license.jwt. It is verified cryptographically on every startup — the signature cannot be forged or modified.
Verification
On startup, CertForge:- Reads
license.jwtfromstorage.base_path - Verifies the RS256 signature using the CertForge public key embedded in the binary
- Reads the
expclaim (expiry timestamp) from the verified payload - Applies the expiry — even with no network access, the correct expiry is always enforced
JWT payload claims
Feature flags
Feature flags in thefeatures array enable capabilities beyond the base tier:
Inspecting a license
Call-home refresh
Every 24 hours, CertForge contactsapp.certforge.xyz and receives an updated license state (in case of renewal, upgrade, or limit change). The signed JWT remains the ground truth for the expiry date — call-home can extend or modify other claims by returning a new signed JWT.