Licensing
Polygent uses offline ECDSA-signed license keys (ES256/P-256). There is no phone-home — all verification uses only the configured public key. Licenses are issued by your Polygent operator and delivered as .lic files.
License tiers
| Tier | Scope | Machine binding |
|---|---|---|
| Standard | Single API server | Bound to one machine fingerprint |
| Enterprise | Cluster / multi-node | Machine-agnostic; optional domain binding |
Both tiers enforce an expiration date, user limit, and feature flags.
Initial activation
When no valid license is installed, all pages redirect to the License Expired screen where admins can upload a license file.
Step 1 — Download machine info
As an admin, click Download machine info on the expired screen (or go to Settings → License). This downloads a machine-info.json file containing your server's machine fingerprint.
Step 2 — Send to operator
Email machine-info.json to your Polygent operator. Send it promptly — the operator validates its freshness before signing.
Step 3 — Receive and upload license
The operator signs a license and sends back a .lic file. Upload it via the Upload license button on the License page.
The API verifies:
- Valid ECDSA signature
- Machine fingerprint matches (standard tier)
- License not expired
- Issue date within the freshness window
On success, the app becomes fully operational immediately.
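The upload checks listed above, sketched in Go as an added example (not Polygent's own code): the signature is verified over the raw bytes before any field is parsed, then the fingerprint, expiry and freshness checks run. The Claims layout, the DER signature encoding, the error strings, the names VerifyUpload and DemoSign, and the 72-hour window are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Claims is a hypothetical payload layout, not Polygent's real .lic schema.
type Claims struct {
	MachineID           string // empty for machine-agnostic (enterprise) licenses
	IssuedAt, ExpiresAt time.Time
}

// VerifyUpload authenticates the bytes first and only then trusts any claim (DER signature assumed).
func VerifyUpload(pub *ecdsa.PublicKey, payload, sig []byte, machine string, now time.Time, window time.Duration) (*Claims, error) {
	if d := sha256.Sum256(payload); !ecdsa.VerifyASN1(pub, d[:], sig) {
		return nil, fmt.Errorf("invalid signature")
	}
	var c Claims
	switch err := json.Unmarshal(payload, &c); {
	case err != nil:
		return nil, fmt.Errorf("malformed payload")
	case c.MachineID != "" && c.MachineID != machine:
		return nil, fmt.Errorf("machine identity changed")
	case !now.Before(c.ExpiresAt):
		return nil, fmt.Errorf("license expired")
	case c.IssuedAt.After(now) || now.Sub(c.IssuedAt) > window:
		return nil, fmt.Errorf("issue date outside freshness window")
	}
	return &c, nil
}

// DemoSign plays the operator with a throwaway key so the example runs offline.
func DemoSign(c Claims) (*ecdsa.PublicKey, []byte, []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	payload, _ := json.Marshal(c)
	digest := sha256.Sum256(payload)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return &priv.PublicKey, payload, sig
}

func main() {
	pub, p, sig := DemoSign(Claims{"fp-A", time.Now(), time.Now().Add(time.Hour)})
	fmt.Println(VerifyUpload(pub, p, sig, "fp-B", time.Now(), 72*time.Hour))
}
```

Because the signature check comes first, a modified payload is rejected as an invalid signature and never reaches the JSON parser or the claim checks.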
Renewal
Licenses have an expiration date. You will receive email alerts before expiry (typically at 30, 14, 7, and 1 day milestones), and a banner appears in the app for admins as the date approaches.
Renewal flow
- Contact your operator (no new machine-info.json needed — the operator retains your machine fingerprint)
- Receive the renewed .lic file
- Upload via Settings → License → Upload license
The renewal takes effect immediately. No restart required.
Enterprise renewal
Enterprise licenses renew the same way. The operator issues a new payload without a machine fingerprint. Upload to every API instance in your cluster.
Enterprise licenses
Enterprise licenses are machine-agnostic — the same .lic file can be installed on all nodes in a cluster. They are suited for:
- Multiple API instances behind a load balancer
- Blue/green deployments
- Frequent OS reimaging
Domain binding (optional)
An Enterprise license may include an allowedDomain wildcard (e.g. *.acme.internal). The API checks every request's Host header against this pattern. If your hostname changes, contact your operator for a reissue.
Installing on a cluster
Upload the same .lic file to each API instance via Settings → License on each node. Each instance verifies the signature independently. No coordination required.
Enterprise-only features
| Feature flag | Capability |
|---|---|
| sso-saml | Single Sign-On with SAML |
| audit-export | Audit log export |
| multi-tenant | Multi-tenant mode |
Feature flags
Your license controls which modules are active. When a feature is missing from your license, its endpoints return 403 and the UI hides the relevant navigation.
| Feature | Module |
|---|---|
| workflows | Workflow automation |
| automations | Scheduled automations |
| planner | AI Planner |
| round-table | Round Table |
| insights | Insights |
| ticket-sync | External ticket sync |
| deployments | Deployment agents |
| code-review | Code review |
| verification | Verification |
| memory | Memory module |
| bots | Bots |
| multiple-active-sessions | Concurrent sign-ins per user across devices (when off, a new sign-in revokes the user's other sessions and the Profile → Devices tab is hidden) |
User limit
Your license sets a maximum number of active users. When the limit is reached:
- Creating new users is blocked (400 error)
- Activating deactivated users is blocked
- Existing active users are unaffected
If a renewal reduces the user limit below your current count, existing users keep access — only new activations are blocked until you are under the new limit.
Expiration behavior
When a license expires:
- All API endpoints return 503 except the ones needed to recover: license status, machine-info download, license upload, sign-in, sign-out, and the current-user lookup. Non-API routes (the web client, real-time connections) are not blocked, but agent hosts are refused at connect time with a license error.
- The full-screen License Expired page appears for all users
- Admins can still upload a renewed license
- Background services (queue, automations, sync) pause automatically
Renewal takes effect immediately on upload — no restart needed.
Viewing license status
Go to Settings → License to see:
- License ID and customer name
- Tier (Standard / Enterprise)
- Expiration date and days remaining
- User usage (active / limit)
- Session hosts (currently connected / max allowed)
- Deploy hosts (currently connected / max allowed)
- Active feature flags
- Machine ID (standard tier)
- Allowed domain (enterprise tier, if configured)
- Audit log of installs (enterprise tier)
Concurrent host limits
Your license caps the number of session-agent and deploy-agent processes that can be connected to the API at the same time. When a new agent tries to connect and the cap is reached, the API refuses the new agent's connection with a "concurrent host limit reached" error until an existing agent of that type disconnects.
Reconnects of a host that already has a live connection are not counted twice — they always succeed.
Troubleshooting
"Machine identity changed"
After an OS reinstall or registry restore, the machine fingerprint changes and the existing license no longer matches. The expired page shows a machine identity changed message.
Resolution:
- Download a fresh machine-info.json from the License page
- Send it to your operator
- The operator reissues the license against the new fingerprint
- Upload the new .lic file
"License domain mismatch" (enterprise)
Your license has an allowedDomain restriction that does not match the current request's Host header. The wildcard pattern *.acme.internal matches a single subdomain level — api.acme.internal matches, but api.v2.acme.internal does not.
Resolution: Contact your operator to reissue the license with the correct allowedDomain pattern that matches your actual hostname.
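The single-level wildcard rule described above, as an added Go example (not Polygent's own code) that you can use to check a hostname against a pattern before requesting a reissue. The function name, the handling of a ":port" suffix, case-insensitive comparison and exact matching for patterns without a wildcard are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// MatchAllowedDomain reports whether a Host header value satisfies an
// allowedDomain pattern. A leading "*." stands for exactly one DNS label.
// Assumptions of this sketch: a ":port" suffix is ignored and the
// comparison is case-insensitive; the page states neither.
func MatchAllowedDomain(pattern, hostHeader string) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h // drop ":port"
	}
	host, pattern = strings.ToLower(host), strings.ToLower(pattern)
	if !strings.HasPrefix(pattern, "*.") {
		return host == pattern // no wildcard: exact match only (assumed)
	}
	suffix := pattern[1:] // ".acme.internal", leading dot kept on purpose
	if !strings.HasSuffix(host, suffix) {
		return false // also rejects look-alikes such as "evilacme.internal"
	}
	label := strings.TrimSuffix(host, suffix)
	// One non-empty label only: rejects ".acme.internal" and "api.v2.acme.internal".
	return label != "" && !strings.Contains(label, ".")
}

func main() {
	// Constructed Host header values.
	hosts := []string{"api.acme.internal", "API.acme.internal:8443",
		"api.v2.acme.internal", "acme.internal", "api.acme.internal.example.com"}
	for _, h := range hosts {
		fmt.Printf("%-32s %v\n", h, MatchAllowedDomain("*.acme.internal", h))
	}
}
```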
Expiration alert emails not arriving
- Verify admin users have email addresses configured
- Check system logs for mail delivery errors (Settings → System Logs)
- Alerts fire daily at 09:00 server time; they are deduplicated so a missed run will not re-send old milestones
Clock-tamper detection
If the server clock is moved backward by more than 1 day, the license is treated as invalid until the clock advances past the last-seen timestamp. Restore the system clock to the correct time.
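A sketch of the rollback rule above, as an added Go example (not Polygent's own code): a high-water mark of the latest time seen, a trip when the clock falls more than one day behind it, and recovery only once the clock passes the mark again. The type and method names and the in-memory state are assumptions; the page does not say where the last-seen timestamp is stored.

```go
package main

import (
	"fmt"
	"time"
)

const maxRollback = 24 * time.Hour // "more than 1 day" from the text above

// ClockGuard keeps a high-water mark of the latest time the server has seen.
// Persistence of the mark is not documented; this sketch keeps it in memory.
type ClockGuard struct {
	lastSeen time.Time
	tripped  bool
}

// Check returns false while the license must be treated as invalid.
func (g *ClockGuard) Check(now time.Time) bool {
	if g.tripped && !now.After(g.lastSeen) {
		return false // still behind the mark, however small the gap is now
	}
	g.tripped = g.lastSeen.Sub(now) > maxRollback
	if now.After(g.lastSeen) {
		g.lastSeen = now // the mark only moves forward in this sketch
	}
	return !g.tripped
}

func main() {
	t0 := time.Date(2025, 6, 1, 9, 0, 0, 0, time.UTC) // constructed timeline
	g := &ClockGuard{}
	for _, off := range []time.Duration{0, -20 * time.Hour, -40 * time.Hour, -time.Hour, time.Minute} {
		fmt.Println(off, g.Check(t0.Add(off)))
	}
}
```

Because the mark never moves backward here, two rollbacks of 20 hours each trip the guard on the second step even though neither exceeds one day on its own.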