What SubSovereign is

Sovereign, self-hosted subscription & entitlement infrastructure. You validate purchases from any app store β€” Apple, Google, Amazon, Roku, Stripe β€” grant the right access, and keep your own billing data. No revenue share, no third party holding your customers.

What it does

  • Validates store receipts and keeps entitlements live via store server-notifications.
  • Builds, serves and A/B-tests paywalls across every platform.
  • Bring-your-own billing bridge for any payment provider.
  • Multi-tenant back office, GDPR tooling, and AI insights via Merlyn.

Core concepts

πŸ“±

Apps & API keys

Each app gets an SDK key (shipped in the app, runtime only) and a dashboard login (you, org-scoped). The SDK key can never read business data.

🎚️

Access levels (tiers)

Define the tiers you sell β€” e.g. Free, Pro, Lifetime. An entitlement grants one tier.

πŸ”—

Product β†’ tier mapping

Map each store product ID to the tier it unlocks. A validated purchase then grants the right tier automatically.

🎨

Paywalls

Build paywall configs (or generate one with Merlyn), served to the app at runtime and rendered by the SDK on every platform.

🎫

Entitlements

The source of truth for who has access. Look any user up in the Entitlements explorer.

πŸ”‘

Store credentials

Enter your own Apple / Google / Amazon / Roku / Stripe keys per app (encrypted at rest). Validation then uses your own store account.

πŸ§ͺ

Experiments

Launch paywall experiments from a 50-template library, let Merlyn suggest the next test, and promote a winner once it is statistically significant.

πŸŒ‰

Billing bridge

Bring your own billing provider: grant entitlements over a signed HMAC bridge for any payment source we do not natively validate.

πŸ›‘οΈ

Privacy (GDPR)

Handle erasure / export / do-not-sell requests per user. Billing records are retained for tax; PII is pseudonymised past the retention window.

Integrate the SDK (3 calls)

The app-side SDK only ever needs three endpoints. Full per-platform code is on the Getting Started page.

1. configure(apiKey, appId, userId) β€” once at launch
2. GET /config/:appId β€” fetch the paywall to show
3. POST /receipts/validate β†’ GET /entitlements/:userId β€” validate a purchase, then check access

Open Getting Started β†’

Deeper docs

Full API reference lives in docs/API.md; per-platform integration guides (iOS, Android, Roku, Web/JS, React, React Native, Flutter, Web Component) and a "how it works" overview are in docs/guides/. Security posture is documented in docs/SECURITY.md.