Skip to Content
AdministrationLicensing

Licensing

AtlasAI uses two different licensing models depending on how you deploy the platform. This page explains both models, how licenses are enforced, what happens when a license expires, and how to renew or upload a license for on-prem deployments.

Which licensing model applies to you?

DeploymentLicense modelAction required
Shared SaaSSubscription managed by AtlasAI CloudPay through the portal — nothing to install
Dedicated TP (Atlas-hosted)Same as SaaS — subscription managed centrallyNothing — Atlas handles it
On-Prem (air-gapped)Local JWT license file — validated entirely inside your networkAnnual renewal via AtlasAI support
BYOC (your VPC, reaches AtlasAI CP)JWT license — automatically renewed by phone-home every 24 hoursNothing routine — renew annually if phone-home fails

SaaS and Dedicated TP licensing

When you subscribe through the AtlasAI website (Core, Operations, or Enterprise plan), your subscription is managed by the AtlasAI Control Plane. You do not need to install or manage any license file.

What the subscription controls:

  • Which modules you can access (ITSM, compliance, automation, edge, etc.)
  • User count limits
  • Data volume and retention period
  • AI credit allowance

If payment fails:

  • Your subscription moves to past due status
  • A grace period begins: 7 days for monthly billing, 14 days for annual billing
  • During the grace period, write operations (creating incidents, running automation, etc.) are suspended but you can still read existing data
  • After the grace period, the account is suspended and all API access is blocked
  • You receive email notifications at each stage
  • To reactivate, update your payment method in the Customer Portal at atlastechlab.com/portal 

On-Prem and BYOC licensing

On-prem deployments validate a JWT license key locally — no network call to AtlasAI is required for validation. This means your platform continues working even in fully air-gapped environments.

How the license works

Your license is a cryptographically signed JSON Web Token (JWT) containing:

  • Your tenant ID
  • Your plan name and limits (users, data volume, AI credits, retention, enabled modules)
  • Expiry date
  • Deployment mode (on-prem or BYOC)
  • A 30-day grace period allowance

The Tenant Plane validates this token locally using AtlasAI’s RSA public key. The private key that signs licenses never leaves AtlasAI’s infrastructure, so the license cannot be forged or tampered with.

Getting your first license

  1. Contact support@atlasai.com or log in to cp.atlastechlab.com 
  2. Request a license for your tenant ID, plan, and deployment mode
  3. AtlasAI generates a signed JWT and sends it to you
  4. You also receive the RSA public key (CP_LICENSE_PUBLIC_KEY) required to validate the license — this is safe to store in your environment

Loading your license: three options

Option 1 — Environment variable (recommended for automated deployments)

Set these two environment variables before starting the Tenant Plane:

# The signed license JWT issued by AtlasAI
ATLASAI_LICENSE_KEY=eyJhbGciOiJSUzI1NiJ9...
 
# The RSA public key used to verify the license signature
CP_LICENSE_PUBLIC_KEY=-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----

For Docker Compose, add these to your .env file or directly to the service:

# docker-compose.yml
services:
  tenant-plane:
    environment:
      ATLASAI_LICENSE_KEY: ${ATLASAI_LICENSE_KEY}
      CP_LICENSE_PUBLIC_KEY: ${CP_LICENSE_PUBLIC_KEY}

The Tenant Plane reads the license at startup and logs the status:

[license] Loaded from env: status=active, days_remaining=365

Option 2 — Admin UI (upload without restart)

If you already have the Tenant Plane running, you can upload a new license without restarting:

  1. Log in to your Tenant Plane as an admin user
  2. Navigate to Settings → License
  3. Paste your license JWT in the “Upload new license key” field
  4. Click Activate License

The new license takes effect immediately. No restart required. The status badge at the top of the card updates to show the new plan and expiry.

Option 3 — Helm values (Kubernetes)

# values.yaml
license:
  # The RSA public key PEM — escape newlines with \n for single-line format
  publicKey: "-----BEGIN PUBLIC KEY-----\nMIIBIj...-----END PUBLIC KEY-----"
  # The signed license JWT
  key: "eyJhbGciOiJSUzI1NiJ9..."

Apply with:

helm upgrade atlasai-tp deploy/helm/atlasai-tp -f values.yaml

License status and what each state means

Your current license status is visible at Settings → License. The API also exposes it at GET /api/admin/license.

StatusWhat it meansWhat you can do
ActiveLicense is validFull access to all features in your plan
GraceLicense has expired, 30-day grace period runningRead-only — writes (create, update, delete) are blocked. Upload a new license immediately.
Read-onlyGrace period expired, 30 additional days of read-only accessOnly GET requests allowed. Upload a new license urgently.
LockedAll grace periods expiredOnly /api/health and the license upload API are accessible. Upload a new license or contact support.
InvalidThe JWT signature does not match the public keyCheck that CP_LICENSE_PUBLIC_KEY is the correct key for this license. Contact support if unsure.

Warning banners

When your license is in grace or read-only state, a yellow warning banner appears at the top of every page in the Tenant Plane UI showing the number of days remaining. When the license is locked, the banner turns red and no other UI is accessible.

BYOC phone-home (automatic renewal)

If your Tenant Plane can reach the AtlasAI Control Plane over the internet (BYOC mode), the license renews automatically:

  • Every 24 hours, the Tenant Plane sends the current license JWT to the AtlasAI Control Plane
  • The Control Plane verifies your subscription is still active and returns a freshly signed 365-day license
  • The Tenant Plane stores the new license and uses it for the next 24 hours
  • If the phone-home fails (network issue, CP temporarily down), the existing license continues — no disruption until the license physically expires

You can configure the renewal interval:

LICENSE_PHONE_HOME_INTERVAL_MS=86400000  # 24 hours (default)

For air-gapped on-prem deployments where phone-home is impossible, set:

ATLASAI_OFFLINE_MODE=1

See Offline & Air-Gapped Mode for the full offline configuration guide.

Renewing an expired license

Contact support@atlasai.com with your tenant ID. AtlasAI will issue a new signed JWT. Upload it using any of the three methods described above.

Tip: Set a calendar reminder 30 days before your license expiry date. The expiry date is shown on the Settings → License page and in the GET /api/admin/license response.

Checking license status via API

curl https://your-tenant-plane/api/admin/license \
  -H "Authorization: Bearer $ADMIN_TOKEN"

Example response:

{
  "licensed_deployment": true,
  "offline_mode": true,
  "tp_version": "1.3.0",
  "cp_license_public_key_configured": true,
  "license": {
    "status": "active",
    "valid": true,
    "plan_id": "operations",
    "plan_name": "Operations",
    "deployment_mode": "on_prem",
    "days_remaining": 312,
    "expires_at": "2027-02-14T00:00:00.000Z",
    "issued_at": "2026-02-14T00:00:00.000Z",
    "active_addons": ["automation_pro"],
    "last_phone_home": null,
    "key_hint": "eyJhbGciOiJSUzI..."
  }
}

Frequently asked questions

Can I run AtlasAI completely offline with no internet connection at all?

Yes. Set ATLASAI_OFFLINE_MODE=1, provide ATLASAI_LICENSE_KEY and CP_LICENSE_PUBLIC_KEY, and configure your own AI provider keys (BYOC_API_KEY etc.). See Offline & Air-Gapped Mode.

What happens to my data when a license expires?

Your data is never deleted due to license expiry. The grace and read-only periods ensure you can still export or view data while renewing. Only write access is blocked.

Can I have different licenses for different environments (dev, staging, prod)?

Yes. Request separate licenses from AtlasAI for each environment. Each license is tied to a specific tenant_id.

Is the license key a secret?

Treat your license JWT like a password — it encodes your plan entitlements and tenant ID. The public key (CP_LICENSE_PUBLIC_KEY) is safe to store openly; it cannot be used to generate licenses, only to verify them.

SlackHigh Availability