# Decrypt enc_key = HKDF(...).derive(master_key + lic_id.encode()) raw = base64url_decode(payload_b64) nonce, ciphertext = raw[:12], raw[12:] claims_json = AESGCM(enc_key).decrypt(nonce, ciphertext, None) claims = json.loads(claims_json)

# 4. Sign payload signature = signing_key.sign(payload.encode()).signature sig_b64 = base64url_encode(signature)

LIC-2026-001,eyJhbGciOiJFUzI1NiIsImVuYyI6IkEyNTZHQ00ifQ.eyJleHAiOjE5M..., 3f8a9b2c...,2 The payload column contains a JWE-like encrypted JSON object. After decryption, the JSON MUST have the following schema: