How Craft License Enforcement Works
Note: This article does not cover the legalities of Craft’s license; only the technical features we’ve put in place to go along with it.
License Key Creation #
The act of downloading Craft binds you to Craft’s License Agreement, but your Craft license actually begins its life without a valid license key. It doesn’t get a valid one until you have finished installing Craft and it has made its first call to our web service to check for updates. Our web service will detect that the request was not accompanied by a license key, so it will create one and include it in its response. Craft will then save its new license key in craft/config/license.key.
Single Website Enforcement #
You’re allowed to run a single Craft license on multiple domains (e.g. example.com and example.fr), so long as they’re all a part of the same website. In order to enforce that, Craft does have one technical limitation: you may only access Craft’s control panel from one public domain per Craft license. (There is no such restriction on non-public domains, though.)
Each time Craft’s CP sends a request to our web service, our web service checks which domain it’s coming from. The first time it appears that Craft is being used on a public domain, the license is tied to that domain. (This can happen as early as the same request where the license key gets created, if you’re installing Craft on a public server.) On subsequent requests, the web service will ensure that Craft is still being accessed via the same domain.
In the event that your Craft license is being used on a new public domain, our web service will tell Craft about that in its response, at which point the CP will begin to display an alert notifying the user that Craft isn’t licensed to be run on the current domain. If the current user is an admin, they will have the option to transfer the license to the current domain.
How do we determine Craft is running on a public domain? #
Our web service checks the following when determining if a domain is public. If any of these checks pass, we determine that the domain is not public:
- Does it only consist of one segment (e.g. “localhost”)?
- Is it an IP address?
- Does it have a port, and is it something besides 80 or 443?
- Does it have a dev-sounding subdomain (e.g. ‘craftdemo’, ‘dev’, ‘local’, ‘loc’, ‘test’, ‘testing’, ‘sandbox’, ‘stage’, ‘staging’, ‘acc’ or ‘acceptance’)?
- Does it have a non-standard TLD?
- Does is live on a PaaS domain like amazonaws.com, frb.io, elasticbeanstalk.com, herokuapp.com, etc.?
- Does it live on a wildcard DNS service like ngrok.io, xip.io, nip.io, etc.?
Edition Enforcement #
Each time Craft phones home to check for updates, we check the incoming license to see which edition it should be running. That “licensed edition” is included in the response, which Craft compares against what is actually installed. If there’s a discrepancy, the Control Panel will display a modal window that provides options for correcting the situation.
Don’t worry! #
Craft will not automatically adjust its edition for you in the event of a discrepancy. The front-end of your website will continue to operate normally unless you choose to downgrade your Craft edition.