Show pageBack to top This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ====== The AGPL License: An Ultimate Guide for Developers and Businesses ====== **LEGAL DISCLAIMER:** This article provides general, informational content for educational purposes only. It is not a substitute for professional legal advice from a qualified attorney. Always consult with a lawyer for guidance on your specific legal situation, especially when making decisions about software licensing for your business. ===== What is the AGPL License? A 30-Second Summary ===== Imagine a community potluck where everyone brings a dish made from a shared, central cookbook. The rules are simple: you can use any recipe, modify it, and even serve it at your own for-profit restaurant. However, there's one huge condition. If a customer at your restaurant asks for the recipe for the dish you served them, you **must** give them a copy of your exact recipe, including any secret ingredients or improvements you made. You can't just point them back to the original community cookbook; you have to share your own version. This is the core idea behind the **AGPL License**. It's a "free software" license designed for the internet age. It ensures that if you use AGPL-licensed software to provide a service over a network (like a website or a cloud application), anyone who uses that service has the right to get a copy of the software's complete source code, including your modifications. It closes a loophole that existed in older licenses, ensuring that the "freedom to share" extends to the world of online services. * **Key Takeaways At-a-Glance:** * **The Ultimate Share-Alike License:** The **agpl_license** is a "strong copyleft" license, meaning any software you create that is based on or combined with AGPL code must also be licensed under the AGPL. [[copyleft]]. * **It Triggers Over the Network:** Unlike its cousin, the [[gpl_license]], the **agpl_license**'s core sharing requirement is triggered when users interact with the software over a network, not just when you distribute the software itself. This is its most critical and misunderstood feature. * **Crucial for SaaS and Web Businesses:** If your business is a Software as a Service ([[saas]]) provider, using **agpl_license** code in your backend is a major legal decision that requires you to be prepared to share your entire application's source code with your users. ===== Part 1: The Legal Foundations of the AGPL License ===== ==== The Story of the AGPL: Closing the "SaaS Loophole" ==== The story of the **AGPL License** is a direct response to the evolution of the internet. To understand it, we must first look at its famous predecessor, the GNU General Public License, or [[gpl_license]]. The GPL, created by the [[free_software_foundation]] (FSF), pioneered the concept of **copyleft**. Its goal was to ensure that software remained free—meaning users had the freedom to run, study, share, and modify it. The GPL achieved this by stating that if you distribute a program containing GPL code, you must also distribute it under the GPL and make the source code available. This worked perfectly in the age of desktop software, where programs were physically distributed on disks or downloaded as executables. However, the rise of the internet created a new paradigm: the Application Service Provider (ASP), now known as Software as a Service ([[saas]]). Companies could now take powerful GPL-licensed software (like the Linux kernel or a database), modify it heavily, and then run it on their own servers to power a website or web application. Users would interact with the software over the network, but the company never "distributed" the software to them. This became known as the **"ASP loophole"** or **"SaaS loophole."** A company could benefit from the world's collective work on a GPL project without ever having to share their own improvements back with the community, directly subverting the spirit of the GPL. To address this, the FSF released the Affero General Public License in 2002, which eventually became the GNU Affero General Public License, Version 3 (**AGPLv3**) in 2007, designed to work seamlessly with the [[gpl_license]] version 3. The AGPL added one crucial clause that acts as the "network" trigger, ensuring that the freedoms of open source extend to the cloud. ==== The Law on the Books: Copyright and the Network Clause ==== The **AGPL License** is not a statute or a law passed by a legislature. It is a legally binding contract that operates under the principles of [[copyright_law]]. The author of a piece of software automatically holds the copyright to it. A license is simply the author granting you permission to use their copyrighted work under a specific set of conditions. If you violate those conditions, you are committing [[copyright_infringement]]. The most important condition in the AGPLv3 is **Section 13: Remote Network Interaction**. > "Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version..." Let's break this down into plain English: * **"If you modify the Program..."**: This applies if you make any changes, bug fixes, or additions to the original AGPL code. * **"...prominently offer all users interacting with it remotely..."**: This is the trigger. "Users" means anyone using your web app, API, or online service. "Prominently offer" means you can't hide it; it should be reasonably easy for a user to find the offer for the source code. * **"...an opportunity to receive the Corresponding Source..."**: This means the complete, buildable source code for the entire program, including your modifications. This single section is the heart of the AGPL and what makes it fundamentally different from almost every other open-source license. ==== Open Source Showdown: AGPL vs. Other Major Licenses ==== Choosing a software license can feel overwhelming. To understand the AGPL's unique position, it's essential to compare it to other popular licenses. Each one represents a different philosophy on sharing and commercial use. ^ **Feature** ^ **AGPLv3** ^ **GPLv3** ^ **LGPLv3** ^ **Apache 2.0** ^ **MIT License** ^ | **License Type** | Strong Copyleft | Strong Copyleft | Weak Copyleft | Permissive | Permissive | | **Primary Obligation** | Share source code for distributed or network-used software. | Share source code for distributed software. | Share source code only for the LGPL library itself, not your whole app. | Keep original copyright notices. | Keep original copyright notices. | | **Network Use Trigger?** | **Yes (Core Feature)** | No | No | No | No | | **"Viral" Effect** | High. Affects the entire combined program. | High. Affects the entire combined program. | Low. Only affects the library itself. | None. | None. | | **Patent Grant** | Explicit grant of patent rights from contributors. | Explicit grant of patent rights from contributors. | Explicit grant of patent rights from contributors. | Explicit grant of patent rights from contributors. | None. | | **Best For...** | Community-driven web services, APIs, and databases where you want to prevent commercial "freeloading." | Standalone applications, operating systems, and developer tools. | Creating libraries that can be used in proprietary software without forcing the whole app to be open source. | Business-friendly open source, foundation-backed projects. | Maximum freedom for developers with minimal restrictions. | **What does this mean for you?** * If you're building a **web service for public use**, using an AGPL component means your entire service's backend source code likely needs to be made available under the AGPL. * If you're building a **desktop application**, the AGPL and GPL function almost identically. * If you want other companies to build proprietary products using your library, the AGPL is the **wrong choice**; the [[lgpl_license]] or a permissive license like [[mit_license]] would be better. ===== Part 2: Deconstructing the Core Obligations ===== The AGPL, like its GPL parent, is built on a foundation of specific rights and obligations. Understanding these components is critical for compliance. ==== The Anatomy of the AGPL: Key Components Explained ==== === Obligation: The 'Copyleft' Principle === At its core, the AGPL is a **copyleft** license. This is a clever use of [[copyright_law]] to enforce sharing. Instead of using copyright to restrict users (the traditional model), copyleft uses it to grant freedoms with the condition that those same freedoms are passed on to subsequent users. It's often called a "share-alike" or "viral" license. If your code links to or incorporates AGPL code to form a single, derivative work, your entire work must be licensed under the AGPL. This prevents someone from taking AGPL code, adding a small proprietary feature, and closing off the source to the whole project. * **Example:** You use an AGPL-licensed charting library to create a new financial analysis application. Because your application is a [[derivative_work]] of the library, your entire application must be released under the AGPL. === Obligation: The Source Code Conveyance === When the AGPL requires you to provide the "Corresponding Source," it is very specific about what that entails. It's not enough to just dump your code somewhere. You must provide everything another developer would need to build and run the exact version of the software you are providing. This includes: * All source code for all modules and subroutines. * Any build scripts, configuration files, and installation instructions. * Interface definition files. The goal is to ensure the user receives not just a pile of code, but a functional blueprint to recreate and modify the software. === The 'Network' Trigger: Section 13 Explained in Depth === This is the clause that terrifies corporate lawyers and is the reason the AGPL exists. Let's look at practical scenarios: * **Scenario 1 (Triggered):** A company, "SaaS-Corp," takes an AGPL-licensed database, modifies it for performance, and uses it as the backend for their paid project management tool at `app.saas-corp.com`. **The AGPL is triggered.** Any paying customer of SaaS-Corp has the right to request the full source code for the modified database and the project management application built on it. * **Scenario 2 (Not Triggered):** An employee at SaaS-Corp installs the same AGPL database on their work computer to analyze internal company data. The database is never exposed to the public or even to other employees over the company network as a service. **The AGPL is likely not triggered.** This is considered personal/internal use, not providing a remote network service. * **Scenario 3 (Gray Area):** SaaS-Corp uses an AGPL-licensed code-checking tool as part of its internal, automated build process on its private servers. Does this count as "interaction"? The legal interpretation here is less clear and is a subject of much debate. This is where you need a lawyer. === Obligation: Patent Licensing === Like GPLv3, the AGPLv3 contains an explicit patent license. This means that if you contribute code to an AGPL project and you hold a patent that reads on your contribution, you automatically grant a royalty-free license to anyone using that code. This is a defensive measure to prevent someone from contributing code to an open-source project and then suing users for patent infringement—a practice known as patent trolling. ===== Part 3: Your Practical Playbook ===== ==== AGPL Compliance: A Checklist for Your Project ==== Facing an AGPL compliance issue can be daunting. This step-by-step guide is designed to help developers and small businesses navigate the process methodically. === Step 1: Audit Your Codebase === You cannot comply with a license if you don't know it's there. - **Use Automated Tools:** Employ software composition analysis (SCA) tools like Snyk, Black Duck, or FOSSA. These tools scan your project's dependencies and generate a "Bill of Materials" (BOM) that lists all open-source components and their licenses. - **Manual Review:** For smaller projects, manually check the `LICENSE` file in the root directory of every third-party library you use. Look for any mention of "AGPL" or "Affero." - **Track Dependencies of Dependencies:** The biggest risk is often a sub-dependency. Your project might use a permissive MIT-licensed library, but that library might, in turn, depend on an AGPL library. You are still bound by the AGPL's terms. === Step 2: Determine Your 'Use Case' === This is the most critical step. Ask yourself: **How will users interact with the AGPL code?** - **Purely Internal Use:** Is the software only used by employees on internal systems, with no public-facing network interaction? If so, your obligations are minimal. You don't need to offer the source code to the public. - **Distribution:** Are you packaging the software and sending it to customers to install on their own machines? If so, your obligations are the same as the [[gpl_license]]. You must provide the source code along with the application. - **Network Service (SaaS):** Is the AGPL code running on your server and powering a website, API, or other service that users interact with over the internet? **This triggers Section 13.** You must be prepared to offer the source code to all users. === Step 3: Fulfill Source Code Distribution Requirements === If you've determined you need to provide the source code, you must do it correctly. - **The Prominent Offer:** For a web application, a common method is to add a "Source Code" or "Open Source" link in the footer of the web application. This link should lead to a page explaining the user's rights under the AGPL and providing a clear way to get the code. - **Provide the Code:** The easiest way is to provide a link to a public source code repository like GitHub or GitLab where the exact version of the code is tagged. You can also offer it as a `.zip` or `.tar.gz` download. The key is that it must be the **exact source** for the running version of the software. === Step 4: Check for License Compatibility === Not all open-source licenses work together. The AGPL, being a strong copyleft license, has strict compatibility rules. - **Compatible:** The AGPLv3 is one-way compatible with the GPLv3. You can combine GPLv3 code into an AGPLv3 project (the combined work will be AGPLv3), but you cannot go the other way. - **Incompatible:** You generally cannot combine AGPL code with code under a permissive license that has additional restrictions (like some older versions of the Apache license with advertising clauses). This can create a legal contradiction that is impossible to resolve. ==== Essential Compliance Artifacts ==== When you distribute software under the AGPL, you must include a few key documents. * **The License Text:** You must include a full, verbatim copy of the GNU AGPLv3 license text, typically in a file named `COPYING` or `LICENSE`. * **The Copyright Notice:** You must preserve all original copyright notices from the software. You should also add your own copyright notice for any modifications you have made. * **The Offer for Source:** For network services, the "prominent offer" itself is a key artifact. This text should clearly state that the service is based on AGPL-licensed software and provide instructions for obtaining the source code. ===== Part 4: Real-World Impact: Disputes and Interpretations ===== While there have been few public court cases specifically litigating the AGPL, its impact is seen more in the business strategies and community debates it has created. ==== Case Study: The MongoDB License Change ==== MongoDB, a popular NoSQL database, was one of the most high-profile projects licensed under the AGPL. Their goal was to prevent large cloud providers (like Amazon Web Services) from taking their open-source code, offering it as a paid service, and contributing nothing back to the project. However, they found that cloud providers were finding ways to work around the AGPL's requirements. In 2018, MongoDB switched its license from the AGPL to its own custom-written license, the Server Side Public License (SSPL). The SSPL is even more explicit than the AGPL, stating that if you offer the database as a service, you must open source not just the database code itself, but **all** of the management software, APIs, and other infrastructure code used to provide that service. This move was controversial but highlights the commercial pressures that led to the AGPL's creation and the ongoing battle between open-source projects and cloud giants. ==== The 'Linking' Debate: What is a Derivative Work? ==== A central question for all GPL-style licenses is what constitutes a "combined" or "derivative" work. If your proprietary application merely calls an AGPL program through a command-line interface, is your application now subject to the AGPL? What if it links to an AGPL library? * **Static Linking:** The general consensus from the [[free_software_foundation]] is that statically linking your code with an AGPL library (where the two are compiled into a single executable) almost certainly creates a single, derivative work. The entire work is then governed by the AGPL. * **Dynamic Linking:** Dynamically linking (where your application calls a separate `.dll` or `.so` file at runtime) is more of a gray area. The FSF argues it still creates a derivative work, while others in the community disagree. This legal uncertainty is why many companies forbid their developers from using any GPL or AGPL libraries at all. For a business, the only safe assumption is that linking to an AGPL library in any form will subject your entire application to the AGPL's terms. ===== Part 5: The Future of the AGPL License ===== ==== Today's Battlegrounds: The Rise of "Source Available" ==== The controversy surrounding MongoDB and other companies has fueled the rise of new "source available" licenses like the Business Source License (BSL) and the Confluent Community License. These are not true [[open_source]] licenses as defined by the Open Source Initiative. They typically operate on a time-delay model: the code is available to view and use, but commercial use as a competing service is restricted for a period of years, after which the license converts to a true open-source license like Apache 2.0. Proponents argue this is a pragmatic middle ground that allows companies to build a sustainable business while eventually contributing back to the community. Critics argue it undermines the core freedoms of open source. The AGPL stands in stark contrast as the purest "freedom-first" approach to this problem. ==== On the Horizon: AI, Machine Learning, and the AGPL ==== The next legal frontier for copyleft is artificial intelligence. This raises complex new questions: * If you use an AGPL-licensed dataset to train a machine learning model, is the resulting model a "derivative work" of the data? * If you then offer that trained model as a service via an API, does the AGPL's network clause require you to release the model's weights, or even the training data itself? These questions are completely unresolved, and there is no legal precedent. As AI becomes more integrated into software services, we can expect the principles of the AGPL to be tested in ways its creators never imagined, potentially leading to new versions of the license or new court battles that will redefine "source code" for the modern era. ===== Glossary of Related Terms ===== * **[[copyleft]]:** A licensing mechanism that uses copyright law to ensure software remains free to use, modify, and distribute. * **[[derivative_work]]:** A legal term under copyright law for a new work based on one or more preexisting works. * **[[free_software_foundation]]:** (FSF) A non-profit organization founded by Richard Stallman to support the free software movement. * **[[gpl_license]]:** (GNU General Public License) The predecessor to the AGPL, a strong copyleft license that triggers on distribution. * **[[lgpl_license]]:** (GNU Lesser General Public License) A "weak copyleft" license designed for software libraries. * **[[mit_license]]:** A popular permissive open-source license with very few restrictions. * **[[open_source]]:** A software development model that makes source code publicly available for modification and enhancement. * **[[saas]]:** (Software as a Service) A software delivery model where software is licensed on a subscription basis and is centrally hosted. * **[[copyright_law]]:** The area of law that grants creators exclusive rights to their original works. * **[[copyright_infringement]]:** The use of works protected by copyright law without permission. * **Source Code:** The human-readable set of instructions written by a programmer. * **Permissive License:** A free software license with minimal requirements about how the software can be redistributed. * **Strong Copyleft:** A type of copyleft where the copyleft provisions apply to all derivative works. ===== See Also ===== * [[gpl_license]] * [[lgpl_license]] * [[mit_license]] * [[apache_license]] * [[copyright_law]] * [[intellectual_property]] * [[open_source_software]]