Licensing
All Align deployments require a valid license. Self-hosted deployments use signed JWT license files that are validated locally with no phone-home requirement.
How Licensing Works
Align uses cryptographically signed JWT license files:
- Offline Validation - License is validated locally using an embedded public key. No phone-home or internet access required
- Cryptographically Signed - JWT signed with RSA-4096 for tamper-proof validation
- Grace Period - 14-day grace period after expiry to allow renewal
- Feature-Based - Licenses enable specific features and set usage limits
- No Source Code - Self-hosted deployments use pre-built container images; no repository access is provided
Deployment Model
Align follows a registry-based distribution model (no source code distribution):
1. Customer purchases license at align.tech/pricing or via sales
2. Receives license key for container registry access + license.jwt for validation
3. Pulls pre-built images into their own infrastructure
4. Services validate the license.jwt locally on startup (no network calls)
5. All customer data stays in the customer's environment
Why this model?
- Enterprise-friendly: works in air-gapped and restricted network environments
- Consistent seat-based billing across all deployment types
- Feature entitlements (connectors, analytics, compliance modules) controlled per license
- Automatic access to new container image versions during your subscription
- No risk of unauthorized redistribution since source code is never distributed
Obtaining a License
Contact sales@align.tech to obtain a license for your organization.
You'll receive:
- Registry credentials for pulling container images
- A
license.jwtfile for local service validation - License terms and expiration date
- Support contact information
Installation
Step 1: Authenticate to Container Registry
# Log in to Align's container registry (AWS ECR) using your AWS credentials
aws ecr get-login-password --region eu-west-2 | \
docker login \
--username AWS \
--password-stdin 869633161172.dkr.ecr.eu-west-2.amazonaws.com
Step 2: Create License Secret
kubectl create secret generic align-license \
--namespace align \
--from-file=license.jwt=./license.jwt
Step 3: Enable in Helm Values
# values.yaml
license:
enabled: true
secretName: align-license
secretKey: license.jwt
Step 4: Apply Configuration
helm upgrade align oci://869633161172.dkr.ecr.eu-west-2.amazonaws.com/align/charts/align \
--namespace align \
--values values.yaml
Verification
Check that the license is loaded:
# Check gateway logs
kubectl logs -l app.kubernetes.io/component=gateway -n align | grep -i license
# Expected output:
# License validated successfully: Acme Corp (Enterprise)
# License expires: 2026-12-31
License File Contents
Your license file (license.jwt) is a signed JWT containing:
{
"iss": "https://align.tech",
"sub": "lic_abc123",
"aud": "align-self-hosted",
"iat": 1704067200,
"exp": 1798761600,
"nbf": 1704067200,
"customer": {
"id": "cust_abc123",
"name": "Acme Corp",
"email": "admin@acme.com"
},
"plan": "enterprise",
"limits": {
"users": 500,
"decisions": null,
"connectors": ["slack", "github", "jira", "linear", "teams"],
"features": ["sso", "auditLog", "customBranding", "apiAccess"]
},
"deployment": {
"type": "self-hosted"
}
}
License Limits
| Limit | Description |
|---|---|
users | Maximum number of users (null = unlimited) |
decisions | Maximum decisions per month (null = unlimited) |
connectors | List of allowed connectors (e.g., slack, github, jira) |
features | List of enabled features (e.g., sso, auditLog, gpuModels) |
Proprietary Model Distribution
Enterprise licenses include access to Align's fine-tuned decision models. These are distributed as container images via the same registry used for all Align services:
registry.align.tech/align/llm-server:v1.0.0 # vLLM + Align model weights
How it works:
- Your license JWT grants pull access to the model server image
- You pull the image to your cluster (or mirror to your internal registry)
- The model runs locally via vLLM - no inference data leaves your infrastructure
- No phone-home, no telemetry, no network calls during inference
Air-gapped deployments: Mirror the model image alongside all other Align images. See Installation - Mirror to Your Registry.
The proprietary value is in the model weights (trained on anonymized decision patterns), not the serving infrastructure (vLLM is open source). Weights are gated behind your Enterprise license and registry authentication.
When limits are exceeded:
- New users cannot be invited
- New connectors cannot be connected
- Warning banners appear in the UI
License Expiry
Grace Period
When your license expires, you have a 14-day grace period:
- Days 1-14: All features work, warning banners displayed
- After 14 days: Read-only mode (can view, cannot create)
Renewal
To renew your license:
- Contact sales@align.tech
- Receive new
license.jwt - Update the Kubernetes secret:
kubectl create secret generic align-license \
--namespace align \
--from-file=license.jwt=./new-license.jwt \
--dry-run=client -o yaml | kubectl apply -f -
- Restart gateway pod to pick up new license:
kubectl rollout restart deployment/align-gateway -n align
License Plans
| Plan | Users | Features |
|---|---|---|
| Starter | Up to 25 | Core features |
| Team | Up to 100 | + SSO, Audit log |
| Enterprise | Unlimited | + Custom branding, API access, Priority support |
Network Requirements
License validation is fully offline. The only network requirement is pulling container images during initial deployment or upgrades:
| Endpoint | Purpose | When |
|---|---|---|
869633161172.dkr.ecr.eu-west-2.amazonaws.com | Container image pulls | Deployment/upgrade only |
registry.align.tech | Model server images (Enterprise) | GPU model deployment only |
For fully air-gapped environments, images can be mirrored to an internal registry. Contact sales@align.tech for air-gapped deployment support.
Troubleshooting
License not found
Error: License file not found at /etc/align/license/license.jwt
Solution: Verify the secret exists and is mounted correctly:
kubectl get secret align-license -n align
kubectl describe pod -l app.kubernetes.io/component=gateway -n align
Invalid license signature
Error: License signature verification failed
Solution: Your license file may be corrupted. Contact support for a new copy.
License expired
Warning: License expired on 2026-12-31. Grace period ends 2027-01-14.
Solution: Contact sales to renew your license.
Security
- License files are cryptographically signed (RSA-4096) and cannot be modified
- The public key for verification is embedded in the application
- All validation happens locally - no external network calls for license checks
- License files should be treated as sensitive (contain customer info)
Support
For licensing questions:
- Email: sales@align.tech
- Existing customers: Contact your account representative