TomatoRTC

Source-available. Cryptographically enforced. Fully offline.

License holders receive the full TypeScript source. A signed key file — verified by a closed-source WASM module — is required at runtime on every deployment. No phone-home. No internet required to validate.

ECDSA-P256 signatures Works offline Domain-locked keys Per-tier feature caps

The license key file

A signed payload that carries all your entitlements.

When you purchase a license, you receive a .trtc-license file. It is a compact, base64url-encoded JSON payload with a detached ECDSA signature. Drop it in your deployment and point the SDK at it — nothing else needed.

Not a string token Cryptographically bound Human-readable payload
licenseeId "cust_abc123" — unique identifier, watermarks the key
tier "business" — starter | business | enterprise
features ["core", "sfu", "turn", "recording", "ai-workers"]
aiWorkerCap 20 — enforced in AI worker supervisor
regionCap 3 — enforced in deployment router
domains ["app.acme.com", "staging.acme.com"]
issuedAt Unix timestamp
expiresAt null for perpetual, or Unix timestamp
signature ES256 over entire payload — cannot be forged or modified

Validation

Verified at startup. No network required.

The SDK calls loadLicense() before any room or server can be created. Validation happens inside a closed-source WASM module — fully offline, no license server call needed.

The WASM module embeds the ECDSA public key at compile time. Even with the full TypeScript source, a licensee cannot produce a valid signature.

1

Read key file

WASM module reads .trtc-license from disk (server) or supplied string (browser). No network request.

2

Verify ECDSA signature

ES256 signature checked against the public key hardcoded in the WASM binary. Any modification — even a single character — fails verification.

3

Check expiry and domain

expiresAt compared to current time. Deployment origin checked against domains — mismatch throws immediately.

4

Return LicenseCapabilities

A typed capabilities object is returned. Required parameter for every SDK constructor — will not compile or run without it.

Architecture

One closed-source seam. Everything else is readable.

The TypeScript SDK source is available to license holders. The one component that is not source-available is validator.wasm. This is the seam that makes enforcement meaningful — modifying any TypeScript still hits the WASM boundary.

The capabilities object returned by the WASM module threads through the SDK as a required constructor parameter — not an optional flag. Removing the check means rewriting the TypeScript type system across every constructor.

TypeScript source — packages/ Full source available to license holders. Modifiable for integration and customization.
@rtc-sdk/licensing — TypeScript wrapper Source-available thin wrapper. Calls WASM, exposes LicenseCapabilities type, handles errors.
validator.wasm — closed-source WASM Not source-available. Performs signature verification. Embedded public key. Cannot be modified without replacing the binary.
SignalingServer, RtcClient, subsystems Require LicenseCapabilities at construction. Feature caps enforced at the subsystem level, not a single guard clause.
Source-available to license holders Closed-source binary

Bypass resistance

Every attack path costs more than a license.

No enforcement is mathematically absolute when source is available. The goal is to make bypass more expensive — in effort, risk, and legal exposure — than purchasing a license.

⚡ Modify TypeScript to skip init
TypeScript compiler rejects — LicenseCapabilities is a required parameter type on every downstream constructor. Not a single deletable line.
⚡ Replace validator.wasm
Must write + compile a compatible WASM module that mimics the interface and type contracts. Significant effort; clear EULA §6 violation with DMCA §1201 exposure.
⚡ Forge a key file
Requires Licensor's ECDSA private key, which is never distributed. Cryptographically infeasible without key compromise.
Note
Note Slide context
Circumvention of technical protection measures violates EULA §6 and 17 U.S.C. §1201 (DMCA). Every key carries licenseeId — leaked keys are traceable to their holder. See the licensing architecture reference for full technical detail.

Bypass resistance · continued

Operational and lifecycle protections.

⚡ Share or reuse a key
Every key carries a licenseeId watermark and domain list. A leaked key is traceable to its holder and fails on unauthorized origins.
⚡ Capture an expired key
Eval and pilot keys carry short expiry dates. Perpetual production keys don't expire but are domain-locked — useless outside the licensed origin.
⚡ Downgrade SDK version
Key format is versioned. Old keys are re-signed on renewal. Old SDK + new key or new SDK + old key combinations are rejected by the WASM validator.

Feature unlocks

The key file encodes exactly what your tier permits.

Tier caps are enforced at the subsystem level — AI worker count by the AI supervisor, region count by the deployment router, advanced features by the feature flag in each handler. Exceeding a cap throws a typed LicenseCapabilityError, not a silent failure.

“WHIP/WHEP RTP gateway” in tier tables covers the shipped HTTP media gateway: real SDP negotiation, trickle ICE, producer/consumer wiring, and mediasoup/first-party engine coverage. Production-scale multi-tenant hardening and real-player playback validation remain deployment work — see docs-site/content/signaling.md.

Starter

  • Core signaling
  • Mesh topology
  • SFU (mediasoup)
  • First-party SFU
  • TURN server
  • 2 AI workers
  • 1 region
  • Room recording
  • WHIP/WHEP RTP gateway
  • SIP gateway
  • Wildcard domains

Business

  • Core signaling
  • Mesh topology
  • SFU (mediasoup)
  • First-party SFU
  • TURN server
  • 20 AI workers
  • 3 regions
  • Room recording
  • Wildcard domains
  • WHIP/WHEP RTP gateway
  • SIP gateway

Enterprise

  • Core signaling
  • Mesh topology
  • SFU (mediasoup)
  • First-party SFU
  • TURN server
  • Unlimited AI workers
  • Custom regions
  • Room recording
  • WHIP/WHEP RTP gateway
  • SIP gateway
  • Wildcard domains

Eval & pilot

Try before you commit — scoped, time-boxed, non-production.

Eval and pilot licenses let you validate the SDK against your infrastructure before signing a production EULA. They carry a hard expiry, a limited domain set, and feature caps matching the scoped tier.

Hard expiry

Eval keys expire after 14 days. Pilot keys match the agreed pilot window — typically 30–90 days.

Domain scope

Issued for localhost plus one staging origin. Production traffic rejected at the WASM boundary.

Feature tier match

Pilot feature set mirrors the tier under evaluation — no artificial feature ceiling beyond the target tier.

Watermarked

Every eval key carries a licenseeId. Misuse is traceable. EULA §6 applies from day one.

No phone-home

Air-gapped deployments. No license server dependency.

Validation is entirely local. The WASM binary carries the public key at compile time — there is no license server URL, no heartbeat call, and no runtime network requirement. A deployment with no outbound internet access works identically to one with it.

  • No license server The ECDSA public key is embedded in the WASM binary. Validation is a local cryptographic operation — no HTTP call, no DNS lookup.
  • Air-gap compatible Works in VPCs, private clouds, and fully isolated environments. Meets the requirements of air-gapped government and financial deployments.
  • No heartbeat There is no periodic check-in. Once a perpetual key is validated at startup, the SDK runs indefinitely with no further license calls.
  • Startup-only overhead Validation runs once at process start. The capabilities object is cached in memory for the process lifetime — zero per-request overhead.

Runtime enforcement

Cap violations throw typed errors, not silent degradation.

Feature caps are enforced at the point of use — not at a single door-checker. Exceeding any cap throws a LicenseCapabilityError with a typed reason code, making violations discoverable in development and auditable in production logs.

AI worker cap

Enforced in the AI worker supervisor on spawn(). Throws LicenseCapabilityError("ai-worker-cap-exceeded") with current and permitted counts.

Region cap

Enforced in the deployment router on addRegion(). Attempting to register a fourth region on a Business license throws immediately.

Feature flags

WHIP/WHEP, SIP, and recording handlers check capabilities at handler registration time — not per-request — to fail fast during server boot.

Domain enforcement

Browser SDK checks window.location.origin against the key's domain list at loadLicense(). Invalid origin throws before any WebRTC object is created.

Legal framework

Technical enforcement backed by legal exposure.

Cryptographic controls are one layer. Legal controls are the other. Together they make bypass more costly than a license — not just technically, but financially and legally.

  • EULA §6 Prohibits circumvention of technical protection measures. Breach constitutes immediate license termination plus statutory damages.
  • 17 U.S.C. §1201 (DMCA) Circumventing a technical protection measure — including replacing validator.wasm — is a federal violation independent of the EULA.
  • licenseeId watermark Every key file encodes the licenseeId in the signed payload. A leaked or redistributed key is cryptographically traceable to the original licensee.
  • Key versioning Old keys are invalidated on renewal. Holding a leaked key from a prior period provides no ongoing benefit after the customer re-keys.

A signed key file and source access — issued in one business day.

  1. Choose tier

    Starter ($28k/yr), Business ($84k/yr), or Enterprise ($220k+/yr) — see pricing for full feature breakdown.

  2. Sign the EULA

    Review the EULA at the repository root, countersign, and return to Licensor.

  3. Receive your key

    A .trtc-license file and source repository access issued to your organization within one business day.