License Management

A Sovereign install runs against a signed license issued by the Novantra control plane. The license proves your install is entitled to be running, and it names the organizations and apps it covers. Without a valid license, you cannot create new organizations; existing organizations may also fall back to read-only.

License management lives in the system console under System → License. It requires the install-admin role.

What a license carries

Every license bundles:

• Customer identity (customerId) — the commercial party the license belongs to.
• Install identity (installId) — the specific install instance the license is bound to. You cannot use one customer’s license on another install.
• App keys — which Novantra apps this license enables.
• Per-organization entitlements — the list of organization IDs the license covers, each with their plan, feature flags, limits, and validity window.
• Validity window (validFrom, validUntil) — when the license is in effect.
• Maximum organizations — the cap on how many organizations the install may host.

The license is signed with Novantra’s release key. The install verifies that signature on every load; an altered license will not pass verification and the system will refuse to start in that state.

Viewing your license

System → License shows:

• Your customer and install identifiers.
• The list of apps included.
• All organizations covered, with each one’s plan, features, and validity window.
• The license’s overall validity window.
• The current license state (see below).
• The time of the last successful refresh.

You don’t need to “decode” anything — the page is the authoritative view of what the signed license actually grants.

License states

The system tracks the license through four states:

There is no “service shut down” state. A lapsed license never deletes data, never disables key material, never blocks read access. It only blocks new state changes.

Renewing — connected installs

If your install can reach the Novantra control plane over HTTPS (the most common setup), renewal is automatic:

• A scheduled job (reconcile-license-state) runs hourly. It contacts the control plane, fetches the freshest signed license for your install, verifies it, and updates the local copy.
• You see the refresh result in System → License.
• If renewal fails (network blip, control plane outage), the job retries on the next interval. The license you currently hold remains valid until its own expiry.

When your commercial team renews the contract upstream, the new license appears in your install on the next refresh window — typically within an hour, no operator action required.

Renewing — offline installs

If your install cannot reach the control plane, renewal is a manual three-step exchange:

1. From the install (in System → License), click Generate activation request. The system creates a signed file describing your install’s current state (install ID, app keys, last license fingerprint).
2. From an internet-connected machine, upload that file to the Novantra control plane portal. The portal returns a refreshed signed license, also as a file.
3. Back at the install, import the refreshed license through System → License → Import. Provide a reason (audited). The system verifies the signature and replaces the previous license.

Both files are signed end-to-end, so you can carry them across an air gap on a USB stick without exposure to tampering.

Adding a new organization to the license

Whether you’re a connected or offline install, the flow is the same: organizations are added on the commercial side first, then your license reflects them.

• Connected: add the org to your subscription with your account team. On the next hourly refresh, the new organization appears in your entitlements and the protected organization wizard will accept its creation.
• Offline: generate an activation request, upload it, get a refreshed license that names the new org, import it. Then create the org through the protected wizard.

When a license expires

If renewal lapses, the system walks the state diagram:

1. Warning banner appears about a configurable window before validUntil. Now is the time to renew.
2. At validUntil, the state moves to Grace. Operations continue with louder banners.
3. When the grace window closes, the state moves to Read-only. Writes start failing with a clear “license expired” error. Sign-ins still work; existing data is fully readable; you can still investigate and export. You cannot create or change anything.
4. Applying a fresh valid license returns the install to Active immediately — no restart needed.

What’s not handled by license management

A few things the license deliberately does not control:

• Encryption keys. Customer-managed keys (Self Managed Secret Keys) live in your own KMS and are not part of the license. A license lapse doesn’t lock or unlock keys.
• Storage bindings. Self Managed Storage continues to function regardless of license state. A read-only install can still read and write your own bucket because file I/O is part of “reading existing data.”
• Backups. Backup runs continue in any license state.

Permissions & evidence

• Viewing the license requires the license view permission (install admin by default).
• Importing a license requires the license import permission and an audit reason.
• Every import is recorded with the actor, the timestamp, the new license fingerprint, and your provided reason.

Related

• Sovereign Installation — the first license is applied during setup.
• Updates & Upgrades — license state is independent of the running version; both can change without affecting the other.