← back|Architecture Case Study
damiandelmas.com
DOCUMENT 01

License-Key Fulfillment Engine

A provider-agnostic system for assigning digital license keys to orders across multiple regions and certification providers.

AuthorDamian Delmas
RoleSole architect & engineer
Period2025 – 2026
StatusIn production
Scope3 regions · 4 providers
NamesAnonymized
Abstract

This document describes a system that assigns digital license keys to customer orders across several storefronts, financing partners, and regions. It supports multiple certification providers without encoding any of them in its schema or code — provider behaviour is expressed as data and configuration. The system guarantees exactly-once delivery, atomic seat allocation, and region isolation, and records an audit trail for every assigned key.

1

System overview

An order originates in one of five sources: three regional storefronts and two financing channels. Orders are received by an orchestration layer, which sequences calls to a stateless key engine. The engine resolves the ordered product to a set of entitlements, allocates keys from inventory, and confirms the result before delivery.

Keys are stored in a database separate from the business data and are reached only through the engine. The order channel never accesses them directly. A control plane — an operator-facing admin surface and a sync layer — configures the catalogue and imports inventory, but plays no part in the live order path.

Integrations
Storefront · orders & catalogue Financing partner · plans Automation bus · routing Scripting layer · sync jobs Team chat · alerts
Control Plane
Admin surface Sync layer Catalogue ↔ inventory
Configuration only — outside the order path.
Sources
Store · Region A
Store · Region B
Store · TEST
Financing · LNPL
Installments · PAYL
order
Orchestration
Webhook router
Counts payments, sequences calls, gates delivery.
stateless
POST
Key Engine
resolve-product
assign-keys
validate-fulfillment
FIFO
Data Layer
Business DB
products · orders
config · logs
FDW VIEW
Keys DB
keys TABLE
IP-isolated
keys
Delivery
CRM workflow
Sends the keycode email; records a delivery audit entry.
→ Customer inbox
Figure 1.  System topology. The live order path runs left to right; dashed connectors are configuration, not real-time.
2

Problem & constraints

The system serves four certification providers, each selling different products under different codes. Keys exist in three shapes — combined, content-only, and exam-only — and delivery timing differs by channel: immediate for full payment, milestone-staged for installment plans. Keys are partner intellectual property and are imported separately from the product catalogue.

The obvious approach models this diversity directly in the schema. That couples storage to business rules, and every commercial change becomes a migration or a deployment. The table below sets the constraints against the failure modes of a direct model.

Constraints
01
Each provider sells different products under different codes.
02
Keys exist in three shapes: combined, content-only, exam-only.
03
Delivery timing differs: immediate, or staged across payments.
04
Keys are partner IP, imported separately from the catalogue.
Why a direct model fails
Provider enums require a migration for every new provider.
A foreign key from keys to products orphans keys on catalogue rebuild.
Per-channel branching couples business rules to storage.
Catalogue rebuilds churn product rows constantly.
Table 1.  Constraints in play, and the failure modes of modelling them directly.

The schema therefore models none of this. Providers are data, business rules are configuration, and keys are addressed by value, not reference.

3

Design decisions

Three decisions follow from that principle. Together they let the commercial surface — providers, regions, bundles — change without touching the engine or the schema.

3.1 Keys use a natural key, not a reference to products

A key is identified by the natural tuple (region, provider, product_code) and holds no foreign key to a product row. The catalogue is rebuilt from the storefront on a regular cycle; because nothing references a product, a rebuild cannot orphan a key. The two need only agree on a value, so adding a provider or product is an insert with no migration.

Cataloguerebuilt
CERT-A
CERT-B
CERT-A (new id)
join by value
no FK
Keysdurable
A·NASM·CPT
A·NASM·CPT
A·NASM·CPT
Figure 2.  Products may be deleted and recreated; keys persist because they reference no product row.

3.2 Availability is derived from entitlements

Each product declares the access it grants as an entitlement string. There is no separate product-to-key mapping table — the entitlement is the source of truth, parsed at order time into the keys to assign, and the same entitlement drives the live availability count shown on the storefront. If a product has no entitlement, or the keys it points to are exhausted, availability resolves to zero and the product cannot be ordered. The chain fails closed.

SKUwhat is sold
grantaccess it confers
N keyslive availability
No grant configured → availability resolves to 0 → the storefront shows the product out of stock.
Figure 3.  The SKU → entitlement → availability chain. A missing link drives availability to zero.

3.3 Keys are stored behind a data boundary

License keys are partner intellectual property and are held in a database project separate from the business data. The business database exposes them through a foreign-data-wrapper view, so the key engine queries a single table name and does not distinguish local from remote storage. Isolation is structural rather than a matter of discipline — order and product data never share a database with the keys.

Business DBproject A
products orders config keys (view)
FDW · transparent
Keys DBproject B · partner IP
keys TABLE (real)
Figure 4.  Keys live in their own project; the business DB reads them through a view over a foreign data wrapper.
4

Fulfillment flow

The path for a fully-paid order runs through five steps. Every step is stateless and idempotent, so the orchestration layer may retry any call without risk of issuing a key twice.

1
Order placed. A paid order triggers a webhook to the orchestration layer.
source
2
Resolve. The SKU is looked up and its entitlements parsed into items with access levels.
resolve-product
3
Assign. An idempotency check runs, then keys are allocated FIFO under a row lock.
assign-keys
4
Validate. The result is confirmed, the order marked fulfilled, and storefront inventory refreshed.
validate-fulfillment
5
Deliver. The CRM emails the keycodes and records a delivery audit entry.
crm

Installment plans reuse the same engine, releasing access in step with payments rather than all at once: content keys at the first milestone, the exam key on final payment. Intermediate payments deliver nothing.

Payment 1no delivery
Payment 2content key
Payments 3…n−1no delivery
Payment nexam key
Figure 5.  Staged delivery for installment plans. Access is released in step with payment milestones.
5

Reliability & safety

The system handles money and a finite, valuable inventory. The following properties hold regardless of retries, concurrency, or duplicate webhooks.

Property
Mechanism
Guarantee
Exactly-once delivery
Idempotency key per order, payment, and item
A repeated call returns the same keys
No double-allocation
FOR UPDATE SKIP LOCKED
Concurrent orders never share a key
No partial fulfilment
Order fails if any item is unavailable
Customers never get an incomplete order
Region isolation
All lookups scoped by region
A region resolves only its own keys
Auditability
Structured events from every function
Any order reconstructable end to end
Early warning
Alerts on unknown SKUs, missing grants, duplicate webhooks
Operators notified with full context
Table 2.  Correctness and safety properties, with the mechanism enforcing each.
6

Outcomes

The architecture turns several formerly manual or risky operations into routine ones.

A
Onboard a provider with a row insert
No schema migration and no deployment; provider behaviour is configuration.
B
Enable a region with a toggle
Inventory sync and fulfillment marking are per-store flags, changed without code.
C
Keys cannot be oversold
Availability is derived from real inventory; allocation is atomic and idempotent.
D
Every delivery is auditable
Each assigned key and sent email is recorded and queryable by order.
E
Compose arbitrary product bundles
Any combination of entitlements can be packaged as a sellable product without schema changes or inventory modification. The engine resolves the bundle to its component keys at order time.
7

Business impact

The system was designed to decouple revenue growth from operational overhead — built for a $1M → $4.5M ARR expansion across multiple regions and markets. New providers and regions come online through configuration. Custom product bundles require no engineering involvement and are accessible through a mobile interface for the sales team. 20–30 hours of weekly manual operations collapse into a single monitoring surface requiring only periodic inventory imports. The pattern applies to any digital product business with the same shape: multiple suppliers across multiple regions. Commercial velocity, decoupled from engineering capacity.

END OF DOCUMENT Damian Delmas · Systems Architecture · 2025–26