D3E License Management
D3E uses cryptographically signed license JWTs to verify that only authorized customers run D3E control plane components. All control plane components validate the license at startup — no network call is required.
How it works
Your D3E license is a signed JWT (JSON Web Token) using ECDSA P-256 (ES256). It contains:
| Claim | Description |
|---|---|
| sub | Your organization name |
| exp | License expiry timestamp |
| iat | Issue date |
| jti | Unique license ID |
| iss | Issuer (diagrid.io) |
The public key used to verify license signatures is embedded in the D3E binaries at build time. Validation is entirely offline.
Providing the license to D3E
The license is passed as the diagrid.token Helm value at install or upgrade time:
helm install dapr oci://public.ecr.aws/diagrid/d3e-charts/d3e-dapr \
--set diagrid.token="${D3E_LICENSE}" \
...
The Helm chart automatically creates a Kubernetes secret (diagrid-image-token) in the D3E namespace and mounts it into all control plane pods at /var/run/secrets/diagrid.io/token.
License lifecycle
| State | Behavior |
|---|---|
| Valid | Components start normally. No output related to licensing. |
| Expiring soon (within 6 months of expiry) | A warning banner is printed at component startup. Begin the contract renewal process. |
| Grace period (expired, within 90 days) | A warning banner is printed at every startup. Components continue to function. Contact Diagrid immediately. |
| Expired (90+ days past expiry) | Components refuse to start and exit with an error. A new license is required before restarting. |
Renewing your license
When your license is approaching expiry (or has entered the grace period), contact your Diagrid support team to begin the contract renewal process.
Once you receive the new license JWT:
# Update the Helm release with the new license
helm upgrade dapr oci://public.ecr.aws/diagrid/d3e-charts/d3e-dapr \
--reuse-values \
--set diagrid.token="${NEW_D3E_LICENSE}"
After upgrading with the new license, D3E components will restart automatically (Helm triggers a rolling restart when the diagrid-image-token secret value changes). No manual pod deletion is required.
Storing the license securely
The D3E license JWT should be treated as a sensitive credential:
- Store it in a secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or 1Password)
- Do not commit the license JWT to source control
- If using GitOps (e.g., Flux, ArgoCD), use a secrets operator (e.g., External Secrets Operator) to inject the value from your secrets manager
Troubleshooting
Component fails to start with a license error:
- Check the component logs: kubectl logs -n dapr-system deployment/dapr-operator
- Verify the diagrid-image-token secret exists: kubectl get secret diagrid-image-token -n dapr-system
- Confirm the license JWT is not expired: decode the exp claim at jwt.io
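To read the exp claim without the token leaving your machine, the following added example (not part of the original D3E documentation or Diagrid's code) decodes the payload locally and maps it to the lifecycle states in the table above. It does not verify the ES256 signature, because the public key is embedded in the D3E binaries; the 182-day reading of "6 months" and all function names are assumptions.

```python
import base64
import json
import sys
import time

DAY = 86400
GRACE_DAYS = 90   # grace period from the lifecycle table
WARN_DAYS = 182   # assumption: "6 months" approximated as 182 days


def decode_claims(token):
    """Return the JWT payload claims. The signature is NOT verified here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def license_state(claims, now=None):
    """Map the exp claim to the lifecycle states described on this page."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("license has no numeric exp claim")
    if now >= exp + GRACE_DAYS * DAY:
        return "expired"        # components refuse to start
    if now >= exp:
        return "grace-period"   # warning banner at every startup
    if now >= exp - WARN_DAYS * DAY:
        return "expiring-soon"  # warning banner at startup
    return "valid"


def constructed_token(claims):
    """Build an unsigned sample token (constructed, not a real license)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "ES256", "typ": "JWT"}) + "." + enc(claims) + ".c2ln"


if __name__ == "__main__":
    # Reads the license JWT from stdin so it never appears in shell history.
    claims = decode_claims(sys.stdin.read())
    print(claims.get("sub"), claims.get("jti"), license_state(claims))
```

Pipe the token in from your secrets manager or from the mounted file at /var/run/secrets/diagrid.io/token; the output is the organization name, license ID, and lifecycle state.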