How it works
The control plane issues a signed license with plan, workspace, instance allowance, expiration, grace, and key id.
The install token activates one runtime instance and binds it to a workspace and plan allowance.
The runtime validates the license locally and reports heartbeat metadata without sending call media.
A local agent renews the signed lease while the subscription and registry access are active.
Runtime behavior
ActiveRuntime can start, validate the signed lease locally, and pull allowed stable updates.Offline windowRuntime keeps operating until the signed expiration if the license service is temporarily unreachable.GraceRuntime enters grace after expiration and should surface operator warnings before stopping new activations.ExpiredRegistry access and license renewal stop. Customer data remains in customer infrastructure.Signature format
It is reasonable to expose the license signature family in technical documentation, but not as a headline marketing claim. The current design uses Ed25519 public-key signatures with a key id for rotation: the runtime needs only the public verification key, while the private signing key stays in the license service.
What the license should not do
A professional infrastructure product should not lock customers out of their own data, delete their configuration, or silently exfiltrate media. Enforcement should focus on activation, updates, and signed runtime authorization.
Token types
Install token
Short-lived, one-time deployment credential used by the installer to activate an instance.
Registry token
Short-lived pull credential for signed runtime images and updates.
License lease
Signed runtime authorization that can be validated offline until expiration.
Runtime API key
Customer-owned key for private API access to the deployed runtime.