View the Demo
View the Demo

How Craft License Enforcement Works

This article does not cover the legalities of Craft’s license; only the technical features we’ve put in place to go along with it.

License Key Creation #

The act of downloading Craft binds you to Craft’s License Agreement, but your Craft license begins its life without a valid license key. It doesn’t get a valid one until you have finished installing Craft and it has made its first call to our web service to check for updates. Our web service will detect that a license key did not accompany the request, so it will create one and include it in its response. Craft will save its new license key in config/license.key.

Single Website Enforcement #

You’re allowed to run a single Craft license on multiple domains (e.g., example.com and example.fr), so long as they’re all a part of the same website. To enforce that, Craft does have one technical limitation: you may only access Craft’s control panel from one public domain per Craft license. (There is no such restriction on non-public domains, though.)

Each time Craft’s CP sends a request to our web service, our web service checks which domain it’s coming from. The first time it appears that Craft is being used on a public domain, the license is tied to that domain. (This can happen as early as the same request where the license key gets created if you’re installing Craft on a public server.) On subsequent requests, the web service will ensure that Craft is still accessed via the same domain.

If your Craft license is being used on a new public domain, our web service will tell Craft about that in its response, at which point the CP will begin to display an alert notifying the user that Craft isn’t licensed to be run on the current domain. If the current user is an admin, they will have the option to transfer the license to the current domain.

How do we determine Craft is running on a public domain? #

Our web service checks the following when determining if a domain is public. If any of these checks pass, we determine that the domain is not public:

  1. Does it only consist of one segment (e.g., localhost)?
  2. Is it an IP address?
  3. Does it have a port, and is it something besides 80 or 443?
  4. Does it have a dev-sounding subdomain?
    Exhaustively: acc, acceptance, ci, craftdemo, dev, integration, loc, local, preprod, preview, qa, sandbox, sit, stage, staging, stg, systest, test, testing, and uat.
  5. Does it have a non-standard TLD?
  6. Is it on our list of known development domains? i.e. ddev.site, gitpod.io, herokuapp.com, ngrok.io, etc.

Edition Enforcement #

Each time Craft phones home to check for updates, we check the incoming license to see which edition it should run. That “licensed edition” is included in the response, which Craft compares against what is installed. If there’s a discrepancy, the Control Panel will display a modal window that provides options for correcting the situation.

Don’t worry! #

Craft will not automatically adjust its edition in the event of a discrepancy. The front end of your website will continue to operate normally unless you choose to downgrade your Craft edition.

Applies to Craft CMS 4, Craft CMS 3, Craft Commerce 4, and Craft Commerce 3.

New to Craft CMS?

Check out our Getting Started Tutorial.

Community Resources

Our community is active and eager to help. Join us on Discord or Stack Exchange.