While the exact terms of your use of FusionAuth are spelled out in the license agreement and you should definitely have your lawyer read it, we wanted to provide a more human-readable version.
(That said, if there is any conflict between this FAQ and the license agreement, the license agreement wins.)
The FusionAuth license applies to the FusionAuth bundle fusionauth-app, which is used by all of our installation methods (ZIPs, DEBs, RPMs, Docker, K8s, etc.).
The fusionauth-search bundle is vanilla ElasticSearch, and is covered by the version-appropriate ElasticSearch license.
All other code such as client libraries and example applications are covered under their own licenses, which are usually Apache 2.0. Refer to each project for the correct license.
If you use the community plan, you typically won't have to pay us. However, there are some scenarios where you need to have an agreement with us.
You will need a reseller license for FusionAuth in order to resell it to your customers. This license is usually charged per customer rather than per monthly active user. You should contact our sales team to discuss licensing options. They can be reached via the Contact Us page.
We have a standard DPA (Data Processing Addendum) we can provide. However, we only execute DPAs with Enterprise plan customers with a contract in place. You should contact our sales team to discuss DPA options. They can be reached through our Contact Us page.
Besides a DPA, you can always reference our license and privacy policies in your documentation. Here are the URLs for those documents:
Custom contracts and legal reviews require various contract minimums. These include the fees and contract length. In most cases, we require a minimum of a 24-month agreement and fees of $15,000/month. We are happy to discuss your specific needs and figure out what will work in your budget. Feel free to contact our team at the Contact Us page.
If you prefer to use our standard pricing, we encourage you to purchase on our website and review our license agreement and privacy policies here:
We know that companies often require in-depth on-boarding processes, including security audits. We are happy to work with you to complete these tasks, but we require contract minimums in order to do so. In most cases, we require a minimum of a 24-month agreement and fees of $15,000/month. We are happy to discuss your specific needs and figure out what will work in your budget. Feel free to contact our team via our Contact Us page.
If you prefer to use our standard pricing, we encourage you to purchase on our website and review our license agreement and privacy policies here:
You do. You grant us a license to use this data solely for the purpose of fulfilling our obligations to you.
Absolutely. If you self host, you can use the APIs or access the underlying database. If you host with us, we can provide you with a database dump; please open a support ticket with this request.
Yes!
In general, we guarantee that this software will work as outlined in the documentation.
If you have a support contract, please file a ticket and we'll get it fixed. If you have found a bug, please open a GitHub issue.
Not currently. If you have a feature you'd like added, please let us know. The best way to do that is to file a support ticket if you have a support contract. Otherwise, please open a GitHub issue detailing the feature request.
If you change anything within FusionAuth, we won't guarantee it will continue to work as expected, or at all.
Not currently. The source code for the fusionauth-app bundle and all closed source libraries owned by FusionAuth cannot be decompiled or reverse engineered. This prevents companies from forking FusionAuth and creating their own solution to sell to their customers (i.e. like Amazon has done with ElasticSearch).
Yes.
We release example apps, supporting libraries and documentation under the Apache2 license, and those are modifiable as specified by that license.
This FAQ only applies to the code distributed under the FusionAuth license.
If you log in to your account portal, you will see both a "Production license id" and a "Non-production license id" under the "Plan" section.
Use the latter for your non-production environments.
We plan to be around for a long long time! But we understand your concerns.
We are happy to add contract provisions for source code release if FusionAuth dissolves. This is sometimes known as source code escrow.
This requires purchase of an Enterprise plan with a custom contract. You should contact our sales team to discuss options. They can be reached via our Contact Us page.
Yes. We love to promote our customers, but understand that sometimes you may be in stealth mode or otherwise averse to publicity.
Let us know this by filing a support ticket stating you wish to remain anonymous.
If we publish something and you need it to be removed, please contact us and we'll resolve the issue.
We're more than happy to chat about this topic, but the rule of thumb is: if you have more than one production instance of FusionAuth and are charging money to access it, you are reselling and need a reseller's license.
A few examples of reselling:
If you have one production instance and you are charging your users, you are not reselling FusionAuth. If you have multiple production instances but are not charging users for application access, you are not reselling either.
A few examples of what is not reselling:
If you have more questions about reselling, please feel free to contact us.
We can bill month-to-month or annually, your choice. You may also sign a multi-year agreement if you'd like. Such an agreement typically requires a contract and wire transfer. Please contact us for more details about this option.
Month-to-month billing occurs on actual MAUs of the preceding month. If you have 10,000 MAUs one month, 30,000 the next and then 10,000 the third, you'd be billed for the MAU count for each month (10,000, then 30,000, then 10,000).
If you'd like to be billed annually because you want a fixed monthly payment, we'll bill you on your estimated average MAUs. At the end of the year, we will settle up any differences from the estimate.
Monthly active users (MAUs) are calculated and reported nightly. An MAU is someone that uses your application in some fashion during the course of a calendar month. This could be a user registering, logging in, or opening your app. MAUs don't include failed logins or users imported with the Import API.
For example, if a user logs in 1,000 times during a month, they count as 1 MAU.
Since version 1.26, FusionAuth supports airgapped licensed deployments. You can install your license text in the administrative user interface or via the API. FusionAuth's advanced features will work without any internet access.
One limitation is the breached password feature. This relies on network access in order to retrieve the database, and so cannot be fully functional in an airgapped environment.
No. We do not collect VAT on FusionAuth purchases. If VAT applies to you, this is something you will need to ensure is handled correctly to comply with your local tax laws.
Yes. Please open a support ticket with your preferred organization name and we'll change it.
However, we cannot modify any previously issued invoices.
Yes. Please open a support ticket with your preferred email address or email addresses and we'll update where the invoice is delivered.
Service level agreements (SLAs) document the availability of your FusionAuth instance. For full details, please review the license, including Exhibit C, which specifies how credits are applied. In particular, unexpected downtime counts against the SLA, but scheduled maintenance does not.
The applicable SLA depends on how you run FusionAuth.
If you have further questions about SLAs, contact our sales team. They can be reached at our Contact Us page.
Yes, in certain circumstances, we offer discounts to non-profits or educational institutions. You should contact our sales team to discuss this option further. They can be reached via our Contact Us page.
The simple answer is that there are pros and cons to making our intellectual property open source. At this point we have chosen a closed source model for the core product but open source many components as well. All of the docs, website, client libraries, jwt library, mvc, and domains are open source.
We continually discuss this strategy internally and evaluate what is best for the longevity and quality of the product. From our perspective there is a misconception that open source equates to longevity. While it is true that anyone could fork and maintain FusionAuth if it were open source, many open source projects die because there is no maintainer. It is also possible that a company such as IBM, which now owns KeyCloak/RedHat, could choose to no longer support KeyCloak, or change the source code licensing model. In other words, the licensing model does not necessarily mean it will be supported or properly maintained.
We understand this is a sensitive topic for many and we do certainly see positive aspects of making the entire platform open source. However, there are no current plans to modify our licensing model.
Please see the license for details. In particular, exhibit C, section 3.
We're sorry to see you go! First, if applicable, migrate your data.
Next, in order to delete your FusionAuth account via an email request, you must follow these steps:
Once you have deleted all of your deployments and downgraded to the Community plan, your subscription will be canceled and you won’t be billed going forward.
If you would then like your user information completely removed, please follow these steps.
Historical payment information must be maintained and does not contain any PII.
In FusionAuth Cloud, all data is transparently encrypted at rest and in transit. It is stored in the region you select when creating your deployment.
Authorized support personnel, who are all background-checked full time employees and members of the engineering team, have access to the database. They would only do so when a support issue required it, and such access is logged. Only the engineering team is allowed to access the systems and the database. All commands which escalate privileges on a system are logged, including those which allow access to PII.
Please read these instructions which cover the license installation process in detail. If you have further questions, please contact us.
Nope, we don't hold that particular certification. We have SOC2 Type 2, which is similar, but not ISO 27001.
We generally limit sharing the SOC2 report to customers with an SLA and support because the requirements for compliance standards go hand in hand with the level of importance for a workload. Please contact our sales team for more information.
FusionAuth is a generic storage mechanism for user data, similar to MySQL, Oracle or PostgreSQL. Every organization has different integration strategies. Companies often store user data in many different places. Therefore, it's challenging for FusionAuth to determine where all of the user data for a particular user exists. However, the FusionAuth APIs allow you to collect all of the data you've stored in FusionAuth and combine it with any data stored outside of FusionAuth. Once the data is combined, you can provide it to the user however you wish.
If you use the User Import API, loaded users do not count towards your MAU. If, for some reason, your import process can't use the import API and you will have a one-time spike when you are running it, please open a support ticket with details. We'll investigate and, if appropriate, waive the MAU overages. This waiver is intended for one-time imports, not regular login spikes. It is also only applicable when you have a plan with a contract.
A FusionAuth contract is a binding agreement for a particular set of services for the full duration of the contract term. Such a contract often includes price concessions, custom terms, and price protection.
Sometimes customers want to increase their total contractual commitment mid-term. We consider this an early renewal and offer an updated contract with a new start date as of the date of the contract change. There are no penalties for an early renewal or expansion.
In other scenarios, customers need to shut down a portion of their service, such as one of their dedicated FusionAuth deployments. In this case we can generate a bill for the outstanding contractual commitment being terminated and draft a new contract for the remaining portion, if applicable. Our sales team is always happy to have a discussion about how best to offer value in this scenario, even if it's not an ideal situation for any of the parties to be in.
We're happy to work with you on custom licensing. (Our lawyers are too.)
Such changes are typically reserved for clients on the Enterprise plan. Please contact sales to discuss your needs.
FusionAuth follows a flexible release model, allowing customers to update at their own cadence. The scheduling of releases varies; however, all updates and new versions are communicated through the FusionAuth Release Notes, providing insight into the frequency of version updates.
FusionAuth has a public roadmap available on our GitHub tracker. Additional roadmap information is available on our website as well.
Because FusionAuth provides the freedom to upgrade whenever it aligns best with our customers' operations, maintenance windows for version updates can be scheduled according to your business needs. For customers on paid support plans, FusionAuth can also coordinate a planned maintenance window to monitor your deployment during an upgrade. This ensures that any changes or expected downtime are kept to a minimum to prevent disruptions.
We can run in any region Amazon Web Services (AWS) supports. Please contact sales to discuss how we can host your FusionAuth instance where you need it.
License costs do not change based on the number of instances. The license cost is related only to the production monthly active user count. However, if you are using FusionAuth cloud, you pay per running instance as well.
We do not have a dedicated Security Operations Center (SOC) for threat analysis. However, we do have a cross-disciplinary security team that meets regularly for security reviews, vulnerability analysis, and risk mitigation. We also employ various operational controls such as vulnerability scanning, third-party testing, and annual security training.
The FusionAuth software package is not FIPS validated, though we do offer algorithms that are FIPS approved. The version of Java we ship with (Java 21, as of version 1.53.0) is not FIPS compliant. Additionally, we don't use Bouncy Castle's FIPS-certified API, which is a common path for software to be FIPS validated. FusionAuth is also not FedRAMP authorized.
No. FusionAuth cannot sell our software or services to anyone who lives in a country currently under US sanctions.
The Family Educational Rights and Privacy Act (FERPA) specifies how parents and students can access and amend educational data. For an application to comply with FERPA, you need to build your system so the parent gets access and can amend student records. That is something FusionAuth can facilitate; the exact details depend on how you integrate with FusionAuth.
Additionally, FusionAuth has specialized functionality, including the ability to gather consents and the ability to model children, teens and adults in a family, which can help ensure an application is FERPA compliant.
Yes, FusionAuth can be run in GovCloud. To do so you'll have to download, install and operate it yourself. FusionAuth Cloud deployments are not available in GovCloud.
Client credentials requests don't affect MAU. The rate of client credentials grant requests is limited by server resources, not by FusionAuth plans.