View the Demo
View the Demo

How Craft License Enforcement Works

This article does not cover the legalities of Craft’s license; only the technical features we’ve put in place to go along with it.

License Key Creation #

The act of downloading Craft binds you to Craft’s License Agreement, but a license key is not assigned to your installation until Craft and it has made its first call to our web services to check for updates. When we see a request without a license key, one is created and sent with the response. Craft saves this new key to config/license.key.

Single Website Enforcement #

You’re allowed to run a single Craft license on multiple domains (e.g., example.com and example.fr), so long as they’re all a part of the same installation. To enforce this, Craft does have one technical limitation: you may only access Craft’s control panel from a single public domain per Craft license. There is no such restriction on non-public domains, however.

Each time Craft’s control panel sends a request to our web services, we look at which domain it’s coming from. The first time we see a key being used on a public domain, we tie it to that domain. This can happen as early as the same request where the license key gets created, if you’re installing Craft on a public server with the web GUI. On subsequent requests, we check that Craft is still accessed via the same domain.

If a Craft license is used on a public domain other than it was last associated with, our web service includes a warning in its resposes, which Craft displays in the control panel. If the current user is an admin, they will have the option to transfer the license to the current domain.

How do we determine Craft is running on a public domain? #

Our web service checks the following when determining if a domain is public. If any of these checks pass, we determine that the domain is not public:

  1. Does it only consist of one segment (e.g., localhost)?
  2. Is it an IP address?
  3. Does it have a port, and is it something besides 80 or 443?
  4. Does it have a dev-sounding subdomain?
    Exhaustively: acc, acceptance, ci, craftdemo, dev, integration, loc, local, preprod, preview, qa, sandbox, sit, stage, staging, stg, systest, test, testing, and uat.
  5. Does it have a non-standard TLD?
  6. Is it on our list of known development domains? i.e. ddev.site, gitpod.io, herokuapp.com, ngrok.io, etc.

Edition Enforcement #

Each time Craft phones home to check for updates, we check the incoming license to see which edition it should run. That “licensed edition” is included in the response, which Craft compares against what is installed. If there’s a discrepancy, the Control Panel will display a modal window that provides options for correcting the situation.

Don’t worry! #

Craft will not automatically adjust its edition in the event of a discrepancy. The front end of your website will continue to operate normally unless you choose to downgrade your Craft edition.

Applies to Craft CMS 4, Craft CMS 3, Craft Commerce 4, and Craft Commerce 3.

New to Craft CMS?

Check out our Getting Started Tutorial.

Community Resources

Our community is active and eager to help. Join us on Discord or Stack Exchange.