Pricing.
No Usage Surprises.
No Usage Surprises.
All plans include the agent, Go + Python SDKs, and the vendor dashboard. Pay only for licensed seats.
Starter
For small ISVs getting started
$[YOUR PRICE]/mo
Up to [N] licensed seats. Everything you need to ship your first licensed product.
- ✓RSA-2048 license issuance
- ✓axix-agent (Linux + macOS)
- ✓Go + Python SDKs
- ✓License renew & revoke
- ✓Vendor dashboard
- ✓Audit trail
- ✓Email support
⭐ Most Popular
Pro
For growing ISVs with multiple products
$[YOUR PRICE]/mo
Up to [N] licensed seats. Webhooks, multi-product support, observability metrics included.
- ✓Everything in Starter
- ✓Webhook event delivery
- ✓Multiple products & feature tiers
- ✓API key management
- ✓Grafana + Prometheus metrics
- ✓Stripe Customer Portal
- ✓Priority support
Enterprise
For platforms, resellers & large deployments
Contact us
Unlimited seats. Signing key rotation, custom domains, SLA, and on-premise deployment option.
- ✓Everything in Pro
- ✓Signing key rotation API
- ✓Dedicated Keycloak realm per tenant
- ✓Custom domain for vendor dashboard
- ✓On-premise deployment option
- ✓SLA + dedicated support
- ✓45 Kubernetes manifests included
Integration Guide
Integrate in an Afternoon.
Embed the SDK in your application. The agent runs as a system service on the customer machine. SDK communicates with the agent over localhost — not directly with Hawk servers.
// go get github.com/axix-hawk/sdk-go import hawk "github.com/axix-hawk/sdk-go" client, err := hawk.Init(hawk.Config{ ProductID: "my-product", OrgID: "my-org", LicensePath: "/etc/axix/license.axlic", OnRevoked: func() { os.Exit(1) }, OnExpired: func() { log.Fatal("License expired") }, }) if err != nil { log.Fatal(err) } // Gate features by license tier if err := client.RequireFeature("analytics"); err != nil { log.Fatal("analytics not licensed:", err) } // Check current status: active | grace | grace_expired | revoked | expired status := client.Status()
# pip install axix-hawk-sdk from axix_hawk import init, HawkConfig import sys client = init(HawkConfig( product_id="my-product", org_id="my-org", license_path="/etc/axix/license.axlic", on_revoked=lambda: sys.exit(1), on_expired=lambda: sys.exit(1), )) # Gate features by license tier client.require_feature("analytics") # Check current status print(client.status()) # active | grace | grace_expired | revoked | expired
# Install agent on customer machine (one command) curl -fsSL https://api.hawk.yourdomain.com/agent/fingerprint.sh | bash # Place the license file your customer received cp license.axlic /etc/axix/license.axlic # Start the agent (systemd service on Linux) systemctl start axix-agent systemctl enable axix-agent # Check agent status via local HTTP endpoint curl http://localhost:7443/v1/status
Full integration guide, troubleshooting table, and API reference at hawk.yourdomain.com/docs →
Use Cases
Who Uses Axix Hawk?
Built for ISVs whose customers run software on their own machines — not SaaS.
Industrial / OT Software Vendors
You sell software that runs on factory floors, PLCs, or SCADA systems. Your customers cannot use SaaS — everything runs on-prem or in air-gapped environments. Axix Hawk's agent and 48-hour grace period handle exactly this: license enforcement continues even with no internet access.
Desktop Application Vendors
You ship Windows or Linux desktop software to enterprise customers. You need per-machine licensing, feature gating by tier, and the ability to instantly revoke a license if a customer cancels. Axix Hawk handles all of this without you writing a single line of license server code.
Cybersecurity Software Vendors
You ship security tools — endpoint agents, network monitors, threat detection — that run inside customer infrastructure. Your customers are security-conscious and will not accept a SaaS phone-home that sends telemetry. Axix Hawk's agent sends only a signed heartbeat ping. Nothing else leaves the customer network.
ISV Platforms & Resellers
You are building a platform for other ISVs to license their software. Each ISV must be completely isolated — separate keys, separate data, separate Keycloak realm. Axix Hawk's multi-tenant architecture is designed for exactly this: PostgreSQL RLS means one ISV can never read another ISV's data, even with a bug in application code.
Architecture
Built for Production
from Day One.
from Day One.
No prototype shortcuts. Every component ships with observability, security scanning, and Kubernetes manifests.
Backend
Fastify 4 (Node.js) — TypeScript, structured Pino logging, OpenTelemetry tracing
Database
PostgreSQL with Drizzle ORM and row-level security — cross-tenant isolation enforced at DB level
Queue
BullMQ on Redis — async webhook delivery, usage metering jobs, retry queues
Auth
Keycloak (per-tenant realms) + NextAuth v5 — OIDC SSO, TOTP MFA, brute-force protection
Frontend
Next.js 14 + Tailwind CSS + Radix UI — vendor dashboard + vendor portal
Agent
Go 1.22 — distroless Docker image, non-root (UID 1000), Linux x86_64/arm64 + macOS
SDKs
Go (stdlib + crypto only, zero external deps), Python 3.9+ (single dep: cryptography)
Observability
OpenTelemetry + Prometheus + Grafana + Jaeger + Loki + Alertmanager (Slack + PagerDuty)
Secrets
AWS Secrets Manager via ExternalSecrets Operator — KEY_ENCRYPTION_KEY never in env files
Deployment
Kubernetes (EKS/GKE/DigitalOcean) — 45 manifests, cert-manager, nginx ingress, HPA
CI/CD
GitHub Actions — lint, typecheck, unit, integration, security scans, GHCR image push
Security Scan
gitleaks (pre-commit + CI), npm audit (high+ blocks PR), Trivy on all 5 container images
Security
Security Is Not a Feature.
It Is the Foundation.
It Is the Foundation.
Every cryptographic decision, infrastructure choice, and CI gate was made with production ISV deployments in mind.
RSA-2048 Per-Tenant Signing Keys
Every license is cryptographically signed with a dedicated per-tenant RSA key pair — not just hashed. Machine-bound. Unforgeable.
AES-256-GCM Key Encryption at Rest
Private keys encrypted before being stored in the database. Raw key material never touches the filesystem or logs.
AWS Secrets Manager for KEK
Key Encryption Key stored in AWS Secrets Manager — rotatable without downtime. Never in the codebase, env files, or CI variables.
PostgreSQL Row-Level Security
Cross-tenant data leakage is impossible at the database level — not just the application layer. A bug in app code cannot expose another tenant's data.
Tamper-Evident Audit Trail
Hash chain links every license event. Any tampering — insertion, deletion, modification — is detectable. SOC 2-ready.
Signing Key Rotation (Enterprise)
POST /v1/signing-keys/rotate generates a new RSA key pair with zero downtime. Existing licenses remain valid until expiry. Re-issue flow available.
UUID Validation + Rate Limiting
All :id path parameters validated as UUIDs — injection and enumeration attacks blocked before DB. Rate limiting per IP and per tenant.
Container Hardening
Distroless images, non-root user (UID 1000), readOnlyRootFilesystem on all 5 production images. Trivy scanning on every PR.
gitleaks + npm audit in CI
Pre-commit hook + CI gate prevents secrets from ever reaching the repo. npm audit (high+ severity) blocks every pull request.
Why Axix Hawk
Why Not Build It Yourself?
Here is what an in-house license server actually costs — honest estimates from teams that have tried.
| Capability | Axix Hawk | Build Your Own |
|---|---|---|
| RSA license signing | ✓ Included, per-tenant | 2–4 weeks to implement |
| On-prem agent with grace period | ✓ Included, cross-platform | 4–8 weeks |
| Go + Python SDKs | ✓ Included | 4–6 weeks per language |
| Multi-tenant isolation (RLS) | ✓ PostgreSQL RLS + Keycloak realms | Extremely complex, high risk |
| Webhook event delivery | ✓ Included with retry | 1–2 weeks |
| White-label vendor console | ✓ Included | 8–16 weeks |
| Signing key rotation | ✓ One API call | 2–4 weeks |
| Audit trail with hash chain | ✓ Included | 2–3 weeks |
| Kubernetes deployment | ✓ 45 manifests included | 4–8 weeks |
| Ongoing security maintenance | ✓ Handled | Yours forever |
| Time to first license issued | ✓ ~30 minutes | 6–12 months |
FAQ
Common Questions.
No. The only outbound network call from the agent is a POST /v1/heartbeat with: license_id, machine_id, agent_version, sdk_version. No telemetry, no usage data, no personally identifiable information. Nothing else leaves the customer network.
The agent enters a 48-hour grace period and continues operating normally. If the server is still unreachable after 48 hours, the license enters grace_expired status and the agent enforces shutdown. The grace period duration is configurable.
No. The license blob is RSA-signed and includes the machine_id. The agent verifies the signature and checks that the machine_id in the blob matches the actual machine fingerprint on startup. A copied license fails verification on a different machine.
Every tenant has a dedicated RSA-2048 key pair. The private key is encrypted with AES-256-GCM before being stored in the database. The encryption key (KEY_ENCRYPTION_KEY) is stored in AWS Secrets Manager and never appears in the codebase, environment files, or logs.
The POST /v1/signing-keys/rotate endpoint (Enterprise) generates a new RSA key pair, encrypts and stores the new private key, and returns the new public key PEM. Existing licenses signed with the old key remain valid until expiry. New licenses are signed with the new key. A re-issue flow is available for customers who need immediate key migration.
Yes. Each tenant gets a dedicated Keycloak realm with custom branding. The vendor dashboard is deployed at your domain and shows your branding. You can point a custom subdomain (app.mycompany.com) at the vendor dashboard for each of your customers.
Yes. The Enterprise plan includes an on-premise deployment option. All Kubernetes manifests, Helm chart values, and deployment runbooks are provided. The platform runs on any Kubernetes cluster — EKS, GKE, DigitalOcean, or on-prem.
License generation via the API typically responds in under 50ms. Webhook delivery is asynchronous and typically arrives within 2–5 seconds after the license event is triggered.
The axix-agent is a standalone daemon that runs on the customer machine and handles license verification, heartbeat sending, and status caching. The Go and Python SDKs communicate with the local agent over HTTP at :7443. You embed the SDK in your application; the agent runs as a system service. The SDK does not communicate directly with the Axix Hawk platform — all network communication goes through the agent.
Ready to Stop Building
License Servers?
Sign up in 2 minutes. Issue your first RSA-signed license in 30. No credit card required for the free trial.
🦅
Hawk Assistant
● Online · Axix Technologies
Hi! I'm the Axix Hawk assistant. What can I help you with?
🦅