Skip to content

License activation

License activation

A self-hosted deployment that installs a consume-license can optionally refresh it — and the revocation list — through the activation heartbeat.

GET /api/v1/license/activate

Unauthenticated by design

The heartbeat is not bearer-token authenticated, and that is deliberate: a self-hosted deployment holds no operator token. The opaque deployment id is the credential; an unknown one gets a generic 404 (never a hint that it was close). The endpoint is rate-limited with an inline throttle:30,1 so it cannot be probed.

Offline installs must not depend on it

On-prem licensing is offline-first. An air-gapped install verifies its license artifact locally against the bundled public key and unlocks capabilities with no call home. The activation heartbeat is a convenience for connected deployments to pull a renewed artifact or a fresh revocation list — it is not required, and offline installs neither call it nor depend on it.

Where it fits

Path Auth Purpose
POST /api/v1/licenses (+ /renew, /revoke) Operator bearer token The issuer mints/renews/revokes a license. See Management API.
GET /api/v1/license/activate Deployment id (unauthenticated) A downstream deployment refreshes its own license + revocation list.

The issuer side (this app minting licenses) and the consume side (a deployment refreshing its own) are separate flows on separate auth models.