Sign in & licensing

Shipmoor Team
June 11, 2026

Shipmoor’s licensing is built around one principle: the license lives on your machine, and your code never leaves it. Sign in once; after that, every paid feature is unlocked by a locally verified token — no per-scan license server, no phoning home with your work.

Signing in

shipmoor login      # device-flow auth against your account
shipmoor whoami     # who am I, what plan, what's unlocked
shipmoor logout     # remove the local session

login runs a device flow: it opens the Console (accounts.shipmoor.dev), you approve the device, and a signed license token is stored locally. The free Community scan never requires any of this — sign in only when you want the IC features.

The local license model

The CLI reads a signed license token from, in order:

  1. SHIPMOOR_LICENSE_TOKEN (the token itself, in an env var)
  2. SHIPMOOR_LICENSE_FILE (a path to it)
  3. ~/.shipmoor/license.jwt (where login puts it)

Verification is offline: the token is checked against signing keys embedded in the binary (Ed25519 signatures), so a scan on a plane, in an air-gapped CI runner, or behind a strict proxy works identically. Validation sends nothing to Shipmoor — no source, no file contents, no diffs, no repo paths, and not even the token itself.

The env-var forms exist for CI: inject SHIPMOOR_LICENSE_TOKEN as a secret and the runner is licensed without any interactive step.

Checking your state

shipmoor whoami --json
{
  "schema_version": "shipmoor.identity.v1",
  "authenticated": true,
  "account_id": "acct_…",
  "user_email": "dev@example.com",
  "plan": "ic",
  "entitlements": ["cli_pro", "ide_extension_pro", "agent_harness", "agent_skills", "intent_scan", "repair_guidance"],
  "expires_at": "2027-06-11T00:00:00Z",
  "grace_until": "2027-06-14T00:00:00Z",
  "source": "file",
  "reason": "valid"
}

reason is always a stable code, never null — valid when active, missing when no token is loaded, expired_in_grace / expired_past_grace around renewal, and specific verification-failure codes (invalid_signature, wrong_audience, …) that all degrade to unauthenticated. source reports only a category (none / env / file), never a path.

Expiry and grace

A license carries an expiry and a grace window:

  • Within grace (expired_in_grace): paid features keep working; the CLI nudges you to refresh with shipmoor login.
  • Past grace (expired_past_grace): the binary drops cleanly back to Community behavior — authenticated: false, plan: community, paid features hidden. Nothing breaks; structural scans continue as before.

There is no separate “lapsed” build or mode — it’s the same universal binary at every state. See Capabilities & entitlements for the per-feature view that tools consume.
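Because a token past grace falls back to Community behavior without an error, a CI job that depends on paid checks can assert its license state from the whoami --json fields before scanning. The preflight below is an added example, not Shipmoor's own code; preflight, warn_days, the sample values and the file name are assumptions, as is authenticated staying true during grace.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample in the shape of the `shipmoor whoami --json` output above.
SAMPLE = json.dumps({
    "schema_version": "shipmoor.identity.v1", "authenticated": True,
    "account_id": "acct_EXAMPLE", "plan": "ic",
    "entitlements": ["cli_pro", "intent_scan", "repair_guidance"],
    "expires_at": "2027-06-11T00:00:00Z", "grace_until": "2027-06-14T00:00:00Z",
    "source": "env", "reason": "valid",
})


def _ts(value):
    """Parse the RFC 3339 'Z' timestamps used in the identity document."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def preflight(whoami_json, required, now=None, warn_days=14):
    """Return (ok, messages) for a job that needs the `required` entitlements."""
    now = now or datetime.now(timezone.utc)
    ident = json.loads(whoami_json)
    reason = ident.get("reason", "missing")
    if not ident.get("authenticated"):
        # missing, expired_past_grace and every verification-failure code end
        # up here, so codes this script has never seen also fail closed.
        return False, [f"not licensed: reason={reason} source={ident.get('source')}"]
    absent = sorted(set(required) - set(ident.get("entitlements", [])))
    if absent:
        return False, [f"plan {ident.get('plan')!r} lacks: {', '.join(absent)}"]
    if reason == "expired_in_grace":
        # Assumption: whoami still reports authenticated=true during grace.
        days = (_ts(ident["grace_until"]) - now).days
        return True, [f"license expired, grace ends in {days}d: refresh the token"]
    if (_ts(ident["expires_at"]) - now).days < warn_days:
        return True, [f"license expires in under {warn_days}d"]
    return True, []


if __name__ == "__main__":
    # Usage (hypothetical file name): shipmoor whoami --json | python preflight.py
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    ok, messages = preflight(piped.strip() or SAMPLE, ["cli_pro", "intent_scan"])
    for line in messages:
        print(line, file=sys.stderr)
    sys.exit(0 if ok else 1)
```

Run it as the first step of the job so an expired or unverifiable SHIPMOOR_LICENSE_TOKEN secret stops the pipeline with the reason code in the log.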

Last updated on June 11, 2026
