afAxonatorExt 0.9.4

Encrypts and obfuscates Axon source code

Axonator is an extension for SkySpark v3.0.12+ that encrypts and obfuscates Axon source code.

  • Fed up of people stealing your Axon code?
  • Want to distribute your hard work in a format that's not plain text?
  • Then encrypt it with Axonator!

Axontator is free to download and evaluate but a licence must be purchased for production use. See Licensing for details.


See the presentation Protect Your Code With Axonator on YouTube, given to the SkyFoundry SkyPosium event in Dulles, Virginia, USA on Thursday, 15th November 2017.

Axonator on YouTube

Axonator takes Axon source code and a pass phrase, and generates encrypted code and a secret key. The encrypted code can only be decrypted and run with the secret key.

.                 ____________                            ____________
                 |            |                          |            |
Axon Source ---> |  Axonator  | ---> Encrypted Code ---> |  Axonator  | ---> Decrypted
                 |            |                          |            |     Axon Source
Pass Phrase ---> |            | -----> Secret Key -----> |            |
                 '------------'                          '------------'

For example, this Axon source code:

(name) => do
  return "Hello " + name + "!"

is encrypted into this:

(name) => do
  axonCode :
    "AxD:mvUjtIFWCMNZV1HuOAxMMg::jc84ZwXVBPzw3vfg2rLl1NIZx8eemoG_pYZEnnZfSvYZElURNjU4" +
    "c62cfYTMHGMf2HFsjYn0V8Kagb8hj8nBN9lkRUryYUxojI6zuWCnNef1LIqJ7fDdwcC43dpXsMunsHH_" +
    "6U7eKhTxJWzF0A32SLsdnotcjOwOyRKfUI91n-QHma9mEi2Ri4mRhGW805ISTU5Ut_LiwdImXL-qnqHQ" +
    "FUuWwiV-53ZSFnyUi_uAybEJBxNbiFiSRSptuTsrO5SQd6Np2V4iGM25b0Rc_WRP09LYbuo4Qo0w_Dqu" +
  keyFunc : (fnName) => ... fn that returns a secret key ...
  return afAxonatorCallFunc("hello", axonCode, [name], keyFunc)

Note that Axonator never reveals the decrypted Axon source, but instead holds a reference to the compiled function; which you may call like any other.

Running the function automatically decrypts axonCode back to its original source, compiles it, and invokes it; just as if you had called the original function! Decrypted and compiled functions are then cached for performance reasons.

Note the encrypted functions have a dependency on Axonator and any extensions containing Axonated functions should express a dependency on axonator.

Quick Start

This complete working example shows how to encrypt an Axon function and run it:

funcRec    : {
    "name" : "hello",
    "src"  : """(name) => "Hello " + name + "!" """

// encrypt the funcRec
passPhrase : "Fantom Rocks!"
keyFuncStr : "(fnName) => return \"gm8v8MePNgSRhVRZ-2zogw\""
axonated   : afAxonateFunc(funcRec, passPhrase, keyFuncStr)

// keep this safe!
secretKey  : axonated["secretKey"]

// compile the encrypted code...
helloFn    : axonated["funcRec"]["src"].eval()

// ...and run it!
helloFn("Mum")  // --> Hello Mum!

Note the keyFunc function that returns the secret key used for decryption. It is a string of axon code that is embedded in the generated axon function. The above example just returns a hard coded secret key.

The keyFunc may be customised on a function by function basis, by passing in a func that returns a string. This allows for highly customisable keyFuncs that are able to retrieve the secret from a REST API, a StackHub licence file, or anywhere! See Obfuscation for an example.

Entire .trio files of Axon functions may also be encrypted:

passPhrase : "Fantom Rocks!"
keyFuncStr : "(fnName) => return \"gm8v8MePNgSRhVRZ-2zogw\""
axonated   : afAxonateFile(`io/funcs.trio`, passPhrase, keyFuncStr)

// keep this safe!
secretKey  : axonated["secretKey"]

afAxonateFile backs up your .trio file and replaces it with a version where all the src tags have been encrypted. This encrypted file contains function definitions that may be used in place of the original.

Note you should always keep a copy of your original .trio files as they can not be restored.

StackHub Integration

Axonator may be used to create StackHub products of obfuscated Axon functions - and when doing so, Axonator is FREE!

Let's say you've created some Axon functions, and you'd like to sell them on StackHub. The problem is, Axon is distributed as plain text files. StackHub licensing may disable your extension, but there's nothing preventing people from opening up your .pod file and simply copy pasting the Axon source into their own functions.

Until now!

Encrypt your Axon passing in the afAxonatorStackHubKeyFunc key func, and not only are your resultant Axon functions encrypted, but they also require a valid StackHub licence of your product to run!

Worked Example

Create a product on StackHub and note its ID. Use this product ID to create a keyFunc, then use the keyFunc to encrypt your Axon functions. Here we encrypt with the pass phrase, Fantom Rocks!:

productId : "12345678-12345678 My Awesome Product"
keyFunc   : afAxonatorStackHubKeyFunc("product", productId)

axonated  : afAxonateFile(`io/funcs.trio`, "Fantom Rocks!", keyFunc)
secretKey : axonated["secretKey"]
            // --> gm8v8MePNgSRhVRZ-2zogw

Note the secret key, which for our example is gm8v8MePNgSRhVRZ-2zogw. Now edit your product on StackHub and add the following extra property:

axonatorKey = <secretKey>

which, in the case of our example, is:

axonatorKey = gm8v8MePNgSRhVRZ-2zogw

When someone buys your product, the generated licence will contain the above property, meaning the only people with access to the secret key are those who have purchased your product!

If you package your Axon functions up as a SkySpark extension, don't forget to add a dependency to Axonator in your ExtMeta:

@ExtMeta { name="myAwesomeExt"; depends=["afAxonator"] }
const class MyAwesomeExt : Ext {

If you look at your encrypted Axon functions, they will look similar to this:

() => do
  axonCode :
    "AxD:P1zRc8HaNn_zCUS-Y2hF3g::HUPMZZn9Ak0OT9qwa39UmHcznvFFMNvdDQEfXcjEART7wc293JB1" +
    "L6WonvjJBw9l9lY9Z_MNcWhnRXWsU5ahtJhHW9BbwUnp_BHAnuPbQza6CHw7ZMBomsxPSsoeC5Itu8So" +
    "oxWX1EPXbwymqQDu31_GuVnEZV6C1b_mC-03O-RROJm7dAe9F_-jPiCwaaAa8wOU0zmkRIWGDtk_UOAU" +
  keyFunc : () => afAxonatorGetKeyFromStackubLic("product", "12345678-12345678 My Awesome Product", "xxxxxxxx")
  return afAxonatorCallFunc("fnName", axonCode, [], keyFunc)

The generated keyFunc calls a hidden function that looks for a StackHub licence that matches the product 12345678-12345678 My Awesome Product. If such a licence is found, and if the licence is valid, the function returns the axonatorKey property, which is the secret key you setup earlier!

This means that only people with a valid purchased licence have access to the secret key, and only people with a valid purchased licence can run your Axon functions. And if anyone tries to look at your Axon source code, they'll only find your encrypted and obfuscated Axon code!

All functions encrypted with the afAxonatorStackHubKeyFunc key func are unrestricted, making Axonator FREE for creating StackHub products.

Note that StackHub licences may also be found via the packages key, see afAxonatorStackHubKeyFunc for details.

Axon Functions

Reference documentation for Axonator Axon functions.

afAxonateFunc(funcRec, passPhrase, keyFunc, options: null)

Encrypts the given function record by obfuscating the src field.

passPhrase is a seed string that's used to generate the actual secretKey used to encrypt the axon source code. keyFunc may either be a Str or an Fn that returns a Str of Axon code, that when executed, should return the secretKey. options defaults to null and is not used at this time.


afAxonateFunc({func, "name": "fnName", "src": "() => ..."}, "<passPhrase>", keyFunc)

Returns a Dict which contains, amongst other fields, the secret key needed to run the function.

afAxonateFile(funcFile, passPhrase, keyFunc, options: null)

Encrypts the given Axon trio file by obfuscating the src fields.

passPhrase is a seed string that's used to generate the actual secretKey used to encrypt the axon source code. keyFunc may either be a Str or an Fn that returns a Str of Axon code, that when executed, should return the secretKey. options defaults to null and is not used at this time.


afAxonateFile(`io/funcs.trio`, "<passPhrase>", keyFunc)

Returns a Dict which contains, amongst other fields, the secret key needed to run the functions.

afAxonatorStackHubKeyFunc(stackHubKey, stackHubVal)

Returns a keyFunc function that finds a StackHub licence that matches the given key and value, and returns the axonatorKey property from that licence.




a matching product ID, example:. xxxx-xxxx productName


a package version, example:. pkg 1.0

The returned keyFunc can only be used in axonate functions.


keyFunc : afAxonatorStackHubKeyFunc("product", "xxxx-xxxx productName")
axonate : afAxonateFile(`io/funcs.trio`, "<passPhrase>", keyFunc)


Axonator may be used to obfuscate Axon source code by openly supplying and embedding the secret key in the encrypted functions. Do this by encrypting with the following keyFunc:

keyFunc : (fnName, secretKey) => "() => \"" + secretKey + "\""

This results in Axon code similar to:

(name) => do
  axonCode :
    "AxD:pl1PC1upIIiJZ0KtC_i_SQ::LZerFuPcRnnzUaKrxqr2yZamAvo08QsmVQSfze_MdYXLrS030of9" +
    "mbYrhxMwXRqXFktcj-qcrmLcs3NK0J2dsZWUcr8XjTqQ4xGYtBLRrwmtpsXVvjuZ8pWfRqoKnWFHUv9F" +
    "m8sLNGlM2iON_xqo_uTcWTMCAF11Yq0v2r3n3rrtSjOr5DZ_sgkRA0cjZ1whwaciNHLsLpdCu66DZS0T" +
    "HHN6ekt38qJbjyWYWE4TLjeQBrQZno6SJ61qDFF4wzXDonAcm0tGFCcv_p6G7wXKFz5qmkXTLabqmnYe" +
  keyFunc : () => "gm8v8MePNgSRhVRZ-2zogw"
  return afAxonatorCallFunc("hello", axonCode, [name], keyFunc)

Whilst not 100% secure (see Notes on Security) it is extremely obfuscated and is probably good enough for most use case.

Command Line Encryption

Axonator may be invoked from the command line to encrypt .trio files. This is useful if you wish to encrypt many files in a batch, or in a non-SkySpark environment.

Examples have new lines added for clarity.

Use Axonator with a valid Axonator licence and custom key func:

fan afAxonatorExt
    -axonIn      lib/myFuncs.trio
    -axonOut     lib/myEncyptedFuncs.trio
    -passPhrase  "Axonator Protects"
    -skysparkLic lic/lic-skyspark.props
    -axonatorLic lic/lic-axonator.props
    -keyFunc     "(fnName) => return \"gm8v8MePNgSRhVRZ-2zogw\""

Use Axonator, distributing the secret key via a StackHub licence:

fan afAxonatorExt
    -axonIn      lib/myFuncs.trio
    -axonOut     lib/myEncyptedFuncs.trio
    -passPhrase  "Axonator Protects"
    -stackhubKey "product"
    -stackhubVal "12345678-12345678 My Awesome Product"

Use the -help option for details:

fan afAxonatorExt -help

Notes on Security

Axonator encrypts using the Advanced Encryption Standard; which is pretty strong.

Note that export laws in the United States prohibit Oracle from selling very strong encryption. This limits the encryption strength of the standard Java installation, and hence Axonator, to 128 bits. Stronger encryption is possible in Java but requires the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy to be installed.

Decrypting and running Axonated functions require the use of a secret key. While Axonator itself does not reveal the original Axon source code, anyone with the secret key (including the end user) and enough programming knowledge may be able to reveal the original Axon code.

For this reason, source code encrypted with Axonator should not be considered secure and Axonator itself should be considered an obfuscator. The only way to truly keep your functions secure, is to not distribute them in the first place.

But for anyone who does not have the secret key, note that a basic brute force attack running against Axonator on my development computer gave an estimate of 100 septillion (10^24) years to crack.


Axonator is a Commercial product and requires a licence to be purchased (see below) to run unhindered.

Axonator is provided free of charge for use in products sold on StackHub.

Licences for Axonator are tied to an SkySpark organisation. This means it is valid for and will work on, any SkySpark installation within your organisation, but will not work on SkySpark installations for other organisations. You will need to enter your SkySpark organisation ID when purchasing, see Where is my SkyArc Organization ID? for details.

Purchased licences expire after 1 year. After this period all previously encrypted functions will continue to work as usual, but a valid licence will be required to encrypt further functions.

Purchased licences are available from the My Licences page and should be downloaded to the /var/lic/ directory of your SkySpark installation.

Minor updates to Axonator may be provided free of charge, but major updates will require a new licence to be purchased.

Although free to download, Axonator enters into an Evaluation Mode if it does not find a valid licence; whereby encrypted functions may only be invoked a maximum of 5 times and expire after 1 day.

For support, comments, and refunds, please email [email protected].


The software is provided "AS IS" and the author disclaims all warranties with regard to this software including all implied warranties of merchantability and fitness. In no event shall the author be liable for any special, direct, indirect, or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of this software.

Release Notes


  • New: Axonator may now be invoked from the command line to encrypt .trio files


  • New: Created alien ext icon.
  • Chg: Renamed extension from axonator to afAxonator for consistency with other Alien-Factory products.


  • New: Added src code compression.
  • Chg: Axonator out on general release.


  • Preview release.

Related Products & Services

Related Packages