VaultTerm

Licensing and activation

On-prem entitlements come from a signed offline .vtlic file verified locally against a built-in vendor public key — air-gapped, with grace-window expiry and hot-reload renewal.

Updated Jun 23, 2026

A self-hosted VaultTerm reads its entitlements — tier, seat count, and term — from a signed offline license file instead of the hosted billing catalog. It is verified locally, so it works fully air-gapped: nothing phones home to activate.

How licensing works on-prem

Set DEPLOYMENT_MODE=onprem (the default for the bundle) to read entitlements from a signed .vtlic file. The file is verified locally against a built-in vendor public key, so there is no activation call and no license server to reach.

Variable                Purpose
DEPLOYMENT_MODE=onprem  read entitlements from the offline license; saas opts out
LICENSE_PATH            path to the .vtlic file (mounted into the container, e.g. /data/license.vtlic)
LICENSE_STATE_PATH      durable store for the monotonic anti-rollback counter; point at a persistent volume

Place the issued license.vtlic in the host directory bind-mounted to /data (by default deploy/onprem/license/); the anti-rollback counter state persists alongside it.

Signature: Ed25519, optionally quantum-safe composite

The .vtlic is signed by the vendor and verified locally. Two signature algorithms are supported:

  • Ed25519 — the baseline signature, verified against the built-in vendor public key.
  • Ed25519 + ML-DSA-65 composite — a quantum-safe option (alg=ed25519+ml-dsa-65) that verifies only if both signatures hold. Ed25519-only licenses still verify, so moving to the composite is a key rotation, not a flag day.

Override the built-in verification keys (LICENSE_PUBLIC_KEY, LICENSE_MLDSA_PUBLIC_KEY) only for key rotation. See Keys and licensing config for the full variable set.
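As an added example (not VaultTerm's own code; the real .vtlic layout is not documented on this page), the Go verifier below implements the two-algorithm rule above: an Ed25519-only file verifies against the vendor Ed25519 key alone, a composite file verifies only if the Ed25519 and the ML-DSA-65 signatures both hold, and any other alg is rejected. The envelope fields, the JSON claims, and the Issue function standing in for the vendor signer are assumptions made for the demo. Go's standard library has no ML-DSA, so the ML-DSA-65 half is a pluggable function, and the example binds alg into the signed bytes so a composite file cannot be downgraded by stripping its ML-DSA signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is an assumed on-disk layout for a .vtlic; the real format is not documented here.
type Envelope struct {
	Alg        string `json:"alg"`         // "ed25519" or "ed25519+ml-dsa-65"
	Payload    string `json:"payload"`     // base64 JSON claims
	SigEd25519 string `json:"sig_ed25519"` // base64 Ed25519 signature over signedMessage
	SigMLDSA   string `json:"sig_mldsa"`   // base64 ML-DSA-65 signature, composite only
}

// Claims carries the entitlements the page lists plus the anti-rollback counter.
type Claims struct {
	Tier    string `json:"tier"`
	Seats   int    `json:"seats"`
	Expires int64  `json:"expires"` // unix seconds, end of term
	Counter uint64 `json:"counter"` // monotonic anti-rollback counter
}

type Verifier struct {
	EdPub ed25519.PublicKey           // built-in vendor key (LICENSE_PUBLIC_KEY overrides it)
	PQPub []byte                      // LICENSE_MLDSA_PUBLIC_KEY
	PQ    func(pub, msg, sig []byte) bool // ML-DSA-65 verify; not in Go's stdlib, so the deployment supplies it
}

var (
	ErrMalformed = errors.New("license: malformed")
	ErrSignature = errors.New("license: signature verification failed")
	ErrAlg       = errors.New("license: unsupported alg")
	ErrNoKey     = errors.New("license: verification key not configured")
)

const algEd, algComposite = "ed25519", "ed25519+ml-dsa-65"

// signedMessage binds alg to the claims: relabelling a composite file "ed25519" with its ML-DSA half stripped breaks the Ed25519 signature too.
func signedMessage(alg string, payload []byte) []byte {
	return append([]byte(alg+"\n"), payload...)
}

// Verify checks a .vtlic offline and returns the claims only if every signature the declared alg requires holds.
func (v Verifier) Verify(raw []byte) (*Claims, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("%w: %v", ErrMalformed, err)
	}
	dec := base64.StdEncoding.DecodeString
	payload, errP := dec(env.Payload)
	sigEd, errS := dec(env.SigEd25519)
	if errP != nil || errS != nil || len(sigEd) != ed25519.SignatureSize {
		return nil, ErrMalformed
	}
	composite := env.Alg == algComposite
	if !composite && env.Alg != algEd {
		return nil, fmt.Errorf("%w: %q", ErrAlg, env.Alg)
	}
	if len(v.EdPub) != ed25519.PublicKeySize || (composite && (v.PQ == nil || len(v.PQPub) == 0)) {
		return nil, ErrNoKey // fail closed rather than accept half of a composite
	}
	msg := signedMessage(env.Alg, payload)
	if !ed25519.Verify(v.EdPub, msg, sigEd) {
		return nil, ErrSignature
	}
	if sigPQ, err := dec(env.SigMLDSA); composite && (err != nil || !v.PQ(v.PQPub, msg, sigPQ)) {
		return nil, ErrSignature // composite: both halves must hold
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("%w: claims", ErrMalformed)
	}
	return &c, nil
}

// Issue plays the vendor signer so the example runs offline. In VaultTerm this happens only on the vendor side; operators never hold the private keys.
func Issue(alg string, c Claims, edPriv ed25519.PrivateKey, pqSign func(msg []byte) []byte) []byte {
	payload, _ := json.Marshal(c)
	msg := signedMessage(alg, payload)
	enc := base64.StdEncoding.EncodeToString
	env := Envelope{Alg: alg, Payload: enc(payload), SigEd25519: enc(ed25519.Sign(edPriv, msg))}
	if pqSign != nil {
		env.SigMLDSA = enc(pqSign(msg))
	}
	raw, _ := json.Marshal(env)
	return raw
}

func main() {
	edPub, edPriv, _ := ed25519.GenerateKey(rand.Reader) // stand-in vendor key pair, never present on a customer host
	c, err := Verifier{EdPub: edPub}.Verify(Issue(algEd, Claims{Tier: "enterprise", Seats: 50, Expires: 1800000000, Counter: 7}, edPriv, nil))
	fmt.Printf("%+v %v\n", c, err)
}
```

Binding alg into the signed message is this example's choice, not something the page states; it closes the obvious downgrade, where someone deletes sig_mldsa and relabels the file as ed25519, while leaving genuinely Ed25519-only licenses valid as the page requires. When rotating to the composite, set LICENSE_MLDSA_PUBLIC_KEY before the first composite file arrives: a verifier with no ML-DSA key rejects composite files outright instead of silently accepting the Ed25519 half.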

Boot enforcement and expiry

Under NODE_ENV=production the server refuses to boot if the license is missing, malformed, forged, or rolled back — that is, presenting an older counter than the last one seen. The anti-rollback counter in LICENSE_STATE_PATH is monotonic, so a replayed or downgraded license is rejected even offline.

An expired license is not a hard outage. It is honoured through a shared grace window, then lapses to free-tier limits — a late renewal degrades gracefully rather than taking the install down. The distinction is deliberate: a forged or rolled-back license is fatal at boot; an honestly expired one degrades.
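The boot and expiry policy above, as an added example in Go (not VaultTerm's own code): the counter state file at LICENSE_STATE_PATH is the high-water mark, a lower counter is fatal, an equal one is an ordinary restart, and an expired term degrades to grace and then to free-tier limits instead of failing. The state-file format, the 14-day grace window and the sample license are assumed for the demo; gating the hard failure on NODE_ENV=production follows the page. The signature check is assumed to have already passed before a license reaches this code.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"time"
)

// Entitlement is a license whose signature has already been verified; only the fields this policy consults are modelled.
type Entitlement struct {
	Tier    string
	Seats   int
	Expires time.Time
	Counter uint64 // anti-rollback counter, raised by the vendor on every issue
}

type Status int

const (
	Active Status = iota // inside the term: full entitlements
	Grace                // past expiry but inside the grace window: still honoured
	Lapsed               // past grace: free-tier limits apply
)

func (s Status) String() string { return [...]string{"active", "grace", "lapsed"}[s] }

// ErrRollback is fatal at boot: the file carries a lower counter than the last one accepted, so it is a replay or downgrade.
var ErrRollback = errors.New("license: counter rolled back")

// CounterState is the record kept at LICENSE_STATE_PATH (assumed JSON layout).
type CounterState struct {
	Counter uint64 `json:"counter"` // highest counter accepted so far
}

// LoadState treats a missing file as a fresh install (counter 0).
func LoadState(path string) (CounterState, error) {
	var s CounterState
	data, err := os.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		return s, nil
	}
	if err != nil {
		return s, err
	}
	return s, json.Unmarshal(data, &s)
}

// SaveState writes a temp file and renames it, so a crash mid-write cannot leave a truncated state file that quietly resets rollback protection.
func SaveState(path string, s CounterState) error {
	data, _ := json.Marshal(s)
	if err := os.WriteFile(path+".tmp", data, 0o600); err != nil {
		return err
	}
	return os.Rename(path+".tmp", path)
}

// Evaluate applies the policy: rollback is fatal, expiry degrades through grace to Lapsed. An equal counter is a normal restart.
func Evaluate(e Entitlement, seen CounterState, now time.Time, grace time.Duration) (Status, error) {
	if e.Counter < seen.Counter {
		return Lapsed, fmt.Errorf("%w: file has %d, last accepted %d", ErrRollback, e.Counter, seen.Counter)
	}
	switch {
	case now.Before(e.Expires):
		return Active, nil
	case now.Before(e.Expires.Add(grace)):
		return Grace, nil
	default:
		return Lapsed, nil
	}
}

// Accept checks a license against the persisted counter and, if it passes, advances the high-water mark. Boot and a hot-reloaded renewal both go through here.
func Accept(e Entitlement, statePath string, now time.Time, grace time.Duration) (Status, error) {
	seen, err := LoadState(statePath)
	if err != nil {
		return Lapsed, err
	}
	st, err := Evaluate(e, seen, now, grace)
	if err == nil && e.Counter > seen.Counter {
		err = SaveState(statePath, CounterState{Counter: e.Counter})
	}
	return st, err
}

func main() {
	statePath := os.Getenv("LICENSE_STATE_PATH")
	if statePath == "" {
		statePath = "license.state" // demo fallback; on-prem this lives on the /data volume
	}
	// Constructed sample: a license that expired yesterday, checked with an assumed 14-day grace window.
	lic := Entitlement{Tier: "enterprise", Seats: 50, Expires: time.Now().Add(-24 * time.Hour), Counter: 7}
	st, err := Accept(lic, statePath, time.Now(), 14*24*time.Hour)
	if err != nil && os.Getenv("NODE_ENV") == "production" {
		fmt.Fprintln(os.Stderr, "refusing to boot:", err)
		os.Exit(1)
	}
	fmt.Println("license status:", st, err)
}
```

The only thing that makes a rollback detectable is the persisted counter, so the state path has to outlive the container: on an ephemeral volume every restart looks like a fresh install and any authentic old license would be accepted again, which is why the page says to point LICENSE_STATE_PATH at persistent storage. The temp-file-and-rename write keeps a crash from leaving an empty state file with the same effect. A Lapsed result is where the server switches to free-tier limits; the example leaves those limits to the caller because the page does not state them.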

Installing a renewal

There are two ways to install a renewal:

  1. Admin console (preferred, no restart). Sign in to the admin app and open the License view. It shows the current lease — tier, seats used and sold, days to expiry, grace — and accepts the renewed .vtlic pasted in. The server re-verifies the signature and the anti-rollback counter before writing the file, then hot-reloads entitlements with no SSH and no restart. The action is step-up gated and audited.
  2. File drop. Copy the renewed .vtlic into the license directory and restart the app container.

Issuing is a vendor operation

Issuing and renewing a license is a vendor-side offline operation — the signing private key never leaves the vendor’s signer. Operators receive an issued .vtlic file; they do not generate one. This keeps the trust root off every customer host while letting verification happen entirely offline.
