Licensing

IdentSphere is proprietary software distributed as a closed-binary container image. It is not open source, not source-available, and not under any permissive or copyleft license. The terms under which you may run it are the End User License Agreement shipped in the repository's LICENSE file (also rendered as EULA.md).

This page explains the model, why we chose it, and what each tier actually contains. For the mechanics of installing a license, see license-keys.

Distribution model

We ship a single OCI image. Inside that image:

  • identsphere-server — the auth server binary.
  • IdentSphere — the CLI for migrations, exports, and operational tasks.
  • The React SDK as compiled assets you can pull from /static/sdk/.

There is no public source tree, no cargo install, and no npm install of the server. We do not publish to crates.io or npm for the core auth binary. The published artifacts are the Docker image, signed release notes, and (for Enterprise) attested binaries delivered through a private channel.

This is the same distribution shape used by FusionAuth, Auth0 on-premises, Okta on-prem, Tableau Server, and most commercial DBMSs. It is the industry default for security-sensitive enterprise software outside the open-source ecosystem.

Why we don't publish source

We considered the Business Source License (BSL, "source-available with a use limitation") and decided against it for four reasons:

  1. Reverse engineering risk asymmetry. Source-available code can be lifted, lightly modified, and rehosted with no enforcement leverage until lawsuits resolve — at which point the damage is done. Closed binaries don't eliminate this risk, but they raise the bar high enough that nobody attempts it casually.

  2. License-bypass attacks. With source visible, every customer sees the embedded public key and the verification code. Stripping the check is a five-line patch. With closed binaries, the same attack requires Ghidra and patience — and any redistribution of a patched binary is a clear-cut EULA violation.

  3. Sales conversations. When buyers ask "is the source open?", a yes answer almost always triggers a follow-up "...so we'll just fork it." A no answer ends that conversation. The deal closes on features and SLA, not on philosophy.

  4. Where industry actually went. Auth0, Okta, FusionAuth, Ping Identity, ForgeRock, Microsoft Entra — all closed. The open-source auth servers that exist (Keycloak under Apache 2.0, Authentik under MIT) compete on a different axis and don't sell to the same customers we do.

We respect the open-source ecosystem and use it heavily for dependencies. We are not adding to it for the auth server itself.

What you can audit

The closed-binary model does not mean "trust us".

  • Crypto primitives are standard. Argon2id for password hashing, RS256 / ES256 for JWTs, ed25519 for license signatures, W3C WebAuthn for passkeys. Every primitive follows its published specification, so you can check the outputs (password hashes, token signatures, WebAuthn assertions) with independent tooling rather than taking our word for it.
  • No data leaves your infrastructure. The binary has no callback URL to identsphere.com. License verification is offline against an embedded public key. Telemetry is opt-in and goes to your own collector. Run the container with no egress and everything still works.
  • REST API is fully documented. Every endpoint, free or paid, is described request by request and response by response in the API reference, and a paid endpoint behaves exactly as documented once the feature is licensed. There is no undocumented tier of functionality.
  • Source review under NDA. Enterprise customers can request read-only access to the source tree (and to the build pipeline) for the purpose of security audits, compliance review (SOC 2, HIPAA, ISO 27001), or due diligence. Contact sales@identsphere.com.

Tiers and what's in each

The runtime enforces tier limits using the features encoded in your license JWT. If a feature isn't in your license, the corresponding endpoint returns 402 Payment Required with {"error":{"code":"feature_requires_paid_license", ...}}.

Community (free)

Bundled with the image. No license key required. Suitable for any project, including commercial production deployments.

  • Email + password auth (Argon2id, with bcrypt portability for imports).
  • Passkeys (WebAuthn / FIDO2).
  • TOTP MFA with recovery codes.
  • Email OTP login + email verification.
  • OAuth 2.1 / OIDC, with Google and GitHub built in.
  • Refresh-token rotation, theft detection, DPoP, httpOnly + CSRF cookies.
  • Sessions, trusted-device remember-me, step-up re-auth.
  • Organizations, teams, invitations.
  • Baseline RBAC.
  • API keys with scopes, IP / referrer allowlists.
  • Audit logging to Postgres.
  • Outbound webhooks for auth events.

Trial (30 days, free)

A time-bounded license enabling every paid feature on a single instance, for non-production use only. Useful for proofs of concept. Request one from sales@identsphere.com.

Pro

Adds:

  • Custom RBAC roles beyond the built-in matrix.
  • Branded transactional emails (your domain, your templates).
  • The built-in admin dashboard for user / org management.

Scale

Adds:

  • SAML 2.0 SSO connector for upstream IdPs.
  • SCIM 2.0 directory provisioning.
  • Streaming audit export to S3 and (separately) to SIEM endpoints.

Enterprise

Adds:

  • Org-wide SSO enforcement (block non-SSO logins).
  • Source review under NDA.
  • Signed, attested release binaries via Sigstore.
  • Dedicated support contact + 24/7 P1 channel.

Subscription pricing and contract terms are quoted per customer. Contact sales@identsphere.com.

Where the protections live

Real security in a closed-binary commercial product comes from four places. The first three do not depend on the source staying secret from a determined attacker; the fourth only raises the cost of reverse engineering and should not be mistaken for a security boundary:

1. Customers sign with their own keys

Every IdentSphere deployment generates its own JWT signing material. The maintainers have never seen and will never see your IDENTSPHERE_JWT_SECRET or your RSA private key. Reverse-engineering the binary therefore teaches an attacker nothing about how to forge tokens against any particular deployment; the only route to a forged token is that deployment's own key material, so keep it out of the image and out of version control, and mount it as a secret at runtime.

2. License keys are offline-signed JWTs

The license is an ed25519-signed JWT. The corresponding public key is embedded in the binary; the private key is held offline by the maintainers. The verifier inside the binary parses the JWT, checks the signature, checks expiry, and only then enables paid features.

A motivated reverse-engineer could swap the embedded public key for their own and sign their own license, but at that point they are distributing a tampered binary and breaking the EULA, and shipping that tampered binary creates clear-cut legal liability. The swap also changes the binary's digest, so Enterprise customers on the Sigstore-attested delivery path can detect it by verifying the release attestation before deployment: the tampered artifact no longer matches what we signed.
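
The license check described above and the 402 gate described under "Tiers and what's in each", as a worked example added here; this is not IdentSphere's code (the server is not written in Go), it is an illustrative verifier built on Go's standard library crypto/ed25519 so it runs with no dependencies. It issues an EdDSA-signed JWT with an offline key, verifies it against an embedded public key the way the runtime does (algorithm pinned, signature checked before anything in the payload is trusted, expiry checked), and then gates a paid endpoint with the feature_requires_paid_license response. The claim names (tier, features, exp), the feature identifiers, and the extra "feature" field in the error body are assumptions, not IdentSphere's real schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// LicenseClaims is an assumed payload shape for the license JWT (tier, enabled
// feature names, standard exp). The real field names are not on this page.
type LicenseClaims struct {
	Tier     string   `json:"tier"`
	Features []string `json:"features"`
	Exp      int64    `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWTs use unpadded base64url

// IssueLicense signs claims with the maintainers' offline Ed25519 key; only the
// holder of that private key can produce a token VerifyLicense accepts.
func IssueLicense(priv ed25519.PrivateKey, c LicenseClaims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// VerifyLicense is the embedded verifier's job: pin the algorithm, check the
// signature with the embedded public key, check expiry, and only then return the
// claims that unlock paid features. It never touches the network.
func VerifyLicense(pub ed25519.PublicKey, token string, now time.Time) (*LicenseClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed license token")
	}
	hdrRaw, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	// The token never chooses the algorithm: this rejects "none" and any attempt
	// to pass the public key off as an HMAC secret.
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	// Signature first; nothing in the payload is trusted until this passes.
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("license signature invalid")
	}
	payload, err := b64.DecodeString(parts[1])
	var c LicenseClaims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed license payload")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("license expired")
	}
	return &c, nil
}

// APIError is what a gated endpoint returns when the feature is not licensed.
type APIError struct{ Status int; Body string }

// RequireFeature gates a paid endpoint. A nil license (Community tier) or a
// license without the feature yields the 402 described under "Tiers".
func RequireFeature(lic *LicenseClaims, feature string) *APIError {
	if lic != nil {
		for _, f := range lic.Features {
			if f == feature {
				return nil
			}
		}
	}
	body, _ := json.Marshal(map[string]interface{}{"error": map[string]string{
		"code": "feature_requires_paid_license", "feature": feature}})
	return &APIError{Status: 402, Body: string(body)}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed keypair standing in for the maintainers' key
	tok, _ := IssueLicense(priv, LicenseClaims{Tier: "scale", Features: []string{"saml_sso", "scim"},
		Exp: time.Now().Add(24 * time.Hour).Unix()})
	lic, err := VerifyLicense(pub, tok, time.Now())
	fmt.Println("valid:", err == nil, "saml_sso:", RequireFeature(lic, "saml_sso") == nil,
		"sso_enforcement:", RequireFeature(lic, "sso_enforcement").Status)
	// Forgery attempt: keep the genuine signature, swap in a payload claiming Enterprise.
	p := strings.Split(tok, ".")
	forged := p[0] + "." + b64.EncodeToString([]byte(`{"tier":"enterprise","features":["sso_enforcement"],"exp":9999999999}`)) + "." + p[2]
	_, err = VerifyLicense(pub, forged, time.Now())
	fmt.Println("forged payload rejected:", err != nil)
}
```

The cases worth running against any license verifier are the ones main and the test exercise: a payload swapped for one that claims more features, a token signed with a different key, an expired token, and a header with alg set to none. All four must fail, and the signature must be checked before any payload field is read, otherwise a five-line patch is not needed to bypass the check, a text editor is.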

3. The EULA

The EULA explicitly forbids reverse engineering, redistribution, license-key sharing, hosting IdentSphere as a third-party service, and benchmarks-for-publication. Violations are actionable in Delaware courts, with equitable relief available for the kinds of breach that can't be unwound by money damages (Section 14.3 of the EULA).

4. Symbol-stripped, LTO'd release builds

Release builds set lto = "thin", codegen-units = 1, and strip = "symbols" in the Cargo release profile. The result is a binary without function names or debug information and with significant cross-function inlining, so recovering a faithful representation of the original code is possible in principle and slow in practice. Be clear about what stripping does not do: string constants remain in the binary, and the source paths the compiler records for panic locations survive unless the build also remaps them (for example with --remap-path-prefix). Treat the stripped build as a cost multiplier for reverse engineering, not as a way of keeping anything secret.

Compliance

We can support common compliance audits:

  • SOC 2 / ISO 27001. Source review under NDA for the auditor's technical evaluator; documented build pipeline; signed release notes. Enterprise tier.
  • HIPAA. IdentSphere never moves PHI off your infrastructure. A Business Associate Agreement is available; ask sales@identsphere.com.
  • GDPR. IdentSphere is a data processor on behalf of you (the controller). All processing is in-region in your own infrastructure. Data subject requests are handled by your application — the binary exposes the necessary export and erasure APIs.
  • FedRAMP / IL5. Talk to us; this requires the signed-binary delivery path and an authority-to-operate-track plan.

No phone-home

We mean this literally:

  • License verification: offline, against a key shipped in the binary.
  • Update checks: none. You pull a new image when you choose to.
  • Crash reporting: not enabled by default. Opt in to your own Sentry / Datadog endpoint if you want it.
  • Usage telemetry: not enabled by default. Opt in to your own Prometheus / OpenTelemetry endpoint if you want it.

Run IdentSphere on a network with no egress to identsphere.com and everything keeps working. You can confirm this yourself by starting the container with networking disabled, or behind an egress-deny policy, and checking that login, license verification and the admin API all still succeed. The one clock that still runs is the license's own expiry: a time-bounded license such as the Trial expires on schedule whether or not the host can reach us, because the verifier enforces the expiry claim offline.

See also