# Quota and offline licensing

Offline deployments use a signed JWT to enforce a daily scan quota. The token is verified locally and does not require a network call.

## Token claims (summary)

- `sub`: licensee id
- `iat` and `exp`: issuance and expiry times
- `tier`: maximum scans per UTC day
- `tid`: token id
- `pkg`: product edition

## Enforcement

- Counters are tracked per UTC day.
- Invalid or expired tokens fall back to the anonymous quota.
- An optional policy can hard-fail on invalid tokens instead of falling back.

## Supply paths

- A Docker secret or bind-mounted file is preferred.
- An environment variable is supported; changing it requires a restart.

## Threat model notes

- Optional host binding prevents a token from being reused on another host.
- A hash chain over the counter ledger and a monotonic clock guard against rollback of the counters or the clock.

## Related references

- docs/license-jwt-quota.md
- docs/30_QUOTA_ENFORCEMENT_FLOW1.md
- docs/33_333_QUOTA_OVERVIEW.md
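The following is an added example that is not the project's own code; it shows the whole flow described above in one place: offline verification of the token claims, the per-UTC-day counter, the anonymous fallback and hard-fail policy, optional host binding, and the hash-chained ledger with a clock-rollback check. Everything beyond the claim names is an assumption: HS256 with a shared key is used only so the block runs on the standard library alone (a shipped product would use an asymmetric algorithm so the verifying side cannot mint tokens), the `host` claim name is hypothetical, the ledger is in memory rather than on disk, and the anonymous quota of 5 is a constructed value.

```python
"""Added example (not the project's code): offline quota-token verification
and per-UTC-day enforcement with a hash-chained ledger.
Assumptions: HS256 shared key (stand-in for an asymmetric signature),
hypothetical `host` claim, in-memory ledger, anonymous quota of 5."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ANON_QUOTA = 5       # constructed value for the anonymous fallback quota
CLOCK_SKEW = 60      # seconds of tolerated skew when checking iat

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(key: bytes, claims: dict) -> str:
    """Issuer side; present only so the example is self-contained."""
    h = _b64e(b'{"alg":"HS256","typ":"JWT"}')
    b = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    return f"{h}.{b}.{_b64e(sig)}"

def verify_token(token: str, key: bytes, now: float,
                 host: Optional[str] = None) -> Optional[dict]:
    """Return the claims if the token verifies offline, else None."""
    try:
        h, b, s = token.split(".")
        if json.loads(_b64d(h)).get("alg") != "HS256":   # reject alg=none / confusion
            return None
        expect = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, _b64d(s)):
            return None
        claims = json.loads(_b64d(b))
        if any(c not in claims for c in ("sub", "iat", "exp", "tier", "tid", "pkg")):
            return None
        if not (claims["iat"] - CLOCK_SKEW <= now < claims["exp"]):   # not yet valid / expired
            return None
        if not isinstance(claims["tier"], int) or claims["tier"] < 0:
            return None
        if "host" in claims and claims["host"] != host:   # optional host binding
            return None
        return claims
    except (ValueError, TypeError, AttributeError):      # malformed base64/JSON/structure
        return None

def _entry_hash(day: str, count: int, ts: float, prev: str) -> str:
    return hashlib.sha256(f"{day}|{count}|{ts}|{prev}".encode()).hexdigest()

class QuotaLedger:
    """Append-only scan record; each entry commits to the hash of its predecessor."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []   # (utc_day, count_that_day, timestamp, prev_hash, hash)

    def integrity_error(self, now: float) -> Optional[str]:
        prev = self.GENESIS
        for day, count, ts, prev_hash, h in self.entries:
            if prev_hash != prev or h != _entry_hash(day, count, ts, prev_hash):
                return "ledger tampered"          # an entry was edited or removed
            prev = h
        if self.entries and now < self.entries[-1][2]:
            return "clock rollback"               # wall clock moved behind last entry
        return None

    def count_today(self, now: float) -> int:
        day = time.strftime("%Y-%m-%d", time.gmtime(now))
        last = self.entries[-1] if self.entries else None
        return last[1] if last and last[0] == day else 0

    def record(self, now: float) -> None:
        day = time.strftime("%Y-%m-%d", time.gmtime(now))
        count = self.count_today(now) + 1
        prev = self.entries[-1][4] if self.entries else self.GENESIS
        self.entries.append((day, count, now, prev, _entry_hash(day, count, now, prev)))

def scan(token: str, key: bytes, now: float, ledger: QuotaLedger,
         host: Optional[str] = None, hard_fail: bool = False) -> tuple:
    """Decide whether one more scan may run; returns (allowed, reason)."""
    err = ledger.integrity_error(now)
    if err:
        return False, err
    claims = verify_token(token, key, now, host)
    if claims is None:
        if hard_fail:                              # optional policy: no anonymous fallback
            return False, "invalid token"
        limit, reason = ANON_QUOTA, "anonymous"
    else:
        limit, reason = claims["tier"], "licensed"
    if ledger.count_today(now) >= limit:
        return False, "quota exceeded"
    ledger.record(now)
    return True, reason
```

The integrity check runs before the token is even parsed, so a rolled-back or edited ledger denies the scan regardless of how good the token is; the counter resets only because the UTC day string in the newest entry changes, never because entries disappear.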