Integration
Licensing is unusually decoupled: it makes no outbound HTTP calls to sister services and consumes no events. Its entire cross-service contract is the signed certificate it writes to Redis, which
@nx/core'sLicenseMiddleware(running inside every other service) reads.
1. Sister Services
Direction:→calls /←called by /↔bidir.
| Sister | Direction | Surface | Contract | Auth | Failure Mode | Idempotency |
|---|---|---|---|---|---|---|
@nx/identity | → | JWKS endpoint (APP_ENV_JWKS_REST_PATH) | JWT verification (VerifierApplication) | — (public keys) | request fails 401 if JWKS unreachable | n/a |
@nx/core | ↔ | In-process library — schemas, repositories, LicenseCertSignerHelper (sign), LicenseMiddleware (verify) | compile-time dependency | — | n/a | n/a |
| All verifier services (sale, commerce, inventory, …) | ← | Redis key lic:certs:<type>:<id> | cert envelope | Ed25519 signature + AES secret | fail-open → null license context | last-write-wins |
There is no licensing client SDK called by sisters at runtime.
APP_ENV_LICENSING_SERVICE_BASE_URLexists in core's env registry but the runtime licensing checks are done from the cached certificate, not by calling licensing.
2. External Systems
| System | Direction | Surface | Auth | Failure Mode |
|---|---|---|---|---|
| Redis | → (write) / ← (read by consumers) | SET/GET lic:certs:* | Redis password | write failure logged; cert still stored on License.certificate row |
| PostgreSQL | ↔ | licensing schema via Drizzle | DB credentials | transactional; rollback on error |
3. Critical Cross-Service Flows
3.1 License state change propagates to all consumers
| Step | Detail |
|---|---|
| 1–2 | Suspend transaction commits, then publishCertificate() re-signs with the new status |
| 3 | New cert overwrites the Redis key (last-write-wins) |
| 4–6 | Next consumer request pulls the fresh cert; no call to licensing needed |
Propagation lag = up to the existing cert's remaining TTL only if re-publish is skipped (e.g. keys not configured). With keys configured, propagation is immediate on the next consumer request.
4. Contract Stability
| Surface | Stability | Versioning |
|---|---|---|
REST /v1/api/licensing/* | stable | URL /v1/ |
Redis cert key lic:certs:<type>:<id> | stable | — (key shape fixed in both signer + middleware) |
Cert envelope alg field | stable | aes-256-gcm+ed25519; verifier rejects unknown alg |
Cert payload ILicenseCertificatePayload | stable | additive only (no version field — coordinate changes across @nx/core) |