CLI

License validation

How ck auth authenticates — the POST to /api/license/validate, the cached credentials in ~/.claudekit/config.json, activation limits, and revocation behaviour.

ck auth turns a license key into a cached credential the CLI uses for every install and update. This page describes exactly how that works.

The validation request

When you run ck auth <license-key>, the CLI sends:

POST https://theclaudekit.com/api/license/validate
Content-Type: application/json
x-ck-activate: 1
 
{ "license_key": "ck_xxxxxxxxxxxxxxxxxxxx" }

The x-ck-activate: 1 header is only sent by ck auth — it consumes one device activation. Re-validation during ck install, ck update, and ck doctor omits the header, so routine use never burns activations. A successful response looks like:

{
  "valid": true,
  "email_masked": "m*****@example.com",
  "kits": [
    {
      "slug": "seokit",
      "version": "1.0.0",
      "updates_until": "2027-06-10T00:00:00.000Z",
      "download_url": "https://theclaudekit.com/api/kits/seokit/download?token=…"
    }
  ],
  "activations": { "used": 1, "limit": 3 }
}
  • valid — whether the key is currently active and within its activation limit.
  • kits — the kits this license unlocks, each with its current version, an update-window date, and a signed download URL the CLI pulls the release zip from. ck install checks this list before downloading.
  • activations — how many of your device activations are used.
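
An added example (not ClaudeKit's own code): a client-side sanity check over the response shown above, run before anything is downloaded or logged. It assumes download URLs stay on theclaudekit.com as in the sample; the function names and the constructed SAMPLE body are illustrative.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

EXPECTED_HOST = "theclaudekit.com"  # host named on this page (assumed for all downloads)

# Constructed sample shaped like the response above; the token is a placeholder.
SAMPLE = """{
  "valid": true,
  "email_masked": "m*****@example.com",
  "kits": [{"slug": "seokit", "version": "1.0.0",
            "updates_until": "2027-06-10T00:00:00.000Z",
            "download_url": "https://theclaudekit.com/api/kits/seokit/download?token=PLACEHOLDER"}],
  "activations": {"used": 1, "limit": 3}
}"""


def redact_url(url):
    """Drop the query string so the signed token never reaches logs."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}?<redacted>" if p.query else url


def check_response(body, now=None):
    """Return (kits, notes): log-safe URLs per kit slug, plus anything worth flagging."""
    now = now or datetime.now(timezone.utc)
    data = json.loads(body)
    kits, notes = {}, []
    if data.get("valid") is not True:
        return kits, ["license not valid"]
    act = data.get("activations", {})
    if act.get("used", 0) >= act.get("limit", 0):
        notes.append("no spare device activations")
    for kit in data.get("kits", []):
        url = urlsplit(kit["download_url"])
        # Refuse plain HTTP and look-alike hosts before fetching a release zip.
        if url.scheme != "https" or url.hostname != EXPECTED_HOST:
            notes.append(f"{kit['slug']}: unexpected download host {url.hostname!r}")
            continue
        until = datetime.fromisoformat(kit["updates_until"].replace("Z", "+00:00"))
        if until < now:
            notes.append(f"{kit['slug']}: update window ended {until.date()}")
        kits[kit["slug"]] = redact_url(kit["download_url"])
    return kits, notes
```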

The cached credentials

On success, the CLI writes your key and entitlement snapshot to:

~/.claudekit/config.json

After this, ck list, ck install, ck update, and ck tokens work without re-entering your key. ck whoami reads this file to tell you who you are authenticated as. Deleting the file logs you out; running ck auth again re-authenticates and re-activates the device.

This file contains a credential — treat it like a password. Do not commit it or share it. If you believe it has leaked, regenerate your key from the dashboard (see below), which invalidates the old one.

Activation limits

A license permits a fixed number of device activations (3 devices by default). Each machine that runs ck auth consumes one activation. When you hit the limit, validation fails with an activation-limit error (exit code 2) and the install is blocked.

To free up an activation, either log out on a machine you no longer use, or regenerate the key from your dashboard, which resets activations. Need more seats than your plan allows? Email hello@theclaudekit.com.

Revocation behaviour

A license is revoked automatically when the underlying purchase ends — a refund, a subscription cancellation or expiry, or a chargeback all revoke access.

When a key is revoked:

  • New ck auth, ck install, and ck update calls fail with a license error (exit code 1).
  • Files already installed on disk stay where they are: ck does not reach into ~/.claude or ./.claude to delete a kit you previously installed. What you lose is the right to install, update, and download new versions, plus dashboard downloads.
  • Re-purchasing or resolving the billing issue re-issues a valid key, and ck auth restores full access.

Offline behaviour

Validation and downloads need outbound HTTPS to theclaudekit.com. Once a kit is downloaded, using it is fully offline: ck tokens reads baked-in manifest counts (or recounts local files with --live), ck whoami reads the local config, and Claude Code runs the installed commands without any network calls back to us. Only fetching new or updated kits requires connectivity. If you are behind a proxy, see the proxy notes in Installation.