KMS Patterns
Production-hardened key management architectures for license generation, offline grace, and hardware-bound activation.
Offline Grace Cache
Ship an HMAC-signed grace blob that survives network loss. The loader validates the blob against a baked-in public key, checks the machine fingerprint hasn't drifted, and enforces a monotonic wall-clock window. On reconnect, the blob is refreshed transparently.
Hardware-Bound Activation
Derive a stable machine identity from TPM EK, disk serial, and BIOS UUID. The license server signs a challenge-response pair that the loader replays locally. No raw hardware secrets leave the machine.
response = Ed25519_Sign(challenge, k_license)
Key Rotation Without Downtime
Publish a JWK set with overlapping validity windows. The loader fetches the set on startup, caches it, and tolerates one generation of key skew. Revocation is instant via the license server's deny-list.
Circuit Breakers
Token-bucket rate limit on activation attempts. Exponential backoff with jitter on transient failures. If the license server returns 5xx for more than 30 seconds, the loader falls back to the grace cache and alerts the dashboard.
These patterns are used across Meridian's C++ loader and KeyAuth integration. For implementation details, see the Loader Architecture guide.