Buy a Commercial License

Ready to scale your JSON Schema management? Our commercial licensing ensures you have the tools and support needed for enterprise deployments while contributing to the continued development of industry-leading JSON Schema technology.

Sourcemeta One is publicly available on GitHub with full source code transparency, enabling comprehensive auditing and community contributions.

Editions

Sourcemeta One is available in two editions:

  • Community: Licensed under the Business Source License 1.1. You may use it as if under the terms of AGPL-3.0, provided that you may not use it for a hosting solution that competes with Sourcemeta. After four years from each release, the code transitions to AGPL-3.0.

  • Enterprise: Includes additional features and supply chain security capabilities not available in the Community edition. Requires a commercial license from Sourcemeta.

Supply Chain Security

Starting with v4.2.2, the Enterprise container image ships with built-in supply chain security and regulatory compliance capabilities:

  • Signed Container Images. Every Enterprise image is cryptographically signed using Cosign and the Sigstore transparency log, allowing you to verify image authenticity and integrity before deployment.

  • Software Bill of Materials (SBOM). Each release includes an SPDX SBOM attached as a signed attestation to the container image, providing full visibility into all vendored, npm, and system-level dependencies for vulnerability management and audit purposes.

  • FIPS-Ready Cryptography. The Enterprise image is built with the OpenSSL FIPS provider (openssl-provider-fips) for all cryptographic operations, supporting organizations that require FIPS 140 compliance.

Verifying Image Signatures

You can verify that an Enterprise container image was built and signed by Sourcemeta's official GitHub Actions pipeline using Cosign. For example:

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/sourcemeta/one/" \
  ghcr.io/sourcemeta/one-enterprise:v4.2.2

Retrieving the SBOM

The SPDX SBOM is attached as a signed in-toto attestation. You can verify and extract it using Cosign. For example:

cosign verify-attestation --type spdx \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/sourcemeta/one/" \
  ghcr.io/sourcemeta/one-enterprise:v4.2.2 \
  | jq -r '.payload' | base64 -d | jq '.predicate'
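
The pipeline above decodes the attestation envelope and prints the SPDX predicate. As an added example (not Sourcemeta's code), the following Python does the same decoding on output that `cosign verify-attestation` has already verified, and also checks that the in-toto subject digest is the image you intend to deploy before listing its packages. The sample digest, package name and function names are constructed for illustration.

```python
import base64
import json

SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"  # predicate type selected by --type spdx


def extract_sbom(cosign_output: str, expected_sha256: str) -> dict:
    """Return the SPDX predicate whose in-toto subject is expected_sha256."""
    for line in cosign_output.splitlines():  # one DSSE envelope per line
        if not line.strip():
            continue
        statement = json.loads(base64.b64decode(json.loads(line)["payload"]))
        if statement.get("predicateType") != SPDX_PREDICATE_TYPE:
            continue
        digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
        if expected_sha256 not in digests:
            continue  # attestation is about a different image
        predicate = statement["predicate"]
        if isinstance(predicate, str):  # assumption: SBOM may be embedded as a JSON string
            predicate = json.loads(predicate)
        return predicate
    raise ValueError("no SPDX attestation bound to the expected image digest")


def package_versions(sbom: dict) -> dict:
    """Map SPDX package name to versionInfo, the input a vulnerability scan needs."""
    return {p["name"]: p.get("versionInfo", "") for p in sbom.get("packages", [])}


def constructed_envelope(sha256: str, predicate) -> str:
    """Build an unsigned sample envelope (constructed test data, not real output)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SPDX_PREDICATE_TYPE,
        "subject": [{"name": "ghcr.io/sourcemeta/one-enterprise", "digest": {"sha256": sha256}}],
        "predicate": predicate,
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json", "payload": payload, "signatures": []})


SAMPLE_DIGEST = "a" * 64  # constructed placeholder digest
SAMPLE_SBOM = {"spdxVersion": "SPDX-2.3", "packages": [{"name": "example-lib", "versionInfo": "1.0.0"}]}
SAMPLE_OUTPUT = "\n".join([
    constructed_envelope("b" * 64, SAMPLE_SBOM),                   # other image: skipped
    constructed_envelope(SAMPLE_DIGEST, json.dumps(SAMPLE_SBOM)),  # string-encoded predicate
])

if __name__ == "__main__":
    print(package_versions(extract_sbom(SAMPLE_OUTPUT, SAMPLE_DIGEST)))
```

This code performs no signature verification itself; feed it only the standard output of a `cosign verify-attestation` run that exited successfully.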

Our Commitment to Excellence

Sourcemeta is led by a member of the JSON Schema Technical Steering Committee, ensuring our solutions meet the highest industry standards and remain aligned with JSON Schema ecosystem developments. As an independent, bootstrapped company without venture capital backing, we maintain complete focus on delivering nothing less than exceptional JSON Schema tooling.

Next Steps

Interested in a commercial license? Contact us at hello@sourcemeta.com to discuss further.