Skip to main content
The CertForge license is a signed JSON Web Token (JWT) stored as license.jwt. It is verified cryptographically on every startup — the signature cannot be forged or modified.

Verification

On startup, CertForge:
  1. Reads license.jwt from storage.base_path
  2. Verifies the RS256 signature using the CertForge public key embedded in the binary
  3. Reads the exp claim (expiry timestamp) from the verified payload
  4. Applies the expiry — even with no network access, the correct expiry is always enforced
This means blocking outbound traffic or deleting the call-home cache cannot extend license validity. The expiry is anchored to the signed JWT.

JWT payload claims

Feature flags

Feature flags in the features array enable capabilities beyond the base tier:

Inspecting a license

Or view current license details in the CertForge dashboard at /license.

Call-home refresh

Every 24 hours, CertForge contacts app.certforge.xyz and receives an updated license state (in case of renewal, upgrade, or limit change). The signed JWT remains the ground truth for the expiry date — call-home can extend or modify other claims by returning a new signed JWT.

Grace period behavior