License FAQ

Answers to some commonly asked questions

While the exact terms of your use of FusionAuth are spelled out in the license agreement and you should definitely have your lawyer read it, we wanted to provide a more human-readable version.

(That said, if there is any conflict between this FAQ and the license agreement, the license agreement wins.)

What does the FusionAuth license apply to?

The FusionAuth license applies to the FusionAuth bundle fusionauth-app, which is used by all of our installation methods (ZIPs, DEBs, RPMs, Docker, K8s, etc.).

The fusionauth-search bundle is vanilla Elasticsearch, and is covered by the version-appropriate Elasticsearch license.

All other code such as client libraries and example applications are covered under their own licenses, which are usually Apache 2.0. Refer to each project for the correct license.

Do I have to pay you to use FusionAuth?

If you use the community plan, you typically won't have to pay us. However, there are some scenarios where you need to have an agreement with us.

What are scenarios where I don't have to pay you?

  • Using FusionAuth internally.
  • Using FusionAuth for your web or mobile application.

What are scenarios where I do have to pay you?

  • If you buy a plan to get access to our premium features.
  • If you host with us, you have to pay us for the hosting.
  • If you buy a support or professional services contract.
  • If you redistribute FusionAuth as part of your application (this is generally referred to as embedding or distributing).
  • If you resell, distribute, or provide FusionAuth hosting for your customers.

I am reselling FusionAuth to my customers. What type of license do I need?

You will need a reseller license for FusionAuth in order to resell it to your customers. This license is usually charged per customer rather than per monthly active user. You should contact our sales team to discuss licensing options. They can be reached via the Contact Us page.

I sell downloadable software that contains FusionAuth. What type of license do I need?

You will need a reseller license for FusionAuth in order to resell it to your customers. This license is usually charged per customer rather than per monthly active user. You should contact our sales team to discuss licensing options. They can be reached via the Contact Us page.

I provide private cloud hosting for FusionAuth for each of my customers. What type of license do I need?

You will need a reseller license for FusionAuth in order to resell it to your customers. This license is usually charged per customer rather than per monthly active user. You should contact our sales team to discuss licensing options. They can be reached via the Contact Us page.

What about the GDPR? Do you have a standard data processing addendum (DPA)?

We have a standard DPA (Data Processing Addendum) we can provide. However, we only execute DPAs with Enterprise plan customers with a contract in place. You should contact our sales team to discuss DPA options. They can be reached through our Contact Us page.

Besides a DPA, you can always reference our license and privacy policies in your documentation. Here are the URLs for those documents:

My organization requires vendors, such as FusionAuth, to use our license agreements. Is that possible?

Custom contracts and legal reviews require various contract minimums. These include the fees and contract length. In most cases, we require a minimum of a 24-month agreement and fees of $15,000/month. We are happy to discuss your specific needs and figure out what will work in your budget. Feel free to contact our team at the Contact Us page.

If you prefer to use our standard pricing, we encourage you to purchase on our website and review our license agreement and privacy policies here:

My organization requires vendors, such as FusionAuth, to undergo security audits and vendor on-boarding. Is that possible?

We know that companies often require in-depth on-boarding processes, including security audits. We are happy to work with you to complete these tasks, but we require contract minimums in order to do so. In most cases, we require a minimum of a 24-month agreement and fees of $15,000/month. We are happy to discuss your specific needs and figure out what will work in your budget. Feel free to contact our team via our Contact Us page.

If you prefer to use our standard pricing, we encourage you to purchase on our website and review our license agreement and privacy policies here:

Who owns my data in FusionAuth?

You do. You grant us a license to use this data solely for the purpose of fulfilling our obligations to you.

Can I migrate my data off of FusionAuth?

Absolutely. If you self host, you can use the APIs or access the underlying database. If you host with us, we can provide you with a database dump; please open a support ticket with this request.

Do you keep the information I share with you confidential?

Yes!

What if FusionAuth breaks my stuff?

In general, we guarantee that this software will work as outlined in the documentation.

If you have a support contract, please file a ticket and we'll get it fixed. If you have found a bug, please open a GitHub issue.

Can I modify the FusionAuth Software?

Not currently. If you have a feature you'd like added, please let us know. The best way to do that is to file a support ticket if you have a support contract. Otherwise, please open a GitHub issue detailing the feature request.

If you change anything within FusionAuth, we won't guarantee it will continue to work as expected, or at all.

Can I decompile the source code?

Not currently. The source code for the fusionauth-app bundle and all closed source libraries owned by FusionAuth cannot be decompiled or reverse engineered. This prevents companies from forking FusionAuth and creating their own solution to sell to their customers (as Amazon has done with Elasticsearch).

What about code or docs released as open source? Can I modify those?

Yes.

We release example apps, supporting libraries and documentation under the Apache 2.0 license, and those are modifiable as specified by that license.

This FAQ only applies to the code distributed under the FusionAuth license.

I have a paid license for an Essential plan. Do I need a license key for my development/QA/UAT servers to access the Essential features?

If you log in to your account portal, you will see both a "Production license id" and a "Non-production license id" under the "Plan" section.

Use the latter for your non-production environments.

How can we obtain FusionAuth source code should the business cease?

We plan to be around for a long, long time! But we understand your concerns.

We are happy to add contract provisions for source code release if FusionAuth dissolves. This is sometimes known as source code escrow.

This requires purchase of an Enterprise plan with a custom contract. You should contact our sales team to discuss options. They can be reached via our Contact Us page.

Can our company be excluded from your customer list and other promotional materials?

Yes. We love to promote our customers, but understand that sometimes you may be in stealth mode or otherwise averse to publicity.

Let us know this by filing a support ticket stating you wish to remain anonymous.

If we publish something and you need it to be removed, please contact us and we'll resolve the issue.

Do I need a reseller's agreement?

We're more than happy to chat about this topic, but the rule of thumb is: if you have more than one production instance of FusionAuth and are charging money to access it, you are reselling and need a reseller's license.

A few examples of reselling:

  • Managed applications, each running in a customer's data centers with FusionAuth as the auth system.
  • An application running in a private cloud, with one instance of the application and FusionAuth per customer.

If you have one production instance and you are charging your users, you are not reselling FusionAuth. If you have multiple production instances but are not charging users for application access, you are not reselling either.

A few examples of what is not reselling:

  • A SaaS application where users may create their own tenants in FusionAuth. Even if these customers then have customers of their own who are logging in using FusionAuth and are charging money, this is not reselling.
  • A consulting company that buys FusionAuth on behalf of customers and builds their custom applications on top of it. Contact us if this is your situation; in certain situations we offer commissions if the customer purchases FusionAuth based on a recommendation.

If you have more questions about reselling, please feel free to contact us.

How often is billing done?

We can bill month-to-month or annually, your choice. You may also sign a multi-year agreement if you'd like. Such an agreement typically requires a contract and wire transfer. Please contact us for more details about this option.

Month-to-month billing occurs on actual MAUs of the preceding month. If you have 10,000 MAUs one month, 30,000 the next and then 10,000 the third, you'd be billed for the MAU count for each month (10,000, then 30,000, then 10,000).

If you'd like to be billed annually because you want a fixed monthly payment, we'll bill you on your estimated average MAUs. At the end of the year, we will settle up any differences from the estimate.

How are monthly active users calculated?

Monthly active users (MAUs) are calculated and reported nightly. An MAU is someone who uses your application in some fashion during the course of a calendar month. This could be a user registering, logging in, or opening your app. MAUs don't include failed logins or users imported with the Import API.

For example, if a user logs in 1,000 times during a month, they count as 1 MAU.

Here's a more technical description of an 'active' user.

I need to run my servers airgapped. How does licensing work in this scenario?

Since version 1.26, FusionAuth supports airgapped licensed deployments. You can install your license text in the administrative user interface or via the API. FusionAuth's advanced features will work without any internet access.

One limitation is the breached password feature. This relies on network access in order to retrieve the database, and so cannot be fully functional in an airgapped environment.

Can you add a VAT number to our invoices?

No. We do not collect VAT on FusionAuth purchases. If VAT applies to you, this is something you will need to ensure is handled correctly to comply with your local tax laws.

Can you change the company name on our invoice?

Yes. Please open a support ticket with your preferred organization name and we'll change it.

However, we cannot modify any previously issued invoices.

Can you change the email address to which our invoice is sent?

Yes. Please open a support ticket with your preferred email address or email addresses and we'll update where the invoice is delivered.

What kind of SLAs are available?

Service level agreements (SLAs) document the availability of your FusionAuth instance. For full details, please review the license, including Exhibit C, which specifies how credits are applied. In particular, unexpected downtime counts against the SLA, but scheduled maintenance does not.

The applicable SLA depends on how you run FusionAuth.

  • For FusionAuth HA Cloud with an Enterprise license, the SLA is up to 99.99%.
  • For any other FusionAuth Cloud instance, there is no SLA available.
  • If you self-host FusionAuth, no FusionAuth-provided SLA is available. Please consult with your operations team to determine the appropriate service level agreement.

If you have further questions about SLAs, contact our sales team. They can be reached at our Contact Us page.

Do you offer non-profit discounts?

Yes, in certain circumstances, we offer discounts to non-profits or educational institutions. You should contact our sales team to discuss this option further. They can be reached via our Contact Us page.

Why isn't FusionAuth open source?

The simple answer is that there are pros and cons to making our intellectual property open source. At this point we have chosen a closed source model for the core product but open source many components as well. All of the docs, website, client libraries, jwt library, mvc, and domains are open source.

We continually discuss this strategy internally and evaluate what is best for the longevity and quality of the product. From our perspective there is a misconception that open source equates to longevity. While it is true that anyone could fork and maintain FusionAuth if it were open source, many open source projects die because there is no maintainer. It is also possible that a company such as IBM, which now owns Keycloak/Red Hat, could choose to no longer support Keycloak, or change the source code licensing model. In other words, the licensing model does not necessarily mean it will be supported or properly maintained.

We understand this is a sensitive topic for many and we do certainly see positive aspects of making the entire platform open source. However, there are no current plans to modify our licensing model.

What are the rebates or remedies if an SLA is not met?

Please see the license for details. In particular, exhibit C, section 3.

I'm not using FusionAuth any more. How can I close my account and cancel my subscription?

We're sorry to see you go! First, if applicable, migrate your data.

Next, in order to delete your FusionAuth account via an email request, you must follow these steps:

  1. Log into your account at https://account.fusionauth.io.
  2. Follow this guide to delete all deployments.
  3. Ensure that your account is on Community plan. If it isn’t, click on "Plan" in the menu on the right and select Change Plan, then select Community and hit "Submit".

Once you have deleted all of your deployments and downgraded to the Community plan, your subscription will be canceled and you won’t be billed going forward.

If you would then like your user information completely removed, please follow these steps.

Historical payment information must be maintained and does not contain any PII.

What protections does my data have in FusionAuth Cloud?

In FusionAuth Cloud, all data is transparently encrypted at rest and in transit. It is stored in the region you select when creating your deployment.

Authorized support personnel, who are all background-checked full-time employees and members of the engineering team, have access to the database. They would only do so when a support issue required it, and such access is logged. Only the engineering team is allowed to access the systems and the database. All commands which escalate privileges on a system are logged, including those which allow access to PII.

I have a paid license for FusionAuth. How can I install the license into my FusionAuth instance?

Please read these instructions which cover the license installation process in detail. If you have further questions, please contact us.

Do you have your ISO 27001 certification?

Nope, we don't hold that particular certification. We have SOC2 Type 2, which is similar, but not ISO 27001.

Can we get the FusionAuth SOC2 report?

We generally limit sharing the SOC2 report to customers with an SLA and support because the requirements for compliance standards go hand in hand with the level of importance for a workload. Please contact our sales team for more information.

Do you support GDPR's user data export requirements?

FusionAuth is a generic storage mechanism for user data, similar to MySQL, Oracle or PostgreSQL. Every organization has different integration strategies. Companies often store user data in many different places. Therefore, it's challenging for FusionAuth to determine where all of the user data for a particular user exists. However, the FusionAuth APIs allow you to collect all of the data you've stored in FusionAuth and combine it with any data stored outside of FusionAuth. Once the data is combined, you can provide it to the user however you wish.

How can we avoid MAU overages with a one-time import of users? We need to load our users into FusionAuth, and are worried about triggering an MAU overage during the one-time import and having to pay a lot of money.

If you use the User Import API, loaded users do not count towards your MAU. If, for some reason, your import process can't use the import API and you will have a one-time spike when you are running it, please open a support ticket with details. We'll investigate and, if appropriate, waive the MAU overages. This waiver is intended for one-time imports, not regular login spikes. It is also only applicable when you have a plan with a contract.

What happens if I want to change my service mid-contract?

A FusionAuth contract is a binding agreement for a particular set of services for the full duration of the contract term. Such a contract often includes price concessions, custom terms, and price protection. 

Sometimes customers want to increase their total contractual commitment mid-term. We consider this an early renewal and offer an updated contract with a new start date as of the date of the contract change. There are no penalties for an early renewal or expansion.

In other scenarios, customers need to shut down a portion of their service, such as one of their dedicated FusionAuth deployments. In this case we can generate a bill for the outstanding contractual commitment being terminated and draft a new contract for the remaining portion, if applicable. Our sales team is always happy to have a discussion about how best to offer value in this scenario, even if it's not an ideal situation for any of the parties to be in.

I can't use the standard license for my needs. How do I get it modified before I can use FusionAuth?

We're happy to work with you on custom licensing. (Our lawyers are too.)

Such changes are typically reserved for clients on the Enterprise plan. Please contact sales to discuss your needs.

What is the release model and cadence for the FusionAuth cloud product?

FusionAuth follows a flexible release model, allowing customers to update at their own cadence. The scheduling of releases varies; however, all updates and new versions are communicated through the FusionAuth Release Notes, providing insight into the frequency of version updates.

How do we learn about roadmap features and maintenance windows?

FusionAuth has a public roadmap available on our GitHub tracker. Additional roadmap information is available on our website as well.

Because FusionAuth provides the freedom to upgrade whenever it aligns best with our customers' operations, maintenance windows for version updates can be scheduled according to your business needs. For customers on paid support plans, FusionAuth can also coordinate a planned maintenance window to monitor your deployment during an upgrade. This ensures that any changes or expected downtime are kept to a minimum to prevent disruptions.

I want to host in AWS region <X> but you don't seem to support it yet.

We can run in any region Amazon Web Services (AWS) supports. Please contact sales to discuss how we can host your FusionAuth instance where you need it.

If I have a licensed plan, does it matter how many deployments a license is installed on? Does the license cost change based on whether I have 1, 2 or 100 instances?

License costs do not change based on the number of instances. The license cost is related only to the production monthly active user count. However, if you are using FusionAuth cloud, you pay per running instance as well.

Do you have SOC (Security Operations Center) for threat analysis?

We do not have a dedicated Security Operations Center (SOC) for threat analysis. However, we do have a cross-disciplinary security team that meets regularly for security reviews, vulnerability analysis, and risk mitigation. We also employ various operational controls such as vulnerability scanning, third-party testing, and annual security training.

Is FusionAuth FIPS compliant?

The FusionAuth software package is not FIPS validated, though we do offer algorithms that are FIPS approved. The version of Java we ship with (Java 21, as of version 1.53.0) is not FIPS compliant. Additionally, we don't use Bouncy Castle's FIPS-certified API, which is a common path for software to be FIPS validated. FusionAuth is also not FedRAMP authorized.

I live in a country currently under USA sanctions. Can I buy FusionAuth?

No. FusionAuth cannot sell our software or services to anyone who lives in a country currently under US sanctions.

Is FusionAuth FERPA compliant?

The Family Educational Rights and Privacy Act (FERPA) specifies how parents and students can access and amend educational data. For an application to comply with FERPA, you need to build your system so the parent gets access and can amend student records. That is something FusionAuth can facilitate; the exact details depend on how you integrate with FusionAuth.

Additionally, FusionAuth has specialized functionality, including the ability to gather consents and the ability to model children, teens and adults in a family, which can help ensure an application is FERPA compliant.

Do you support GovCloud?

Yes, FusionAuth can be run in GovCloud. To do so you'll have to download, install and operate it yourself. FusionAuth Cloud deployments are not available in GovCloud.

How do machine to machine authentication requests using the client credentials grant affect MAU?

Client credentials requests don't affect MAU. The rate of client credentials grant requests is limited by server resources, not by FusionAuth plans.