License Management#


GW is Gateway, LM is License Manage.

How it works?#

You should install the roq-tools package and then generate your own public/private keys using the roq-keygen (from roq-tools). You will have to communicate your public key to Roq so it can be associated with your license agreement.

These are the steps

  • GW computes SHA256 hash of the sorted set of configured logins

  • GW creates a sealed request using its private key

  • GW sends the request and your public key to LM

  • LM opens the sealed request using its private key

  • LM matches the public key to an existing license agreement

  • LM responds to GW with HTTP status code 200 and an access token if a license can be locked

  • LM responds to GW with HTTP code 400 if

    • there is no associated license agreement

    • there are no available licenses

  • GW will on success (200) replace the locally cached access token


Logins are typically the API keys you use to identify yourself to an exchange. We only use the logins to hash the config file, NEVER secrets and passphrases.


GW’s are currently allowed to start with all features enabled but will terminate after a pre-configured timeout period if no valid access token can be acquired.


GW’s may indicate an ideal lock-period. This is only a hint and the LM is allowed to override.

If you change your config, and you have no more available licenses, please wait until a previously locked license becomes free.

This could have implications for up-time. In order to guarantee maxium up-time, you may wish to request a relatively long lock period, e.g. a day or a week.

However, you may not be able to restart your GW (with all features enabled) if you then find that you have to change an API key on the exchange. The only way to refresh the access token is then to contact Roq support.

Service interruption?#

Internet services are unstable and the design should allow for gateways to function without being able to contact the license manager.

This is done by locally caching the acquired access token. Each access token contains a valid period which takes into account what empirically should be a safe margin for interruptions.

The gateway will use a cached access token to allow operation with all features enabled until the access token expires.


GW’s will terminate after access token expiry if the token can not be refreshed.

Worst case?#

Contact Roq support staff and request an access token.

Is it safe?#

  • The request message contains a SHA256 of the sorted set of logins. This hash does not reveal any secrets from your configuration file.

  • You generate your own public/private key pair (using roq-keygen). Nobody else can request an access token using your license if you keep your private key safe.

  • GW’s access to the license manager provide some privacy by using TLS, but it will NOT validate the certificate. If you so wish, you can intercept all communication and verify what is being transmitted.

  • GW’s can be instructed to only fetch the access token. You can then specify the config file and leave out the secrets file, if you so wish. (The important thing is that the hash of the logins match what will be used in live mode.)

What exactly is being sent?#

  • Public key

  • Package name, version, build number

  • API flag (if present)

  • Service name (optionally)

  • Config hash

  • PID

  • Host description (the HOST environment variable package was compiled)

  • Kernel and operating system (equivalent to the results from this command: uname -srv)