Mirror SDK

Official SDK for LicenseChain Pay Mirror Payload (strict mode). Repository: LicenseChain-Mirror-SDK.

npm: @licensechain/mirror-sdk ยท Pay runbook: MIRROR_PAYLOAD_RUNBOOK.md

Capabilities

  • Build Mirror payload with AES-256-GCM encrypted CLIENT_EMAIL.
  • Generate checkout URL: https://pay.licensechain.app/checkout/{productId}?payload=....
  • Verify redirect callback HMAC (status, LCG, signature query params).
  • Call Pay POST /api/checkout/mirror/validate via verifyPurchase().
  • Examples: JavaScript, PHP, Python, Go, Rust.

Limitations

  • Does not create orders or enforce business rules โ€” your seller backend must approve the sale first.
  • Does not charge subscription renewals โ€” use subscription/charge from your backend.
  • Node.js-first; browser use requires a backend route (never embed callbackSecret client-side).
  • Strict mode only โ€” legacy unsigned checkout flows are out of scope.

Security: callbackSecret

The product callbackSecret (from Dashboard or POST /v1/products) is used to:

  • Encrypt Mirror payload fields on your server.
  • Verify redirect signature query parameters.
  • Verify Pay merchant webhooks (x-lc-pay-signature).

Never expose callbackSecret in frontend bundles, mobile apps, or public repos. Build payloads and verify signatures only on trusted server routes. Rotate the secret if leaked (product PATCH/PUT).

Signing model details: Webhook & callback signing models.

Strict mode flow

  1. Seller backend creates order / validates listing (return 4xx with clear message on failure).
  2. Build payload with TOKEN and encrypted CLIENT_EMAIL.
  3. Redirect buyer to Pay checkout.
  4. On return, verify callback signature server-side (fail closed).
  5. Call validate API; fulfill only when verified: true.

Install & usage

npm install @licensechain/mirror-sdk
import {
  buildMirrorPayload,
  buildMirrorCheckoutUrl,
  verifyCallbackSignature,
  verifyPurchase
} from "@licensechain/mirror-sdk";

const { payloadBase64Url } = buildMirrorPayload({
  thanksPage: "https://seller.example.com/thanks",
  cancelUrl: "https://seller.example.com/cancel",
  callbackSecret: process.env.MIRROR_CALLBACK_SECRET,
  token: "order_8f2a9f0c61",
  clientEmail: "buyer@example.com"
});

const checkoutUrl = buildMirrorCheckoutUrl(
  "https://pay.licensechain.app",
  "YOUR_PAY_PRODUCT_ID",
  payloadBase64Url
);

Related