Skip to main content
Manage the local license used for paid runtime-coverage features.
Verification is offline against an Ed25519 public key compiled into the binary. Only the trial and refresh flows make network requests to api.fallow.cloud.

Subcommands

activate

Activate a local JWT or start a 30-day email-gated trial.
JWT input precedence is:
  1. positional JWT argument
  2. --from-file <path>
  3. --stdin
Whitespace is normalized before verification, so copied multiline tokens still work.

Flags

status

Print the current license status, tier, seats, enabled features, and expiry state.
Example output:
If the token is expired but still in the grace window, fallow reports that explicitly and tells you to refresh it. If no token is present, the command suggests starting a trial. If the JWT includes a refresh_after claim (issued at iat + 15 days by api.fallow.cloud) and that timestamp has already passed, status appends a one-line refresh hint. This is a proactive nudge while the license is still valid, not an error.

refresh

Fetch a fresh JWT for the currently active license.
This is the preferred way to renew a token before the hard-fail window is reached.

deactivate

Remove the local license file.

Storage and precedence

By default, the local token is stored at ~/.fallow/license.jwt. On Unix, fallow writes the file with mode 0600 (owner read/write only) so other users on the same host cannot read the bearer token. Windows relies on the ACL of the containing directory. Lookup precedence is:
  1. FALLOW_LICENSE
  2. FALLOW_LICENSE_PATH
  3. ~/.fallow/license.jwt
Use FALLOW_LICENSE on shared CI runners where writing to a user home directory is not desirable.

Exit behavior

Common outcomes:

Actionable error messages

When the backend returns a structured error envelope, fallow maps known code values to targeted hints instead of printing the raw HTTP body: For unknown codes, fallow surfaces the backend’s message field if present, otherwise the raw body.

Clock skew

License verification rejects JWTs whose iat (issued-at) claim is more than 24 hours in the future relative to the local system clock. The same check catches both directions of skew: a JWT signed against a forward-shifted clock and a local machine whose clock is behind reality. Rejection surfaces as a license appears to be issued <duration> in the future error and exits non-zero so paid features fail closed instead of silently honoring a license the local clock cannot validate against. Common non-user causes:
  • CI containers booted without NTP.
  • Machines with a dead BIOS battery.
  • A laptop’s clock drifting after a long sleep.
After confirming the system clock is correct, the default 24h window can be overridden via FALLOW_LICENSE_SKEW_TOLERANCE_SECONDS=<seconds> for environments with predictable drift. Parsing is lenient: unset, empty, unparsable, or negative values all fall back to the default so a typo in a runner env block cannot fail license verification on its own.

See also

Runtime coverage

Understand what the paid runtime-coverage layer adds on top of health analysis.

Coverage setup

Guided first-run workflow that bootstraps the sidecar and writes a collection recipe.