EULA Enforcement

Cloudsmith provides the ability for all Raw format files, if enabled, to require End-User License Agreement (EULA) when a user attempts to download it.

Adding a Custom EULA

Create a EULA

To create a EULA, click "EULA Enforcement" on the left-hand menu in a repository, and then click the green "Create Revision" button:



You will then presented with the Create EULA Revision form, where you can add the content/terms that you wish to display to the user before they can download the file:


Create a EULA Revision

You then click the green "Create Revision" button to create the EULA. You can repeat this process if you need to create subsequent revisions of the EULA.

How do users view and accept a EULA?

View and accept via WebsiteUI

The first time a user attempts to download a raw package using a download link, they will instead see the EULA:


Once the user has clicked the "Yes, I Agree + Download File" button, the download will start.

Accept via URL / Command Line

If a user wishes to accept the EULA without visiting the HTML page, ?accept_eula=1 can be suffixed onto the URL link for the raw package (which would otherwise display the EULA) to accept it. The number appended to the accept_eula parameter specifies the revision of the EULA that is being accepted:



TOKENYour Cloudsmith Entitlement Token (see Entitlements for more details)
OWNERYour Cloudsmith account name or organisation name (namespace)
REPOSITORYYour Cloudsmith Repository name (also called "slug")
FILENAMEThe name of the raw file

For Example:


EULA for Entitlement Tokens


EULA for Entitlement Tokens is currently in Early Access. If you'd like to be included in early access to this feature please contact us.

You can specify that a EULA must be accepted before an Entitlement Token can be used. This will allow you to enforce EULA acceptance for any package format, as Entitlement Tokens are used to provide controlled, read-only access to any artifact in a repository.

To require EULA acceptance for an Entitlement Token, you need to select the option when editing an Entitlement Token:

If checked, then a client will be compelled to go to the token-based URL for EULA acceptance, before they are able to use the token to download files. Note that this also requires EULA enforcement to be enabled on the repository.

How do I track what my customers have downloaded?

You can see them in "Download Logs" within a repository. These are processed asynchronously so they don't appear immediately after a download happens, but within a short-time (usually within 5 minutes). If EULA enforcement is enabled, then each Raw package file has gone through the EULA acceptance before download. In other words, it's not possible to download without accepting the latest revision of the EULA.

Hovering over the EULA icon provides detail on which revision was accepted for it, and clicking it brings you to the EULA overview. It will show the name of the entitlement token you've created for that specific customer (or group of customers). E.g. "Microsoft (Token)" if a customer at Microsoft had downloaded it. In summary, we show which customer downloaded which file, when, and having accepted what EULA revision to do so.

Can you change a EULA?

Once a EULA has been created, you (a person with privileges) has exactly one hour to make modifications, then it gets locked. Afterwards you'll no longer be able to edit the EULA revision again. It's only possible to edit the most recent EULA revision within this one hour window. Any previous EULA revisions are never editable.

How do you prevent EULA entities from being lost or deleted?

Any EULAs are covered by the same strong guarantees for data sanctity as the rest of the system; as described in our Security Policy. You cannot directly delete a EULA revision.

How long are EULA entities stored in database?

Permanently until the repository or account is deleted; this can only be done by Admin of a repository, or an Owner of the account. See RBAC question later.

What happens if I unsubscribe?

As per the Privacy Policy we'll keep your data in-tact for a period of time, "Cloudsmith will retain Personally Identifiable Information on your behalf whilst either a) valid grounds for processing exist; or b) a maximum of seven (7) years following termination of your account.". Usually we don't delete customer information early unless specifically requested by you (as the data owner), or for some legal reason.

Will we still be able to have access to the data?

If you want to export your data out of the system, we are happy to help with that. We don't believe in vendor lock-in or restricting the portability of customers. :)

How do you ensure that only authorised persons can manage EULA?

Only users (or users in a team) with Admin access on a repository, or Owner access on the account, can modify EULA revisions. As mentioned previously, they can't edit or delete earlier EULA revisions. What they can do: Add a new EULA revision, enable/disable EULA enforcement for that repository.

Is it possible to restrict access to EULA to certain roles?

As above, EULA are restricted to specific roles already, but it's possible to define your own roles (as such) by creating Teams with the appropriate privileges. For example, you could create a team of users that specifically has Admin access to the repositories (to manage the repository), and then another one that has Write access (for adding new packages). Our recommendation would be to ensure that only appropriate employees have the Admin access, and to greatly restrict who has Owner access on the account itself.

Cloudsmith is the new standard in Package / Artifact Management and Software Distribution

With support for all major package formats, you can trust us to manage your software supply chain.

Start My Free Trial Now
Cookie Declaration (Manage Cookies)