Documentation

BoltHash Developer Docs

Everything you need to protect your Node.js application, issue and manage licenses, and ship protected software to clients.

Quick Start

Install bolt and protect your first app in 5 minutes

User Workflow

Full workflow for project owners and developers

Client Workflow

How end-users receive and run protected apps

CLI Reference

All bolt commands and options

Quick Start (5 minutes)

  • Install: Download the bolt binary from the Download page for your OS. Double-click to install.
  • Set your license: bolt set license BH-XXXX-XXXX-XXXX-XXXX — get your key from the Dashboard.
  • Protect your project: cd my-app && bolt protect --yes — obfuscates source, generates __bolt_manifest.json with SHA-256 hashes.
  • Run with protection: bolt start — verifies license, checks file integrity, and auto-detects your framework to launch.
  • Ship to clients: Send the protected output + a license key. Clients run bolt set license KEY then bolt start.
Your protected app will refuse to run if the license is expired/revoked, files are tampered with, or the device is not authorized.
Shortcut (v2.3): Use bolt init for interactive setup, then bolt up — it auto-detects whether to protect or start.

Installation

Prerequisites

  • Node.js 18+ (for your app — the bolt CLI is a standalone binary)
  • A BoltHash account (free tier available)

Option A: Download binary (recommended)

# Windows — double-click the .exe, or from terminal:
.\bolt-hash-premium-win-x64-v*.exe
# macOS / Linux
chmod +x ./bolt-hash-premium-*-v*.bin
./bolt-hash-premium-*-v*.bin

Option B: npm install

npm install -g bolt-hash
After install: Open a new terminal window, then verify: bolt --version

User Workflow (Project Owner / Developer)

Full workflow for developers who build and ship protected Node.js apps.

Step 1 — Install & Activate

bolt set license BH-XXXX-XXXX-XXXX-XXXX
bolt status

Step 2 — Protect your project

cd my-node-app
bolt protect --yes   # protect current directory
bolt up              # auto-detect: no manifest → protect, has manifest → start

Step 2b — Protect SPA build output (React / Vue / Angular)

npm run build
bolt protect-dist
bolt start-spa --port=3000

Step 3 — Test locally

cd protected_output
bolt start

Step 4 — Ship to clients

  1. Send the protected output directory (not your original source)
  2. Generate a license key from the Dashboard
  3. Give the client the key — they run bolt set license KEY then bolt start

Client Workflow (End User / Licensee)

Workflow for people who receive a protected app and a license key from a developer.

  • Install bolt: Download from /download or npm i -g bolt-hash.
  • Set your license key: bolt set license BH-XXXX-XXXX-XXXX-XXXX
  • Run the app: cd protected-app && bolt start — verifies license online, checks integrity, launches app.
  • Check status: bolt status — shows license info, plan, expiry, device count.
Runtime protection: bolt periodically verifies the license (heartbeat). If your key is revoked or expired, the app will shut down after a grace period.

Security Warnings

Disable Source Maps in Production Builds

Source maps expose your original, unobfuscated source code. Ship without them.

Build ToolHow to Disable
Vitebuild: { sourcemap: false }
Webpackdevtool: false
Create React AppGENERATE_SOURCEMAP=false
Next.jsproductionBrowserSourceMaps: false (default off)
Nuxtsourcemap: false in vite.build
Angularng build --source-map=false
Secrets and .env Handling

bolt does not encrypt .env values. For sensitive secrets (API keys, DB creds), use a dedicated config module backed by a secret manager or platform-level environment injection.

  • Never commit .env to source control.
  • Never include .env in distributable client artifacts.
  • Use CI secret stores for BOLT_LICENSE_KEY / BOLT_HASH_SECRET.
  • Rotate secrets immediately if leakage is suspected.

CLI — bolt protect

Obfuscates source files, computes SHA-256 hashes, and creates a signed integrity manifest.

cd my-app
bolt                   # interactive
bolt protect --yes     # non-interactive (CI-friendly)
What it doesDetails
ObfuscationIdentifier renaming, string encryption, control flow flattening, dead code injection
Integrity manifestSHA-256 hash of every file → __bolt_manifest.json
HMAC signingManifest signed with auto-generated secret in ~/.bolt/config.json
Server signatureManifest hash sent to server, Ed25519 signature returned

CLI — bolt protect-dist

Hash a pre-built SPA output directory. Use after npm run build.

npm run build
bolt protect-dist     # auto-detects framework and build output dir

CLI — bolt start / start-spa / run

bolt start                 # Node.js app
bolt start-spa --port=3000 # SPA static server
bolt run dev               # npm script with protection
Runtime checkDetails
License verificationOnline check — validates key, plan, expiry
File integrityRe-computes SHA-256 and compares against manifest
HeartbeatPeriodic ping — detects key sharing / revocation
Device bindingHardware fingerprint bound to license key

CLI — bolt set / config / status

CommandDescription
bolt set license BH-XXXXSet license key
bolt set server https://...Set custom server URL (self-hosted)
bolt set secretGenerate/rotate manifest signing secret
bolt config --showShow all settings including manifest secret
bolt statusCheck license status, plan, expiry, device count
bolt installInstall bolt binary to PATH

CLI — BGit (Version Control)

Built-in version control for protected source, stored on the BoltHash server.

CommandDescription
bolt git init PROJECT_IDInitialize BGit for this directory
bolt commit -m "message"Commit + push snapshot to server
bolt push -m "message"Alias for commit
bolt pullDownload + extract latest HEAD snapshot
bolt logShow commit history
bolt rollback --hash HASHRoll back to a previous commit
bolt branch list / create / switch / deleteBranch management
bolt git storageShow storage usage

Node.js version pinning per commit

bolt commit -m "release v2.0" \
  --node-version-win 22.14.0 \
  --node-version-linux 22.14.0 \
  --node-version-mac 22.14.0

CLI — bolt up / init (v2.3)

CommandDescription
bolt initInteractive project setup wizard
bolt upAuto-detect: no manifest → protect; manifest exists → start
Fastest workflow: bolt init once, then bolt up every time.

BGit API — GET /api/bgit/node-versions

Returns live Node.js releases fetched from nodejs.org. No authentication required.

GET /api/bgit/node-versions

// Response
{
  "latest":    "22.14.0",
  "latestLts": "22.14.0",
  "versions": [
    { "version": "22.14.0", "lts": "Jod", "date": "2025-02-11", "security": false },
    ...
  ]
}

BGit API — POST /api/bgit/projects/:id/commits

{
  "message":          "release v2.0",   // required
  "branch":           "main",           // optional
  "manifestHash":     "sha256hex...",   // required
  "snapshot":         "base64zip...",   // required
  "nodeVersionWin":   "22.14.0",        // optional
  "nodeVersionLinux": "22.14.0",        // optional
  "nodeVersionMac":   "22.14.0"         // optional
}

BGit API — GET /api/bgit/projects/:id/commits

{
  "id":                "a1b2c3d4...",
  "branch":            "main",
  "message":           "release v2.0",
  "node_version_win":  "22.14.0",
  "node_version_linux":"22.14.0",
  "node_version_mac":  null
}

CI/CD Integration

GitHub Actions

- name: Protect with BoltHash
  env:
    BOLT_LICENSE_KEY: ${{ secrets.BOLT_LICENSE_KEY }}
  run: |
    curl -sSL "${{ secrets.BOLT_DOWNLOAD_URL }}" -o bolt && chmod +x bolt
    ./bolt set license $BOLT_LICENSE_KEY
    cd my-app && ../bolt protect --yes

GitLab CI

protect:
  stage: build
  script:
    - curl -sSL "$BOLT_DOWNLOAD_URL" -o bolt && chmod +x bolt
    - ./bolt set license $BOLT_LICENSE_KEY
    - cd my-app && ../bolt protect --yes
CI best practice: Inject secrets from your CI vault. Never store long-lived credentials in repo-level .env files.

REST API Overview

All endpoints are under your server URL (default: https://hash.boltopen.com/api/). Authenticate with X-API-Key header.

EndpointDescription
GET /api/projectsList projects
POST /api/projectsCreate a project
GET /api/projects/:id/licensesList license keys for a project
POST /api/projects/:id/licensesGenerate a new license key
PUT /api/licenses/:id/toggleEnable or disable a license key
POST /api/verifyVerify a license key server-side
POST /api/signSign a source hash with your project key
GET /api/versionGet server version
GET /api/bgit/node-versionsList Node.js releases (live from nodejs.org, cached 1h)
POST /api/bgit/projects/:id/commitsPush a BGit commit
GET /api/bgit/projects/:id/commitsList commits
See Production Hardening Checklist for a pre-release self-audit workflow.

Desktop apps provide a graphical interface for the full BoltHash workflow. Bolt Dev is for developers; Bolt Client is for end users.

Bolt Dev

For developers — manage projects, licenses, BGit, and deployment

 Download

Installation

  • Download Bolt Dev from the Download page. Windows installer (.exe).
  • Run the installer — double-click the .exe and follow the setup wizard.
  • Sign in with your BoltHash account on first launch.

First-Time Setup

On first launch, Bolt Dev will prompt you to connect your BoltHash account. Enter your email and password, or use the "Open in browser" flow to authenticate. Your session is stored securely on your device.

Managing Projects

The Projects tab lists all your BoltHash projects. Each project has a unique ID and Ed25519 signing key pair.

  • Click New Project to create one. Choose a name and select your source directory.
  • Click Protect on any project to run bolt protect — Bolt Dev shows real-time output in the build log panel.
  • The Status badge shows the last build result: Success / Warning / Error.

License Key Management

The Licenses tab for each project lets you generate, view, toggle, and revoke license keys.

  • Click Generate Key to create a new BH-XXXX-XXXX-XXXX-XXXX license. Set max devices and expiry date.
  • Toggle the switch to enable or disable a key instantly.
  • The Active Devices column shows how many machines are currently using this key.
  • Click Revoke to permanently disable a key — the associated app will stop running within the heartbeat interval.

BGit Deployment

The BGit tab manages version-controlled deployments. Each commit is a snapshot of the protected output pushed to the BoltHash server.

  • Click Commit & Push to create a new release snapshot. Add a commit message and optionally pin a Node.js version per OS.
  • The Commits list shows hash, message, date, Node.js versions, and download count.
  • Click Rollback on any commit to make it the current HEAD — clients pulling the latest will receive this version.
  • Click Branch to manage deployment channels (e.g., main, beta).
Clients using Bolt Client will automatically receive the latest BGit HEAD on next launch (if auto-update is enabled by the developer).

Bolt Client

For end users — activate, download, and run protected apps

 Download

Installation

  • Download Bolt Client from the developer who sold you the software, or from /download. Windows installer (.exe).
  • Run the installer — double-click and follow setup. No BoltHash account needed.

Activating a License

On first launch, Bolt Client shows a license activation screen.

  • Enter the BH-XXXX-XXXX-XXXX-XXXX key provided by your software developer.
  • Click Activate. Bolt Client connects to the BoltHash server to validate the key and register your device.
  • If the key is valid, the app library is unlocked.
Each license key has a device limit set by the developer. If you exceed it, activation will fail. Contact the software developer for an additional seat.

Running Protected Apps

The main screen of Bolt Client shows all licensed apps available to you.

  • Click Launch next to an app to start it. Bolt Client verifies the license and integrity before launch.
  • The Update badge appears when the developer has pushed a new BGit commit. Click to download and install.
  • If an app fails to launch (invalid license, tampered files, revoked key), a clear error message explains the reason.

Sharing Bolt Client with Your Customers

Bolt Client is free and can be distributed to any number of customers. As a developer, share the Bolt Client installer directly or link to /download.

No BoltHash account is needed to use Bolt Client. Your customers just need their license key and the app.

Security Warnings

Disable Source Maps in Production Builds

Source maps expose your original unobfuscated source. Always disable before shipping.

Secrets and .env Handling

bolt does not encrypt .env values. Use a secret manager for sensitive credentials. See Production Hardening Checklist.

Hardware Fingerprinting Limits

Hardware fingerprinting raises the cost of attack but is not unbreakable. A sophisticated attacker with kernel-level access can spoof hardware identifiers.

Security Whitepaper

The full security whitepaper covers BoltHash's threat model, security architecture (with diagram), cryptographic design (SHA-256, HMAC, Ed25519), and a complete attack surface analysis.

Threat Model

Source exfiltration, license bypass, unauthorized redistribution

Security Architecture

Full pipeline diagram: developer → server → customer

Cryptographic Design

SHA-256 integrity, HMAC manifest signing, Ed25519 server signature

Attack Model

What BoltHash protects — and what it does not
 Read Full Security Whitepaper

Production Hardening

Use the Production Hardening Checklist to run a pre-release self-audit before shipping to customers.

 Open Hardening Checklist