Licensing
ReportForge validates your license key offline after an initial activation. Normal test runs do not phone home.
Offline-first model
After the reporter activates your key, it caches a signed JWT on disk at ~/.reportforge/license.json. Subsequent runs verify the JWT against an Ed25519 public key bundled into the reporter package; no network call required.
The JWT is refreshed automatically when fewer than 24 hours of TTL remain. If the refresh call fails but the cache is still valid, the cache wins and the run proceeds normally. If the server explicitly denies the key (HTTP 4xx), the cache is cleared and PDF generation is skipped on that run.
The reporter verifies the JWT's Ed25519 signature and expiry at every PDF generation run. A corrupted cache file, a mismatch between the bundled public key and the JWT's issuer, or a JWT whose TTL has passed all cause PDF generation to be skipped with a clear error rather than producing an artifact from an unverified license.
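The check order described above, as an added Node.js example (not ReportForge's own code): pin the algorithm to EdDSA, verify the Ed25519 signature, then check expiry, denying on any parse failure. The cache shape `{"token": "<jwt>"}`, the function names and the reason strings are assumptions; the key pair and tokens are constructed for the demonstration.

```javascript
// Added example, not ReportForge source code.
const crypto = require('node:crypto');
const REFRESH_WINDOW_SEC = 24 * 60 * 60; // refresh when under 24 h of TTL remain
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
// cacheText: contents of the license cache file; assumed shape {"token": "<jwt>"}.
// Returns { ok, reason, refreshDue }. Every failure path denies (fail closed).
function checkCachedLicense(cacheText, publicKey, nowSec) {
  const deny = (reason) => ({ ok: false, reason, refreshDue: true });
  try {
    const parts = JSON.parse(cacheText).token.split('.');
    if (parts.length !== 3) return deny('malformed-token');
    const [h, p, s] = parts;
    // Pin the algorithm: the token's own header must not choose the verifier.
    if (fromB64url(h)?.alg !== 'EdDSA') return deny('unexpected-alg');
    // Verify the signature over "header.payload" before trusting any claim.
    const sigOk = crypto.verify(null, Buffer.from(`${h}.${p}`), publicKey,
      Buffer.from(s, 'base64url'));
    if (!sigOk) return deny('bad-signature');
    const exp = fromB64url(p)?.exp;
    if (!Number.isInteger(exp) || exp <= nowSec) return deny('expired');
    return { ok: true, reason: 'valid', refreshDue: exp - nowSec < REFRESH_WINDOW_SEC };
  } catch {
    return deny('corrupt-cache'); // unreadable JSON, missing token, bad base64
  }
}

// Constructed signer standing in for the licensing server (demo only).
function issueToken(privateKey, claims) {
  const input = `${b64url({ alg: 'EdDSA', typ: 'JWT' })}.${b64url(claims)}`;
  const sig = crypto.sign(null, Buffer.from(input), privateKey).toString('base64url');
  return `${input}.${sig}`;
}

// Demo with a throwaway key pair; a real reporter would load its bundled public key.
function demo(nowSec = 1_700_000_000) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const cache = (token) => JSON.stringify({ token });
  const expired = issueToken(privateKey, { exp: nowSec - 60 });
  const [h, , s] = expired.split('.');
  const forged = `${h}.${b64url({ exp: nowSec + 10 ** 6 })}.${s}`; // edited payload, old sig
  return {
    valid: checkCachedLicense(cache(issueToken(privateKey, { exp: nowSec + 72 * 3600 })), publicKey, nowSec),
    expired: checkCachedLicense(cache(expired), publicKey, nowSec),
    forged: checkCachedLicense(cache(forged), publicKey, nowSec),
    corrupt: checkCachedLicense('{"token": "abc', publicKey, nowSec),
  };
}
console.log(demo());
```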
Key lifecycle
- You subscribe at reportforge.org/pricing. An RFSU-XXXX-XXXX-XXXX-XXXX key is emailed and stored in your dashboard.
- You set RF_LICENSE_KEY in your environment or config. The reporter validates the key format offline (HMAC check); no network needed for this step.
- On first run, the reporter calls /api/license/activate with the key and a machine fingerprint. The server checks your subscription status and the 25-machine cap, then returns a signed JWT.
- The JWT is cached. Future runs verify it offline.
- When your subscription renews, your key continues to work; no action needed.
- When your subscription ends or is cancelled, the next refresh is denied and PDF generation stops after the cached JWT expires.
Offline behaviour
| Scenario | Outcome |
|---|---|
| No key set | One-line warning logged; tests run; PDF skipped. |
| Invalid key format | One-line warning; PDF skipped. Tests unaffected. |
| Network unreachable, JWT valid | PDF generated using cached JWT. No warning. |
| Network unreachable, JWT expired | Warning logged; PDF skipped. Tests unaffected. |
| JWT signature invalid (corrupted cache) | JWT rejected at generation time; PDF skipped. Delete ~/.reportforge/license.json and re-run to trigger a fresh activation. |
| Server denies key (4xx) | Cache cleared; warning logged; PDF skipped. |
| Machine cap exceeded | Warning with cap details; PDF skipped. Oldest machine is auto-evicted after 30 days of inactivity. |
Rotating keys
If your key is exposed or you need to revoke CI access, rotate it from your dashboard under the License tab. The old key is invalidated immediately; all machines using it will fail to refresh and stop generating PDFs after their cached JWT expires (within 24 hours).
After rotating, update RF_LICENSE_KEY in all CI environments and on developer machines.