Mirror SDK
Official SDK for LicenseChain Pay Mirror Payload (strict mode). Repository: LicenseChain-Mirror-SDK.
npm: @licensechain/mirror-sdk ยท Pay runbook:
MIRROR_PAYLOAD_RUNBOOK.md
Capabilities
- Build Mirror payload with AES-256-GCM encrypted
CLIENT_EMAIL. - Generate checkout URL:
https://pay.licensechain.app/checkout/{productId}?payload=.... - Verify redirect callback HMAC (
status,LCG,signaturequery params). - Call Pay
POST /api/checkout/mirror/validateviaverifyPurchase(). - Examples: JavaScript, PHP, Python, Go, Rust.
Limitations
- Does not create orders or enforce business rules โ your seller backend must approve the sale first.
- Does not charge subscription renewals โ use subscription/charge from your backend.
- Node.js-first; browser use requires a backend route (never embed
callbackSecretclient-side). - Strict mode only โ legacy unsigned checkout flows are out of scope.
Security: callbackSecret
The product callbackSecret (from Dashboard or POST /v1/products) is used to:
- Encrypt Mirror payload fields on your server.
- Verify redirect
signaturequery parameters. - Verify Pay merchant webhooks (
x-lc-pay-signature).
Never expose callbackSecret in frontend bundles, mobile apps, or public repos.
Build payloads and verify signatures only on trusted server routes. Rotate the secret if leaked (product PATCH/PUT).
Signing model details: Webhook & callback signing models.
Strict mode flow
- Seller backend creates order / validates listing (return 4xx with clear message on failure).
- Build payload with
TOKENand encryptedCLIENT_EMAIL. - Redirect buyer to Pay checkout.
- On return, verify callback signature server-side (fail closed).
- Call validate API; fulfill only when
verified: true.
Install & usage
npm install @licensechain/mirror-sdk import {
buildMirrorPayload,
buildMirrorCheckoutUrl,
verifyCallbackSignature,
verifyPurchase
} from "@licensechain/mirror-sdk";
const { payloadBase64Url } = buildMirrorPayload({
thanksPage: "https://seller.example.com/thanks",
cancelUrl: "https://seller.example.com/cancel",
callbackSecret: process.env.MIRROR_CALLBACK_SECRET,
token: "order_8f2a9f0c61",
clientEmail: "buyer@example.com"
});
const checkoutUrl = buildMirrorCheckoutUrl(
"https://pay.licensechain.app",
"YOUR_PAY_PRODUCT_ID",
payloadBase64Url
);