Apply an edition license
This guide walks you through activating the Enterprise edition on a self-hosted SupaCloud instance. Enterprise is unlocked by supplying a valid HS256 license token and a matching signing secret. The instance is otherwise fail-closed: any missing, expired, or invalid token resolves to the Community edition.
Prerequisites
Section titled “Prerequisites”- A running self-hosted SupaCloud instance (see Self-host with Docker Compose).
- The license token string (
SUPACLOUD_EDITION_LICENSE). - The HMAC signing secret used to sign the token (
SUPACLOUD_EDITION_SECRET). The secret must be at least 32 bytes long; shorter secrets are rejected at boot and the instance falls back to Community.
Apply the license
Section titled “Apply the license”-
Set the two environment variables in the location your deployment reads from —
.envfor Docker Compose, your secrets manager, or OpenBao (supacloud/app— see Secret provisioning):Variable Value SUPACLOUD_EDITION_LICENSEThe HS256 JWT license token. SUPACLOUD_EDITION_SECRETThe signing secret, ≥ 32 bytes. For a Docker Compose deployment add both to your
.env:Terminal window SUPACLOUD_EDITION_LICENSE=<your-license-token>SUPACLOUD_EDITION_SECRET=<your-signing-secret> -
Restart the server so the new values are read. The edition is resolved once at startup and cached for the process lifetime:
Terminal window docker compose -f docker-compose.yml -f compose.standalone.yml restart server -
Verify the edition by checking the startup logs for the resolved edition or by navigating to Admin → Features in the operator console. Enterprise features (for example, BYO-OIDC single sign-on) should now be available.
How the license is verified
Section titled “How the license is verified”The server reads SUPACLOUD_EDITION_LICENSE and SUPACLOUD_EDITION_SECRET via
resolve_secret — env var first, then the OpenBao supacloud/app map when the
openbao secret backend is active. It then:
- Checks that the secret is at least 32 bytes; shorter secrets are refused.
- Decodes and verifies the token with algorithm HS256.
- Validates the
expclaim (expired tokens are rejected). - Checks that the
editionclaim equalsenterprise(case-insensitive).
Any failure — wrong secret, expired token, missing claim, or malformed JWT — silently resolves to Community. No error is surfaced to end-users; a warning is written to the server log.
Developer bypass (non-production only)
Section titled “Developer bypass (non-production only)”On a local development instance you can skip the license token entirely by setting:
MODE=devSUPACLOUD_EDITION=enterprise