License Model
CLAIIM is deployed inside your environment. The license validates locally. There is no phone-home, no license server, and no network call to Nivaya at any point -- including on startup, on each gate request, or during air-gap operation.
TOKEN_SECRET and TIER configuration as described in the install guide.
No phone-home, by design
Phone-home licensing contradicts the sovereign deployment model. A CLAIIM deployment running in an air-gapped environment must continue operating indefinitely without network access to Nivaya. License validation therefore happens entirely locally using an embedded public key.
This is not a cost constraint. It is a product requirement. The customer can verify the no-phone-home guarantee by inspecting the binary and watching network traffic.
What Nivaya does NOT do:
- No license server or HTTP call home
- No usage metering via network
- No reading of Chron data, agent data, or gate traffic
- No telemetry and no usage reporting
No license file required
If no license file is present, CLAIIM runs in evaluation mode. This is the default for Docker Compose installs.
| Limit | Value |
|---|---|
| Max agents | 3 |
| Max AI Orgs | 1 |
| Chron retention | 90 days |
| Production use | No |
| Data residency | Customer-owned database |
| Expires | 60 days from first start (persisted to database) |
| Features included | gate, chron, pim, aiorg, skills, policies, docker_compose |
Gate decisions in evaluation mode log evaluation_mode: true. The admin UI displays a banner: "Running in evaluation mode. Not licensed for production use."
Signed JSON, verified locally
For Professional and Sovereign tiers, Nivaya delivers a signed JSON license file to the customer at purchase. The customer stores it at the path configured by LICENSE_PATH (default: /etc/claiim/license.json).
| Field | Type | Description |
|---|---|---|
| version | int | License format version |
| tier | string | evaluation, professional, or sovereign |
| customer | string | Customer name, shown in admin UI |
| issued_at | RFC 3339 | When Nivaya issued this license |
| expires_at | RFC 3339 | License expiry. CLAIIM warns from 30 days out, denies after expiry. |
| max_agents | int | Maximum active agents. 0 means unlimited (Sovereign only). |
| max_aiorgs | int | Maximum AI Orgs. 0 means unlimited. |
| production_use | bool | If false, gate decisions log evaluation_mode: true |
| data_residency | string | Always "customer-owned-database". Displayed in admin UI. |
| features | string[] | Feature flags unlocked for this license |
| signature | string | Base64 Ed25519 signature over canonical JSON of all other fields |
What each tier unlocks
| Flag | Description |
|---|---|
| helm_chart | Kubernetes Helm chart deployment |
| saml_oidc | SAML / OIDC federation |
| ha | Active-active high availability |
| mssql | MSSQL database support |
| mtls_mesh | mTLS agent mesh (Sovereign) |
| airgap_bundle | Signed air-gap update bundles (Sovereign) |
| compliance_pack | Compliance evidence pack (EU AI Act, ISO 42001, DORA) |
How the signature is checked
CLAIIM embeds the Nivaya license public key as a compile-time constant. No key download, no key rotation endpoint.
| Property | Value |
|---|---|
| Algorithm | Ed25519 |
| Public key | Embedded in binary at build time |
| Canonical form | JSON with keys sorted alphabetically, no whitespace, all fields except signature |
On startup, CLAIIM:
1. Reads the license file from LICENSE_PATH
2. Reconstructs canonical JSON from all fields except signature
3. Verifies the signature field using the embedded Nivaya public key
4. Checks expires_at against the server clock
5. Logs: license verified tier=professional customer="..." expires=...
If verification fails: in evaluation tier, CLAIIM logs a warning and starts in limited mode. In professional or sovereign tier, CLAIIM refuses to start and exits with a clear error.
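The startup check above, sketched in Go as an added example (not CLAIIM's or Nivaya's code). It uses a constructed throwaway key pair and constructed license values, the function names are hypothetical, and it assumes the canonical form matches Go's json.Marshal output for a map (sorted keys, no whitespace, default string escaping).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// VerifyLicense rebuilds the canonical form, checks the signature, then expiry.
func VerifyLicense(raw []byte, pub ed25519.PublicKey, now time.Time) error {
	var f map[string]interface{}
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep integers exactly as written, not as float64
	if err := dec.Decode(&f); err != nil {
		return err
	}
	sigB64, _ := f["signature"].(string)
	delete(f, "signature") // signature covers all other fields
	msg, _ := json.Marshal(f) // sorted keys, no whitespace; escaping is assumed
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("license signature invalid")
	}
	exp, _ := f["expires_at"].(string)
	if t, err := time.Parse(time.RFC3339, exp); err != nil || !now.Before(t) {
		return fmt.Errorf("license expired or expires_at malformed")
	}
	return nil
}

// signLicense stands in for the vendor's issuing step (throwaway key only).
func signLicense(f map[string]interface{}, priv ed25519.PrivateKey) []byte {
	msg, _ := json.Marshal(f) // f has no signature yet: this is the canonical form
	f["signature"] = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg))
	out, _ := json.MarshalIndent(f, "", "  ") // file layout must not affect the check
	return out
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair, not Nivaya's
	lic := signLicense(map[string]interface{}{"tier": "professional", "max_agents": 25,
		"customer": "Example Corp", "expires_at": "2030-01-01T00:00:00Z"}, priv)
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("as issued:", VerifyLicense(lic, pub, now))
	edited := bytes.Replace(lic, []byte(": 25"), []byte(": 9999"), 1)
	fmt.Println("max_agents edited:", VerifyLicense(edited, pub, now))
}
```

Because the signature covers every field, raising max_agents or extending expires_at in the file invalidates it. The signature is checked before expires_at is read, so an unsigned expiry value is never trusted.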
Where limits are enforced
Enforcement is at the control plane layer, not the gate. Gate throughput is not affected by license checks.
- Create agent -- if active agents exceed max_agents, returns HTTP 402 with agent_limit_reached
- Create AIORG -- if AIORGs exceed max_aiorgs, returns HTTP 402 with aiorg_limit_reached
- Feature gate -- if a feature endpoint is called and the flag is not in the license, returns HTTP 402 with feature_not_licensed
Offline delivery
The license file is delivered out-of-band (secure email, USB bundle, or procurement portal). No network connectivity to Nivaya is required at any point.
For Sovereign deployments, the license is included in the signed air-gap bundle alongside Docker images, Helm charts, and migration files. The bundle verification script also verifies the license signature before installation proceeds.
Sovereign licenses have max_agents: 0 and max_aiorgs: 0 (unlimited) and include all feature flags.