It's in-house. A license has some info tied to the user (which ultimately has to be the Twitter user connected via Twitter). Then all that is signed with a private key ECDSA. The app has the public key and can verify the signature. Many libraries are available for handling cryptographic signatures.

So basically a license is public info, the app enforces that the logged in user must match the user in the license.