Licensing
All Align deployments require a valid license. Self-hosted deployments use signed JWT license files that are validated locally with no phone-home requirement.
How Licensing Works
Align uses cryptographically signed JWT license files:
- Offline Validation - License is validated locally using an embedded public key. No phone-home or internet access required
- Cryptographically Signed - JWT signed with RSA-4096 for tamper-proof validation
- Grace Period - 14-day grace period after expiry to allow renewal
- Feature-Based - Licenses enable specific features and set usage limits
- No Source Code - Self-hosted deployments use pre-built container images; no repository access is provided
Deployment Model
Align follows a registry-based distribution model (no source code distribution):
1. Customer purchases license at align.tech/pricing or via sales
2. Receives license key for container registry access + license.jwt for validation
3. Pulls pre-built images into their own infrastructure
4. Services validate the license.jwt locally on startup (no network calls)
5. All customer data stays in the customer's environment
Why this model?
- Enterprise-friendly: works in air-gapped and restricted network environments
- Consistent seat-based billing across all deployment types
- Feature entitlements (connectors, analytics, compliance modules) controlled per license
- Automatic access to new container image versions during your subscription
- No risk of unauthorized redistribution since source code is never distributed
Obtaining a License
Contact sales@align.tech to obtain a license for your organization.
You'll receive:
- Registry credentials for pulling container images
- A
license.jwtfile for local service validation - License terms and expiration date
- Support contact information
Installation
Step 1: Authenticate to Container Registry
# Log in to Align's container registry (AWS ECR) using your AWS credentials
aws ecr get-login-password --region eu-west-2 | \
docker login \
--username AWS \
--password-stdin 869633161172.dkr.ecr.eu-west-2.amazonaws.com
Step 2: Create License Secret
kubectl create secret generic align-license \
--namespace align \
--from-file=license.jwt=./license.jwt
Step 3: Enable in Helm Values
# values.yaml
license:
enabled: true
secretName: align-license
secretKey: license.jwt
Step 4: Apply Configuration
helm upgrade align oci://869633161172.dkr.ecr.eu-west-2.amazonaws.com/align/charts/align \
--namespace align \
--values values.yaml
Verification
Check that the license is loaded:
# Check gateway logs
kubectl logs -l app.kubernetes.io/component=gateway -n align | grep -i license
# Expected output:
# License validated successfully: Acme Corp (Enterprise)
# License expires: 2026-12-31
License File Contents
Your license file (license.jwt) is a signed JWT containing:
{
"iss": "https://align.tech",
"sub": "lic_abc123",
"aud": "align-self-hosted",
"iat": 1704067200,
"exp": 1798761600,
"nbf": 1704067200,
"customer": {
"id": "cust_abc123",
"name": "Acme Corp",
"email": "admin@acme.com"
},
"plan": "enterprise",
"limits": {
"users": 500,
"decisions": null,
"connectors": ["slack", "github", "jira", "linear", "teams"],
"features": ["sso", "auditLog", "customBranding", "apiAccess"]
},
"deployment": {
"type": "self-hosted"
}
}
License Limits
| Limit | Description |
|---|---|
users | Maximum number of users (null = unlimited) |
decisions | Maximum decisions per month (null = unlimited) |
connectors | List of allowed connectors (e.g., slack, github, jira) |
features | List of enabled features (e.g., sso, auditLog) |
When limits are exceeded:
- New users cannot be invited
- New connectors cannot be connected
- Warning banners appear in the UI
License Expiry
Grace Period
When your license expires, you have a 14-day grace period:
- Days 1-14: All features work, warning banners displayed
- After 14 days: Read-only mode (can view, cannot create)
Renewal
To renew your license:
- Contact sales@align.tech
- Receive new
license.jwt - Update the Kubernetes secret:
kubectl create secret generic align-license \
--namespace align \
--from-file=license.jwt=./new-license.jwt \
--dry-run=client -o yaml | kubectl apply -f -
- Restart gateway pod to pick up new license:
kubectl rollout restart deployment/align-gateway -n align
License Plans
| Plan | Users | Features |
|---|---|---|
| Starter | Up to 25 | Core features |
| Team | Up to 100 | + SSO, Audit log |
| Enterprise | Unlimited | + Custom branding, API access, Priority support |
Network Requirements
License validation is fully offline. The only network requirement is pulling container images during initial deployment or upgrades:
| Endpoint | Purpose | When |
|---|---|---|
869633161172.dkr.ecr.eu-west-2.amazonaws.com | Container image pulls | Deployment/upgrade only |
For fully air-gapped environments, images can be mirrored to an internal registry. Contact sales@align.tech for air-gapped deployment support.
Troubleshooting
License not found
Error: License file not found at /etc/align/license/license.jwt
Solution: Verify the secret exists and is mounted correctly:
kubectl get secret align-license -n align
kubectl describe pod -l app.kubernetes.io/component=gateway -n align
Invalid license signature
Error: License signature verification failed
Solution: Your license file may be corrupted. Contact support for a new copy.
License expired
Warning: License expired on 2026-12-31. Grace period ends 2027-01-14.
Solution: Contact sales to renew your license.
Security
- License files are cryptographically signed (RSA-4096) and cannot be modified
- The public key for verification is embedded in the application
- All validation happens locally - no external network calls for license checks
- License files should be treated as sensitive (contain customer info)
Support
For licensing questions:
- Email: sales@align.tech
- Existing customers: Contact your account representative