Dependencies
Before setting up the License service, ensure you have the following dependencies in place:- Organization Manager for organization lifecycle events and realm resolution
- PostgreSQL database for storing license and usage data
- Kafka for event-driven communication with other FlowX.AI services
- Redis for caching and master election
- Keycloak (or compatible OAuth2 provider) for authentication and authorization
- SpiceDB for fine-grained authorization
Infrastructure prerequisites
Configuration
Authorization configuration
PostgreSQL configuration
The License service uses its own dedicated PostgreSQL database.PostgreSQL and Redis credentials: plain env vars still work. The License service is a standard Spring Boot service β it reads the
SPRING_DATASOURCE_* and SPRING_DATA_REDIS_* environment variables shown here. The postgresql.servers/credentials and redis.servers/credentials blocks in the FlowX Helm chartβs values.yaml are the chartβs own secret-to-env-var mapping; they exist to template the same plain env vars from your secrets. You can keep injecting credentials through plain environment variables exactly as before.Redis configuration
The License service includes Redis in its configuration for caching and master election. Configure Redis connection using the standard Redis environment variables. Quick reference:Both
SPRING_DATA_REDIS_* and SPRING_REDIS_* variable prefixes are supported. The SPRING_DATA_REDIS_* prefix is the modern Spring Boot standard and is recommended for new deployments.For advanced Redis deployment modes (Sentinel, Cluster) and SSL/TLS setup, see the Redis Configuration guide. Note that Sentinel and Cluster modes are only supported by the Events Gateway service.
Redis is configured but not actively used by the License service at this time. It is included as part of the standard Spring service setup and may be used in future versions.
Kafka configuration
Core Kafka settings
Topic naming configuration
Kafka topics
The License service consumes events from the following topics:Kafka consumer threads
CAS lib configuration (SpiceDB)
FlowX SaaS connection (self-hosted only)
Usage upload tuning
The License service periodically uploads usage records to FlowX SaaS. These defaults work for most deployments and only need tuning for very large organizations:Logging configuration
Secrets management
The License service requires several secrets to be configured. These should be stored securely and referenced via Kubernetes secrets or a secrets management solution.Deployment
Helm values example
Below is an example Helm values configuration for deploying the License service:Network policies
The License service requires network access to the following services:Monitoring
The License service exposes Prometheus metrics for monitoring. Turn on scraping by setting the pod label:Health endpoints
Verify your setup
The License service pod is running and healthy:
kubectl get pods -l app=licenseThe health endpoint returns HTTP 200:
curl http://license:8080/actuator/healthDatabase migrations completed successfully β check pod logs for
Liquibase: Update has been successfulSpiceDB connection is established β check pod logs for successful CAS client initialization
Kafka topics
ai.flowx.license.usage.v1 and ai.flowx.organization.events.v1 exist and the service can consume from themIngress and CORS
The License service is exposed externally on the admin host. Routing is configured through the FlowX Helm chart, which renders either a Kubernetes Ingress (default) or a Gateway API HTTPRoute per service. CORS handling lives in the service code; only the allowed-origins list is deployment-specific.Service route
The path is set through
services.license.ingress.admin.path (or services.license.gateway.admin.paths) in the chart values.
CORS configuration
Allowed methods, allowed headers (including
Authorization, Content-Type, Fx-Workspace-Id), and credential handling are baked into the serviceβs application.yaml with safe defaults. Override these only if you have a non-standard requirement.
For the complete route reference, Gateway API HTTPRoute configuration, and route customization, see the ingress configuration guide.
Troubleshooting
Database connection failures
Database connection failures
Symptoms: Service fails to start with database connection errors.Solutions:
- Verify the
licensedatabase exists in PostgreSQL - Check that the database user has appropriate permissions
- Ensure network connectivity between the pod and PostgreSQL service
- Verify the JDBC URL format is correct
SpiceDB connection failures
SpiceDB connection failures
Symptoms: Authorization errors or service fails to initialize CAS client.Solutions:
- Verify SpiceDB is running and reachable at the configured host and port
- Check that the SpiceDB token is correct
- Ensure network policies allow gRPC traffic to SpiceDB on port
50051 - Review pod logs for specific CAS client error messages
Kafka consumer issues
Kafka consumer issues
Symptoms: License usage events or organization events not being processed.Solutions:
- Verify Kafka bootstrap servers are reachable
- Check that the
ai.flowx.license.usage.v1andai.flowx.organization.events.v1topics exist - Ensure the service has consumer permissions on the topics
- Check consumer group offsets for lag
Service account authentication errors
Service account authentication errors
Symptoms: 401/403 errors when communicating with other FlowX services.Solutions:
- Verify the Keycloak service account
flowx-license-sais properly configured - Check that client secrets match between configuration and Keycloak
- Ensure the service account has the
view-usersclient role assigned - Verify the service account realm UUID is correct
Related resources
Redis Configuration
Complete Redis setup including Sentinel and Cluster modes
Access Management
Configure roles and access rights
SpiceDB Configuration
Fine-grained authorization setup
IAM Configuration
Identity and access management setup including License service account

