Aurea License Portal

Aurea License Integration

A public contract describing how Aurea on-premise environments obtain and verify signed license files for licensed organizations.

License scope: Organization. Licenses are assigned to Aurea organizations, not to VMs, installations or workspaces.
License delivery: Signed JSON file. The same license file can be downloaded automatically or manually.
Verification: Local verification. Aurea verifies the signature, organization, environment, validity and entitlements locally.

Overview

What this integration does

Aurea License Portal provides a signed license file for a licensed Aurea organization. An on-premise Aurea environment uses this file to determine which licensed features, limits and validity period apply to the organization.

The license file can be obtained in two equivalent ways: Aurea may download it through a read-only API by using a license download token, or an administrator may download the same file from the portal and upload or paste it into Aurea.

The license file is verified locally by Aurea. A temporary network issue does not invalidate an already downloaded and still valid license file.

Transparency

What data is exchanged

The license download API is intentionally narrow. It is used to retrieve the current signed license file for one organization.

| Direction | Data | Purpose |
|---|---|---|
| Aurea → License Portal | organizationId in the URL | Identifies the licensed Aurea organization. |
| Aurea → License Portal | Authorization: Bearer ldt_... | Authenticates license download for that organization only. |
| License Portal → Aurea | Signed JSON license file | Provides plan, validity period, environment type and entitlements. |

Diagnostic and telemetry data

The license download endpoint described here returns a license file. Aurea may also exchange limited diagnostic data required to confirm license compliance, such as environment type, active user count or usage counters relevant to licensed limits.

Broader product telemetry is optional and intended to be based on customer consent. It should be limited to technical or statistical information and should not include business documents, form contents, process payloads or other customer business data.

The license format, API description and JSON Schema are public by design. Security depends on the license download token and on the private signing key, not on hiding the file format.

Concepts

Core license model

Account
Customer account in Aurea License Portal. It groups subscriptions, licensed organizations and portal users.
Organization
Licensed tenant in Aurea, identified by organizationId. The license is assigned to an organization, not to a VM, installation or workspace.
License
Commercial and technical grant for one organization. It defines the plan, validity period and entitlements.
License file
Signed JSON document issued by Aurea License Portal and verified locally by Aurea.
License download token
Secret token used only to download the license file for one organization. It starts with ldt_, is shown only once, and is stored by the portal only as a hash and fingerprint.
Environment type
One of production, staging, test or development. Aurea verifies that the license matches the current organization environment.

API contract

License retrieval endpoint

This endpoint returns the current signed license file for one licensed organization. It does not grant access to account management, billing, users, subscriptions or other portal APIs.

Request

GET /api/v1/organizations/{organizationId}/license

Authorization: Bearer <license-download-token>
Accept: application/json

Example

curl -fsS \
  -H "Authorization: Bearer ldt_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "Accept: application/json" \
  "https://license.aurea.software/api/v1/organizations/org_01k2n7pmv9y4z6c5r8f2wq3hda/license" \
  -o aurea-license.json

| Status | Meaning | Recommended Aurea behavior |
|---|---|---|
| 200 | Signed license file returned. | Verify the file locally and store it as the latest valid license. |
| 401 | Missing, malformed or invalid license download token. | Report configuration/token error to the administrator. |
| 404 | Organization not found or token does not belong to this organization. | Check the configured organizationId and token pairing. |
| 409 | License is not currently available for this organization. | Keep using the last valid local license if it is still within validity or grace period. |

License file

Signed JSON format

The top-level document contains payload and signature. The payload contains license data. The signature proves that the payload was issued by Aurea License Portal.

{
  "payload": {
    "schemaVersion": 1,
    "licenseId": "lic_01k2n8a7c6m5t4x3z2p1q0w9er",
    "licenseType": "subscription",
    "plan": "standard",
    "account": {
      "accountId": "acct_01k2n70av9q2e8j4s6r1m5t3yw",
      "name": "Tecna Sp. z o.o."
    },
    "organization": {
      "organizationId": "org_01k2n7pmv9y4z6c5r8f2wq3hda",
      "name": "Tecna",
      "environmentType": "production"
    },
    "validity": {
      "issuedAt": "2026-06-15T12:00:00Z",
      "validFrom": "2026-06-15T12:00:00Z",
      "validUntil": "2026-07-17T12:00:00Z",
      "graceUntil": "2026-07-31T12:00:00Z"
    },
    "entitlements": [
      {
        "code": "users.active",
        "type": "limit",
        "metric": "active_users",
        "value": 50
      },
      {
        "code": "aurea.core",
        "type": "feature",
        "value": true
      }
    ]
  },
  "signature": {
    "algorithm": "Ed25519",
    "canonicalization": "jcs-rfc8785",
    "keyId": "aurea-license-signing-2026-01",
    "value": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  }
}

Important payload fields

  • organization.organizationId binds the license to one Aurea organization.
  • organization.environmentType binds the license to one environment type.
  • validity.validUntil defines the normal validity period.
  • validity.graceUntil defines the grace period.
  • entitlements define limits and enabled features.

Signature fields

  • algorithm: Ed25519.
  • canonicalization: jcs-rfc8785.
  • keyId: identifier of the signing key.
  • value: Ed25519 signature over canonical payload bytes.

Verification

How Aurea verifies the license

Aurea verifies the license file before trusting any payload field.

Verification rules

  1. Parse the JSON document.
  2. Read payload and signature.
  3. Verify supported schemaVersion.
  4. Verify signature.algorithm and signature.canonicalization.
  5. Canonicalize payload using JCS / RFC 8785.
  6. Verify the Ed25519 signature over canonical payload bytes.
  7. Verify organizationId and environmentType.
  8. Verify validity period and apply entitlements.

Pseudo-code

document = parseJson(licenseFile)
payload = document.payload
signature = document.signature

require(payload.schemaVersion == 1)
require(signature.algorithm == "Ed25519")
require(signature.canonicalization == "jcs-rfc8785")

canonicalPayload = canonicalizeJcs(payload)
require(verifyEd25519(
  publicKey(signature.keyId),
  canonicalPayload,
  base64urlDecode(signature.value)
))

require(payload.organization.organizationId == currentOrganizationId)
require(payload.organization.environmentType == currentEnvironmentType)
require(now >= payload.validity.validFrom)
require(now <= payload.validity.graceUntil)

applyEntitlements(payload.entitlements)

The signature covers only the payload object. It does not cover the top-level wrapper or the signature object itself.

Canonical JSON

Signature input

Before signing and verifying, the payload object is canonicalized using JCS / RFC 8785. This makes the signature independent of whitespace, pretty-printing and JSON object field order.

For schema version 1, the payload uses only JSON types safe for canonicalization: object, array, string, boolean, integer values in Java Integer range and null if present. Floating point numbers are not used in the license payload.
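
The verification rules and the canonicalization constraints above, as an added Node.js example (not Aurea's own code). The `trustedKeys` map, the `ctx` object and `issueDemoLicense` are assumptions made so the example runs offline with a throwaway key pair, since the real public key is not on this page.

```javascript
const crypto = require("node:crypto");

// JCS (RFC 8785) for the types schema version 1 allows; anything else is rejected.
function canonicalizeJcs(v) {
  if (v === null || typeof v === "boolean" || typeof v === "string") return JSON.stringify(v);
  if (typeof v === "number") {
    if (!Number.isInteger(v) || v < -2147483648 || v > 2147483647) throw new Error("number is not a 32-bit integer");
    return String(v);
  }
  if (Array.isArray(v)) return "[" + v.map(canonicalizeJcs).join(",") + "]";
  if (typeof v !== "object") throw new Error("unsupported JSON type");
  // Default sort() orders keys by UTF-16 code units, as RFC 8785 requires.
  const members = Object.keys(v).sort().map((k) => JSON.stringify(k) + ":" + canonicalizeJcs(v[k]));
  return "{" + members.join(",") + "}";
}

// trustedKeys: Map of keyId -> Ed25519 public KeyObject pinned in the verifier (assumed).
// ctx: { organizationId, environmentType, now } of the running environment (assumed shape).
function verifyLicense(licenseText, trustedKeys, ctx) {
  const fail = (why) => { throw new Error("license rejected: " + why); };
  const { payload, signature } = JSON.parse(licenseText);
  if (!payload || !signature) fail("missing payload or signature");
  if (payload.schemaVersion !== 1) fail("unsupported schemaVersion");
  if (signature.algorithm !== "Ed25519") fail("unexpected algorithm");
  if (signature.canonicalization !== "jcs-rfc8785") fail("unexpected canonicalization");
  const key = trustedKeys.get(signature.keyId); // keyId only selects a pinned key
  const sig = Buffer.from(String(signature.value), "base64url");
  if (!key || sig.length !== 64) fail("unknown keyId or malformed signature");
  if (!crypto.verify(null, Buffer.from(canonicalizeJcs(payload)), key, sig)) fail("bad signature");
  // Payload fields are trusted only from here on.
  const { organization: org, validity } = payload;
  if (org.organizationId !== ctx.organizationId) fail("organization mismatch");
  if (org.environmentType !== ctx.environmentType) fail("environment mismatch");
  const now = ctx.now.getTime();
  if (!(now >= Date.parse(validity.validFrom))) fail("not yet valid");
  if (!(now <= Date.parse(validity.graceUntil))) fail("grace period over");
  return { entitlements: payload.entitlements, inGrace: now > Date.parse(validity.validUntil) };
}

// Constructed stand-in for the portal so the example runs offline with a throwaway key.
function issueDemoLicense(privateKey, keyId, payload) {
  const value = crypto.sign(null, Buffer.from(canonicalizeJcs(payload)), privateKey).toString("base64url");
  const signature = { algorithm: "Ed25519", canonicalization: "jcs-rfc8785", keyId, value };
  return JSON.stringify({ payload, signature }, null, 2);
}
```

Because the signature is computed over the canonical bytes, a file whose fields were reordered or re-indented still verifies, while any change to a payload value does not.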

Validity

Validity and offline behavior

| Field | Meaning |
|---|---|
| issuedAt | Timestamp when the license file was issued by License Portal. |
| validFrom | Timestamp from which the license file is valid. |
| validUntil | End of the normal validity period. |
| graceUntil | End of the grace period. Aurea may continue operating in grace mode until this time. |

Aurea should keep the last successfully verified license file locally. A temporary API error should not remove or invalidate a local license file that is still within its validity or grace period.
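
The status table of the retrieval endpoint and the offline rule above, combined into one refresh decision as an added Node.js example (not Aurea's own code). `planRefresh`, its return shape and the `verify` hook are hypothetical names; continuing on the cached license after 401 or 404 is an assumption, since the page only asks for those errors to be reported.

```javascript
// Where a verified payload stands at time `now`, using the validity fields above.
function licenseState(payload, now) {
  const t = now.getTime(), v = payload.validity;
  if (!(t >= Date.parse(v.validFrom))) return "not-yet-valid";
  if (t <= Date.parse(v.validUntil)) return "valid";
  if (t <= Date.parse(v.graceUntil)) return "grace";
  return "expired";
}

// response: { status, body } from the license endpoint; status null means no HTTP answer.
// cached: last verified payload or null. verify(body): hypothetical hook that returns the
// payload of a file passing every verification rule and throws otherwise.
function planRefresh(response, cached, now, verify) {
  const keep = (alert) => {
    // The cached file stays authoritative as long as its own dates allow (assumed for 401/404).
    const state = cached ? licenseState(cached, now) : "none";
    const usable = state === "valid" || state === "grace";
    return { store: false, active: usable ? cached : null, state, alert };
  };
  switch (response.status) {
    case 200:
      try {
        const fresh = verify(response.body);
        return { store: true, active: fresh, state: licenseState(fresh, now), alert: null };
      } catch (err) {
        // A download that fails verification never replaces the cached file.
        return keep("downloaded license rejected: " + err.message);
      }
    case 401: return keep("license download token missing, malformed or invalid");
    case 404: return keep("check organizationId and token pairing");
    case 409: return keep("license not currently available for this organization");
    default: return keep("temporary API or network error");
  }
}
```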

Entitlements

Limits and features

Entitlements describe what the licensed organization can use. Aurea evaluates them locally after the license signature and validity checks pass.

Limit entitlement

{
  "code": "users.active",
  "type": "limit",
  "metric": "active_users",
  "value": 50
}

Feature entitlement

{
  "code": "aurea.core",
  "type": "feature",
  "value": true
}

Resources

Machine-readable contract

These files are provided for implementation, integration testing and security review.