Key lists vs. on-demand provisioning: which license delivery model scales?

Every store that sells software licenses eventually lands on one of two delivery models. Both give the customer a key within seconds — which is why the difference is easy to miss until it costs you. It shows up not at checkout but in your working capital, your 2am failure modes, and your security posture.

The two models, defined

  • Key lists: you buy keys from your distributor in bulk, upload them to a delivery app, and each order pops the next key off the list.
  • On-demand provisioning: no keys exist in advance. Each order triggers an API call to the vendor or distributor, which mints a license for that exact purchase.

Side by side

DimensionKey listsOn-demand provisioning
Working capitalCash tied up in unsold keysCost incurred only when a sale happens
StockoutsLists run dry — often silently, often on weekendsNothing to run out of
Security at restPlaintext keys sitting in a databaseNo unsold keys exist; sold keys can be hashed
Catalog changesOld keys for old versions linger in listsVendor API always provisions the current product
Refund handlingKey already exposed; hard to reclaimEntitlement can often be revoked upstream
Audit trailWhich key went where lives in app logs, if anywhereOrder → provisioning call → license, recorded end to end
Setup effortLow — upload a CSVHigher — needs vendor/distributor API access

Where key lists genuinely make sense

Honesty over marketing: key lists are a reasonable choice when your vendor offers no provisioning API, when volume is tiny, or when you're validating a product line before committing to distributor integrations. A short list you refill weekly is not a crisis.

Where they break

Scale and seriousness. The failure pattern is always the same: the list empties during your best sales weekend, orders queue up behind an empty spreadsheet, and a refund wave follows. Add the security angle — a breach that exfiltrates a key list is immediate, liquid loss — and the model caps how big your software shelf can safely get.

The migration path

Most stores run both during a transition: on-demand provisioning for vendors with API access, key lists for the long tail. If you're choosing tooling, choose for where you're going — an architecture built around provisioning can tolerate a key-list stopgap; the reverse is a rewrite. For the wider context on how provisioning fits the software supply chain, see the plain-English ESD guide.

KeyVolt is the provisioning side

Real keys minted from vendor APIs per order — McAfee and Norton today, Microsoft coming soon.

Request early access