---
title: "Entitlement Tokens | Cloudsmith"
description: "A walkthrough of Entitlement Tokens; how to create, restrict, and permission with the use of tokens using a Maven example."
canonical_url: "https://cloudsmith.com/blog/entitlement-tokens"
last_updated: "2020-11-23T00:00:00.000Z"
---
# Entitlement Tokens | Cloudsmith

Software delivery is often the last, yet frequently neglected, mile of the development lifecycle. For independent software vendors (ISVs), SDK providers, and teams shipping internal tools, the “how” of distribution is just as critical as the “what.” Too often, teams find themselves building and maintaining custom download pages, hosting infrastructure, and complex access controls that add zero value to their core product. These DIY systems are expensive to run, difficult to scale globally, and notoriously easy to misconfigure from a security standpoint.

When software downloads live on generic, third-party domains or lack clear, professional access controls, you risk losing the very thing your product depends on: developer trust. Distribution is an early trust checkpoint for many developers. If a developer hesitates to adopt your software because the delivery method feels disconnected or insecure, you’ve hit a roadblock that slows down your entire adoption funnel.

Software distribution should meet basic expectations for security, access control, and traceability without requiring you to become an infrastructure company. [**Cloudsmith Broadcasts**](https://cloudsmith.com/product/cloudsmith-broadcasts) does all this and more.

```json
{
  "_key": "60bb7241430c",
  "_type": "wistiaVideo",
  "id": "7x40osrcgn",
  "markDefs": null,
  "thumbnail": {
    "_type": "image",
    "asset": {
      "_ref": "image-94534a2d166efccdbcc87d438cdb60bd36a04dc9-1920x1080-png",
      "_type": "reference"
    }
  },
  "title": "Cloudsmith Broadcasts"
}
```

## **What is Cloudsmith Broadcasts?**

Broadcasts is Cloudsmith’s built-in, dedicated software distribution capability designed for delivering packages to customers and partners. It allows your team to publish software through secure, branded endpoints hosted under your own domain. Essentially, it acts as a professional front door for your artifacts, abstracting away the headache of building or maintaining custom download portals.

Built on Cloudsmith’s cloud-native architecture, Broadcasts handles the heavy lifting of global scaling and replication. Whether you are distributing a public CLI tool to thousands of developers or a proprietary SDK to a handful of enterprise partners, Broadcasts ensures your software delivery is available, secure, and on brand. It supports both open-source and commercial distribution, and manages access through granular entitlements and seamless integration with native developer tools.

## **Professional delivery with your own branding**

Your brand shouldn’t stop at your documentation page. Many teams struggle with package endpoints that feel disconnected from their identity, leading to confusion and reduced trust among the developer community. Broadcasts solve this by enabling teams to present their distribution experience with their own identity, featuring the same branding, domain, and look and feel that users expect.

### **Customization and trust**

By using custom domains and tailored presentation settings, you provide extra reassurance. When a user decides whether to install a package, seeing your company’s domain and branding reinforces that the software is authentic and supported.

### **Granular metadata control**

Beyond aesthetics, Broadcasts give you control over the technical presentation of your packages. You can configure how to display package information, download links, and license details to end-users. This flexibility ensures that you are providing the exact context a developer needs to successfully integrate your software, all without compromising Cloudsmith’s built-in security and reliability.

## **Secure and controlled access**

Not all software is meant for everyone. Whether you are protecting commercial IP or managing internal tools, Broadcasts provide a range of access models to fit your distribution strategy.

### **Public broadcasts**

For community tools or public-facing software, public Broadcasts make all packages from a repository openly accessible. This is ideal for increasing the reach of your software without forcing users through unnecessary authentication hurdles.

### **Private broadcasts**

Protecting proprietary content–like premium SDKs or internal artifacts–is a major challenge for many organizations. Setting up secure, access-controlled methods often requires significant engineering time.

Private Broadcasts provide a dedicated, access-controlled portal where you manage access through secure entitlement tokens. This ensures that only authorized partners or internal teams can view and download your packages. It guarantees robust security, compliance, and IP protection without compromising the end-user experience. You get the security of a private repository with the professional interface of a public one.

## **Integration with developer workflows**

The best distribution platform is the one developers don’t have to think about. Developers expect to fetch packages through native tools, whether it’s npm, pip, maven, or a system-level CLI. If your distribution method doesn’t align with these workflows, you create friction that slows down adoption.

Broadcasts are built to integrate directly with native developer tooling. Users can access artifacts through their preferred CLI or CI/CD tools, creating a smooth, workflow-friendly experience. By meeting developers where they already work, you remove the roadblocks that can stall the rollout of new software versions.

## **Actionable insights and analytics**

Distributing software shouldn’t be a black box. Many teams ship artifacts without knowing which versions users actually download, who is using them, or whether adoption is trending up or down.

### **Built-in analytics tools**

Broadcasts include built-in analytics that provide clear visibility into software distribution and adoption. You can track:

- **Download counts**: Understand the raw volume of software consumption.
- **Version adoption**: See which versions are popular and which are being phased out.
- **Geographic distribution**: Identify where in the world your users are located.
- **Access trends**: Monitor trends over time to predict infrastructure needs or marketing success.

### **Optimizing delivery**

These insights help teams optimize their delivery strategies and understand user behavior more deeply. This data is accessible through both the Cloudsmith web app and the API, allowing you to feed these metrics into your own internal business intelligence tools.

## **Getting started**

One of the primary differentiators of Broadcasts is its ease of use compared to DIY alternatives. You don’t need to spend weeks designing a portal or configuring web servers.

### **Enable broadcasts instantly**

You can enable a Broadcast instantly from any existing Cloudsmith repository. This immediately creates a professional interface for your end-users without the need for additional infrastructure.

### **Configuration basics**

The setup process is straightforward:

1. **Brand: **Upload your logo, set your brand colors, and configure your custom domain.
2. **Create**: Navigate to your repository and enable the Broadcast feature.
3. **Secure**: Choose between public or private access and generate entitlement tokens for your users if necessary.
4. **Analyze**: Monitor your performance through the built-in analytics dashboard.

For more information about specific settings, check out the [Cloudsmith Broadcasts documentation](https://docs.cloudsmith.com/software-distribution/broadcasts).

## **Ship value, not infrastructure**

The goal of Cloudsmith Broadcasts is to remove the burden of distribution infrastructure. By reducing operational overhead and security risks, Broadcasts help your team stay focused on what matters most: building your core product.

By aligning distribution with your brand identity and providing the tools for secure, manageable access, you can deliver a professional experience that reinforces trust and accelerates adoption. Stop building custom portals and start broadcasting your software with Cloudsmith.



**Streamline your software delivery **with Cloudsmith Broadcasts today. [Sign up for a free trial](https://app.cloudsmith.com/signup) or [book a demo](https://cloudsmith.com/book-a-demo) to discuss your unique distribution needs.

For organizations, distributing software artifacts effectively is crucial to building strong developer relationships and delivering a seamless experience. Yet, managing and personalizing the distribution of software packages—like SDKs or container images—can be challenging. Cloudsmith, a leader in cloud-native artifact management, has introduced **Broadcasts** to address these needs.

With Broadcasts, Cloudsmith customers can manage, brand, and personalize their software delivery, ensuring a developer-native experience that aligns with the organization’s identity and meets end users where they are.

“_Artifact management is, at its heart, about software distribution, and it’s a natural extension of Cloudsmith’s powerful package delivery network_,” said Alan Carson, co-founder and chief strategy officer at Cloudsmith. “_With Broadcasts, customers can take full control and deliver a branded, professional experience that fosters deeper, richer relationships with their customers._”

### **The New Standard for Artifact Distribution**

Broadcasts transforms software distribution with a streamlined, brandable interface that lets organizations control which software they publicly share. Cloudsmith has incorporated branding elements, custom domains, and analytics, enabling companies to present a unified, professional experience to developers and gain insights into usage.

### **Key Features and Benefits of Cloudsmith Broadcasts**

Broadcasts offers a cohesive, branded distribution experience through these features:

- **Intuitive Setup**: Set up and manage Broadcasts with an easy-to-use interface, providing exact control over which artifacts are distributed, reducing setup time and enabling faster delivery.
- **Custom Domain and Branding**: Organizations can use custom domains and branding elements to create a distribution page that reflects their brand, providing a recognizable and professional experience.
- **Advanced Usage Analytics**: Get insights from download data to understand usage trends, identify revenue opportunities, and enhance brand value.
- **Developer-Native Experience**: Broadcasts integrates with native developer tooling, allowing end users to access artifacts through their preferred CLI or CI/CD tool, creating a smooth, workflow-friendly experience.
- **Global, Lightning-Fast Distribution**: Powered by Cloudsmith’s extensive network, Broadcasts ensures reliable, fast distribution worldwide with over 600 points of presence, so users receive content instantly.

### **How Broadcasts Solves Distribution Challenges**

Cloudsmith’s Broadcasts tackles key software distribution challenges by providing tools to control, brand, and analyze distribution:

- **Branded, Professional Experience**: Customized distribution pages create a seamless, familiar experience for users and reinforce brand identity.
- **Data-Driven Insights**: Analytics provide actionable information on download trends and engagement, supporting marketing strategies and potential revenue growth.
- **Fast, Reliable Access**: Cloudsmith’s network offers high-speed, dependable distribution, allowing organizations to focus on engagement rather than infrastructure.

In a world where developer experience matters, Cloudsmith’s Broadcasts provides a powerful, flexible solution that simplifies software distribution, enhances brand presence, and delivers actionable insights.

Experience the future of artifact distribution with Cloudsmith Broadcasts. See firsthand how you can take control of your software delivery, personalize the experience for your end users, and gain powerful insights into your distribution channels. Schedule a personalized demo with one of our experts to explore how Broadcasts can elevate your organization’s developer engagement and streamline artifact management.

[Book a Demo Today](https://schedule.qualified.com/5ChEKW5) and transform your software distribution with Cloudsmith.

In 2023, Kong’s frustration with its self-hosted distribution solution, Pulp, had reached a breaking point. For some time, the open-source solution, which met Kong’s needs in its early years, had been under strain. As growth made Kong responsible for an increasing share of the internet’s traffic, the criticality of Kong’s distribution ramped up as well. Seamless delivery of its software updates, upgrades, and patches became essential for its clients to maintain their functionality online.

According to Kong’s SVP of Engineering, Saju Pillai, the consequences of a Kong distribution failure could be considerable. “A two-day delay on our side in distributing a patch could translate into millions of dollars lost for an unfortunate customer,” he explains. “So the impact would be unusually high.”

The number of product versions Kong was supporting had grown, the number of assets requiring distribution was increasing, distribution of those assets was becoming more complex, and the tooling and team responsible for it had reached their limits. Challenges and frustrations included:

- the cost and effort for three engineers to maintain their own instance of Pulp;
- frequent CI/CD disruptions;
- repeated complaints from customers; and
- impacts on project agility.

```json
{
  "_key": "2b73d1788941",
  "_type": "video",
  "id": "WbEQ6H8xsWA",
  "markDefs": null,
  "thumbnail": {
    "_type": "image",
    "asset": {
      "_ref": "image-771ef456a9fb6d937ee7b8a2be58093198ebac92-480x360-jpg",
      "_type": "reference"
    }
  },
  "title": "Cloudsmith x Kong",
  "url": "https://www.youtube.com/embed/WbEQ6H8xsWA?feature=oembed"
}
```

Kong’s VP of Engineering explains why Kong chose Cloudsmith and describes the impact of the switch.

## Cloudsmith Awes Engineers

By switching to Cloudsmith, Kong now enjoys specialized, fully-managed, high-volume software distribution on a global scale. “When you think about the amount of energy and time and money that companies spend solving the software distribution problem in-house," says Saju, "I don't think that can be properly justified, anymore, when Cloudsmith exists.”

With Cloudsmith, Kong has transformed its software distribution workflow and strengthened its operational efficiency and resilience. Notable improvements include:

- six-figure savings;
- continuous shipping with zero hiccups;
- agile delivery of custom solutions for design-partner clients;
- increased customer satisfaction; and
- infinite auto-scaling to support growth.

“Once we got the bulk of our assets moved from Pulp into Cloudsmith, we saw an instant drop in escalations,” Saju explains. “The complaints have literally gone to zero.

“Cloudsmith is key to our CI/CD and DevOps stack now,” he adds. “It should be a tool in the DevOps toolkit for everyone.”

For the whole story on why Kong chose Cloudsmith and how life has improved there since the switch, [<u>view the full Kong case study</u>](https://cloudsmith.com/customers/cloudsmith-and-kong).

Now you can go beyond [measuring your bandwidth usage](https://cloudsmith.com/resources/blog/vendors-rejoice-analyse-your-bandwidth-usage) and regain control via Cloudsmith's new bandwidth controls for Entitlement tokens. You can craft tokens with individual usage limits using the UI, API, and CLI, allowing you to decide the exact level of usage for each token.  
  
Combining the new and existing limits for entitlement token, allowances are configurable to provide fine-grained control for any combination of properties. For example, the total amount of bandwidth, number of unique clients using a token, or the maximum number of downloads a token can perform on an individual token basis. Also, you can also scope your [tokens by restrictions](https://help.cloudsmith.io/docs/entitlements-via-the-website-ui#visibility-restrictions) for advanced control of tokens.  
  
If you are a vendor, you may want to have tiered levels of token's for different users. Providing higher or even potentially unlimited allowances to your premium users is now possible, whilst maintaining control of your offering to free users with suitable limits.  
  
The best part is you can provide a lifetime limit for a token, or you can configure a refresh period to refresh the limits after the period has elapsed. For example, a token with a 1 GB daily limit, will allow up to 1 GB of daily usage and more more. After 1 day has passed, the token will be reset allowing another 1 GB of daily usage.  
**How it works**

Within the Cloudsmith UI for Entitlement tokens, you can edit individual tokens to provide visibility restrictions, usage limits, or even provide additional metadata on the token for your own internal requirements.

To provide a bandwidth restriction with a refresh period. You will need to select a unit of Bandwidth _e.g., GB_, and enter a corresponding unit of bandwidth you would like to restrict by (e.g., _1GB_ of bandwidth). A "_Monthly_" refresh may be more than enough for most users but may prevent misuse of tokens from users accidentally using many TB's of data per month.

In this example, fine-grained bandwidth controls will be configured for the amount of bandwidth usage that token is allowed to consume every month. This is accomplished by selecting a few preset values and entering a bandwidth amount within the Edit Entitlement Token form.

```json
{
  "_key": "5a583b8c0d3a",
  "_type": "image",
  "alt": null,
  "asset": {
    "_createdAt": "2025-06-05T07:59:17Z",
    "_id": "image-22bde0fe1b05e32979892d7d388081528f36e456-984x707-png",
    "_rev": "gnJeqIUmT5gWK5E6lfoS0K",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-06-05T07:59:17Z",
    "assetId": "22bde0fe1b05e32979892d7d388081528f36e456",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "V3SijY4p57_N.9tm9tRoD%a1-S^k%K?ao|~p?a-oi^$*",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.391796322489392,
        "height": 707,
        "width": 984
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsSAAALEgHS3X78AAABpUlEQVR4nG1T7Y7bIBDk/d+qfYL70VOr3I+LTm50vcQJ39gYmGqIN/JFRhqxsMswuyzK+QBtLIwxsNZ2aK07vPeIMSKE8Jif4deYeZ6xLAuUcR43rWGM7Y6UUg8iaE/T9ID4OYsdQui+UgpqrVCikA7ewplqSSi3MpigTeScO2jPawzJWmtQ2nmMNw3rHNI0wViHcRw7KRXIzVts91pr32z1/nnD6/Ef/nxccBodRm07IWvItETJnjohaRuol/czfvwa8PP1L34PV5yv90dxzvXaMCUhIbiWPSptz4QfXxpvwxnHzyvO2sNY319a1En9pIZCKArrE5TzsddLnp7KZE3CbbD4+WDbl63bGvoQYax9tIj0oaQsSniYa+lX6Yplra2kr+zaNiRkAG+XQ9zbpkZbepKx0ptxza6nHNOEuB5cSkGIsbcQFeT5XsO9WhEsSUrpLibPKLVAbfMnqbcOZqdl9lpESpGXjHmZsdQFCkB3chR+u9MJdhiQnP3WMjy8N2qr8NljjCNCDndCGYUf/e2AcDggW4v69CP2QFWXeMHRHKEnjf84MULmPlMUZwAAAABJRU5ErkJggg==",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#486888",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#305c88",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#3376ae",
          "foreground": "#fff",
          "population": 0.43,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#9fb5c9",
          "foreground": "#000",
          "population": 0.03,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#8fc2ed",
          "foreground": "#000",
          "population": 0.14,
          "title": "#fff"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#5ca65a",
          "foreground": "#fff",
          "population": 0.12,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#3376ae",
          "foreground": "#fff",
          "population": 0.43,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "Screenshot-2020-09-28-at-11.22.12.png",
    "path": "images/rafvlnhi/production/22bde0fe1b05e32979892d7d388081528f36e456-984x707.png",
    "sha1hash": "22bde0fe1b05e32979892d7d388081528f36e456",
    "size": 63647,
    "uploadId": "CudRrIev35hRfLteQRsz66B6pkGeeXw8",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/22bde0fe1b05e32979892d7d388081528f36e456-984x707.png"
  },
  "caption": null,
  "link": null,
  "markDefs": null
}
```

To configure a 1GB bandwidth limit that resets monthly.

1. Selecting R**efresh token **and choose **Monthly**

_Presets provide values from "Never Reset" to a range between "Daily" to "Annual"._

2. Enter a number to **Restrict by Bandwidth.**

_The number should be between 0 - 1000; you can go higher than 1000; however, the unit of bandwidth provides sensible defaults to keep values readable. (e.g. 1000000 bytes can instead be expressed as 1 Megabyte)._

3. Select a **Unit of Bandwidth.**

_Values range from a single Byte to an insanely large number of Petabytes._

Finally, select Edit to save your changes to the token. These restrictions will take effect almost immediately.

```json
{
  "_key": "df01c6fdc7b2",
  "_type": "image",
  "alt": null,
  "asset": {
    "_createdAt": "2025-06-05T07:59:18Z",
    "_id": "image-01b44dcf6a8c171c4d51ca4e8b59736c98bd54c4-970x718-png",
    "_rev": "gnJeqIUmT5gWK5E6lfoSpF",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-06-05T07:59:18Z",
    "assetId": "01b44dcf6a8c171c4d51ca4e8b59736c98bd54c4",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "V3SigR4o4:?w%#tm9tRoD%Vt-n^k%K?bo|_3.7-oV?xa",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.350974930362117,
        "height": 718,
        "width": 970
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsSAAALEgHS3X78AAABvUlEQVR4nI1TXW/bMAzU//9fG7aXPW7Y0AHt1ixuY+vbkmXZvoGs6SlBCswGQdtkTsfjRQ1+RG8DtAvQ1sMYA6015xACxnH8r0gpoZQCNbiA3lgY6+B3AAJyzh2NEvJOOcZ45JQS5nnGsixQ1kcGo0KeMhcJkGKaJj5VQt4p55w5p5Q4r+uKbdugfIjwziNToRRmSeN677mRTqVmCnmmfBurAHaDxel1wKv2sDHBOI9h0LDW8un3ACUIYLsJ9eXhBR++PuPT9zMe/hhcjDsY0lg0IulzG7VWBpXrH+DPF3z8dsLnHx0D9toyO9KURm5BRD/53rJcd9aqGxzOF4OLDXAxwTrPG5bNteMSoNiEnu/JoVyIcLQU3lrhUcUyt4DEjGoih4y9Npoq6wMsMdptIB4U27SbJVYkhXhP9K21XjMMMR5Fam4BhYXYo9WU6nE3uPSqwsW3H9W6IIwjXAhX7m/HaoPqKaU3N8wFdalQvKV99TMZe9BwfY9Ewr9jEbmY+bqg1IJxHjHVCaptqKTP4yPC0xOmGN713OE9urcNcY7oYgeTzTXgQlr8/oXp9IwlZ6x3/gn3IpSAczwz4F+5d4/e5BYGBQAAAABJRU5ErkJggg==",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#506c7c",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#285c8c",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#c24d4f",
          "foreground": "#fff",
          "population": 0.1,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#acc4d0",
          "foreground": "#000",
          "population": 0,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#fa9f9f",
          "foreground": "#000",
          "population": 0.09,
          "title": "#fff"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#6eb070",
          "foreground": "#fff",
          "population": 0.05,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#c24d4f",
          "foreground": "#fff",
          "population": 0.1,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "Screenshot-2020-09-28-at-11.23.46.png",
    "path": "images/rafvlnhi/production/01b44dcf6a8c171c4d51ca4e8b59736c98bd54c4-970x718.png",
    "sha1hash": "01b44dcf6a8c171c4d51ca4e8b59736c98bd54c4",
    "size": 64885,
    "uploadId": "gy1fwpVA9Nq2zoGBqgYXPkLkCDRJBZGG",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/01b44dcf6a8c171c4d51ca4e8b59736c98bd54c4-970x718.png"
  },
  "caption": null,
  "link": null,
  "markDefs": null
}
```

If you wish to set your limits programmatically, entitlement restrictions are configurable using the [Entitlements API](https://api.cloudsmith.io/#!/entitlements/entitlements_partial_update).  
  
Finally, the easiest way to get started with making programmatic changes to entitlement tokens and applying restrictions is via the [Cloudsmith CLI](https://help.cloudsmith.io/docs/cli). Using the following command, you can all visibility restrictions and usage limits for an entitlement token.

```json
{
  "_key": "970205774f4d",
  "_type": "code",
  "code": "cloudsmith entitlements restrict example/testing/1xYSdAxlIqIV \\\n        --limit-bandwidth=1 \\\n        --limit-bandwidth-unit=gigabyte \\\n        --limit-num-clients=10 \\\n        --limit-num-downloads=1000 \\\n        --limit-package-query=\"package-darwin-amd64\"  \\\n        --limit-path-query=tag:latest \\\n        --limit-date-range-from=2020-01-01T00:00:00Z \\\n        --limit-date-range-to=2077-01-01T00:00:00Z \\\n        --refresh-token=daily",
  "filename": null,
  "language": "text",
  "markDefs": null
}
```

cloudsmith entitlements restrict

```json
{
  "_key": "dac60a5e99f0",
  "_type": "image",
  "alt": null,
  "asset": {
    "_createdAt": "2025-06-05T07:59:18Z",
    "_id": "image-684d4222509cc17e419fc51bd32486a9b3a3a67d-2000x299-png",
    "_rev": "2MVa2LY6RC9Yy6hPJdhc58",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-06-05T07:59:18Z",
    "assetId": "684d4222509cc17e419fc51bd32486a9b3a3a67d",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "400-S+*JyFpIRh",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 6.688963210702341,
        "height": 299,
        "width": 2000
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsSAAALEgHS3X78AAAAg0lEQVR4nJ2MSw6CMABEsQo1EMB7QAuB0B+i6IJ4/ws9A4YFWxcvk5lJXiTbkWJ4UtqZrJ9ImoCoLVFl/kO2gXwTvsiHmbRbpZ6zsojaICrzy529V+tvD3lahWl/JzNvCr9Qjh9uYaEwD7LOIRtLog3xAUesPIn2SB246oBUftsuteMLBhRVTVMjBegAAAAASUVORK5CYII=",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#2c4d56",
          "foreground": "#fff",
          "population": 1.21,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#042c34",
          "foreground": "#fff",
          "population": 71.22,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#042c34",
          "foreground": "#fff",
          "population": 71.22,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#0a788e",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#83e2f5",
          "foreground": "#000",
          "population": 0,
          "title": "#000"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#4d747f",
          "foreground": "#fff",
          "population": 0.07,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#12c8ec",
          "foreground": "#000",
          "population": 0,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "Screenshot-2020-09-28-at-11.43.45.png",
    "path": "images/rafvlnhi/production/684d4222509cc17e419fc51bd32486a9b3a3a67d-2000x299.png",
    "sha1hash": "684d4222509cc17e419fc51bd32486a9b3a3a67d",
    "size": 150089,
    "uploadId": "7gop2Q8khjXudelcc74RXBLSLiVL1Mvk",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/684d4222509cc17e419fc51bd32486a9b3a3a67d-2000x299.png"
  },
  "caption": null,
  "link": null,
  "markDefs": null
}
```

It's that simple to get started!

****The summary: ****Cloudsmith provides a way for vendors to sell, license and distribute software as packages. To any customer, anywhere in the world, across a reliable and performant infrastructure, and handling all licensing and invoicing / billing challenges.

## **The Detail**

As most of the readership of this blog will know, a huge proportion of the software developed around the world is dependent upon the third-party packages and libraries we integrate into our projects.

And whilst a lot of that will be open-source, a surprisingly large amount will be distributed on a commercial basis. Plenty of organizations generate revenue by selling packages and libraries, almost always on a business-to-business (B2B) basis, to clients looking to speed up their own development processes and deliver better software, faster.

Just by way of example, consider the following common use cases:

- The creator of fonts, icons or other similar libraries that may be integrated into web projects
- Creators and/or distributors of core network libraries
- Hardware companies needing to distribute drivers to customers

These organizations have a challenge. They need to sell and distribute the packages they create to customers all over the world, and they need to do so in a way that:

- Is convenient for their own customers
- Is easy and inexpensive to support for themselves, and
- Provides a reliable, performant service

The rest of this short piece will take a look at why that has been a challenge in the past, and how new approaches mean that distributing software packages on a commercial basis is now a piece of cake (clue: it involves Cloudsmith).

## **Commercial Package Distribution: A Short History Lesson**

For the sake of everyone’s sanity let’s not talk about prehistory: when software was shared on floppy discs, compact discs and other physical media. Instead, let us save a little time and jump ahead to the digital days.

Until pretty recently the standard way to distribute any form of software, or resources that a software developer might use, has been to ****put it up on an FTP server and allow customers to download them from there****.

There’s only three problems with that. Unfortunately, between them they make the whole process painful for all concerned:

- First, ‘dumb’ downloads are hard to integrate. Customers have to extract what they’ve bought and figure out how to get it into their own environment and tooling. That can require plenty of work, and things go wrong, which means calls to support and time and effort on all sides wasted.
- Second, it leaves licensing and access control entirely in the hands of the vendor, which is a challenge. It requires figuring out the easiest way to give customers access to the packages they are entitled to (and only those packages), and for the amount of time they are entitled to them.
- Last (and most certainly not least) it doesn’t support modern continuous integration and deployment processes that want to access up-to-date packages on demand rather than download once and use from an on-premises repository.

## **Another Approach: Package Repositories**

Faced with these challenges, many B2B software vendors took a new approach: ****distribute software and libraries as ‘packages’ from package repositories.****

The good news: this involves sharing content, libraries etc as software packages in the specific package format that allows for easy, effectively automated integration into the developer environment.

So for example, if I am a frontend developer working in Javascript, an npm package ‘speaks my language’, integrates directly into my environment and tooling.

Even better, I can connect to package repositories in this way and access them on demand. In other words, whenever a person or process needs them, they can connect and integrate - rather than downloading once and then being responsible for maintaining and updating hundreds or even thousands of packages, dependencies and libraries on-site.

****The problem with this approach, however, was equally simple.**** It requires the vendor building and setting up a private repository and sharing access to that repository with clients all over the world.

Modern development processes demand high levels of availability and performance, so that isn’t a trivial undertaking. It leads to significant amounts of resources just being put into managing and maintaining that infrastructure, resources that were hired to build software.

Oh, and you still have to handle all the complexities around licensing and managing granular access to specific packages and assets.

## **The Solution**

There is another way: let someone else handle the distribution and licensing of commercial software packages and libraries.

What would that service look like? Well, it has to solve the problems we’ve outlined above, so a checklist would look something like this:

1. Take responsibility for availability and scalability, or in other words ensure that packages are there when clients need them, and that the service scales to meet new requirements automatically.
2. Deliver high performance - to customers anywhere on the planet. As many packages are integrated into build processes directly from the repository, it is absolutely essential that this happens fast. And in an age of distributed teams and processes, ****not fast in one place, but fast in any place****.
3. Handle licensing and access controls. Whilst the repository is effectively private, the service will need to allow customers read-only access to the right packages and confirm license agreements without too much fuss.
4. Enable the vendor to share packages in multiple languages and formats as required by customers.

****That, in four brief points, is what we have built at Cloudsmith to support vendors.****

Cloudsmith is ultimately a platform supporting cloud-native, universal and secure public and private repositories. Of course we work with dozens of developer orgs who simply need a single source of truth for the software assets they use every day, and also need to share those assets across distributed teams.

But we also work with vendors sharing assets to clients outside their own organization.

For vendors, using Cloudsmith has a number of advantages, that largely correspond to the benefits of the approach already detailed above:

- We already have in place a fast, reliable, content delivery infrastructure that is used to meet any challenge (so far!), and trusted by thousands of businesses all over the world.
- We pay particularly close attention to performance. Again, as a tool used by distributed teams and processes: ****we have to****. To that end we have production instances in multiple locations around the globe and support configurable edge caching to ensure that a cloud-native distribution network means zero compromise when compared with storing packages on-premises.
- We ensure that all needs around licensing and access control are met in an intuitive way for both customer and vendor. Cloudsmith supports entitlement tokens that deliver access to specific packages across specific time periods, for specific numbers of downloads or clients, all generated and shared automatically via the Cloudsmith API. And we give ****control over access**** to our clients. Their customers don’t have to become Cloudsmith customers just to access packages!
- Lastly, Cloudsmith is universal. It doesn’t matter what you need to distribute in what format, we can almost certainly handle it. So there’s never any need to maintain more than one distribution network.

That isn’t everything of course. We are always working to ensure that our service gets faster, smarter, and more fully-featured. To give a few recent examples:

- We provide comprehensive analytics that show who has downloaded what and when, and macro trends in terms of which packages are proving popular (or unpopular).
- We integrate with Zapier to support no-code integration with leading payment platforms, automating order processing of assets stored on Cloudsmith.
- We support custom domains. From your customer’s perspective, they are always dealing with your business, and connecting to a repository branded in your name.

If you’re a vendor struggling with some of the challenges discussed in this piece, we’d love to talk. We’re pretty sure we can help you!

IoT is slowly, quietly taking over the world. A few years ago, self-ordering fridges, driverless cars, and fully automated homes seemed like the stuff of dreams. And while the technology exists, rollout and adoption is slower than anticipated, amidst security and privacy concerns. That said, IoT is the future, and growth is steady, as the challenges of building and maintaining hundreds of thousands of devices per vendor are getting solved.

Today, there are billions of devices online; with an ultra-wide and global dispersal pattern from the factories that built them. Each device runs firmware, or more commonly a light-weight embedded OS and software written in performant languages like C++ or Rust or more accessible languages like Java or Python.

A company building the latest smart TV, or Fridge, or Japanese-style automated toilet needs to ship their device, fully loaded with working software to control the device, connect to the internet to provide analytics back to HQ and get new versioned updates to introduce new features - or most importantly, to receive security patches.

And that’s where Cloudsmith comes in.

Cloudsmith provides a distribution toolkit for IoT that helps to solve the issues with global rollout at scale.

## **Global Infrastructure At The Edge**

If you need fast, reliable deployment infrastructure; look no further. Cloudsmith provides accelerated edge delivery of software to allow you to stay close to the sea of devices you want to manage. And what’s more, the caching of your packages and artifacts at the edge is configurable, because there is no one-size-fits-all solution. Your needs are bespoke, and Cloudsmith gives you the control to define a best-fit solution for your own needs.

## **Entitlement Tokens**

Cloudsmith enables you to automate the rollout of software using a unique token to manage repository access for each device. Entitlement tokens are read-only access tokens for a Cloudsmith Repository and they can be created to nearly any secure standard.

You can attach metadata; allowing you to store additional information for the device. You can add restrictions to the token; such as a validity period, a specific allowable device IP address or a maximum number of downloads. Each token can be individually managed and filtered to provide tight control of your IP. All of which is accessible via the Cloudsmith first-class API.

## **Analytics**

Track and monitor which devices have received the latest update. You can attribute each download from Cloudsmith to the specific Entitlement Token used, and you can see when and from where it was used. You can also export this data for further ingest into your own big data or analytics platform of choice, giving you an unparalleled view over the status of your IoT fleet and their package/updates status.

## **Universality**

Cloudsmith repositories are fully multi-tenant for package formats. This means you can store all of the package types that we support in one repository, and this repository still works as a native repo with all of the client-side tooling for each format. No more managing multiple repositories if your IoT devices need [Debian packages](/product/formats/debian-repository), [Python packages](/product/formats/python-repository) and even more. Simplify your package management, and gain more control.

### **In Summary**

Cloudsmith provides a “low-gravity” launchpad for IoT software updates at scale. Let us worry about performance, delivery and scalability while you concentrate on building secure software your customers will love.

Our distinguished competition took a puzzling position of “Imagine there’s no versions”.

At Cloudsmith we think that’s crazy. Software versions are what makes software development possible. They make deployment possible. They make distribution possible. How else can you understand and navigate complex dependency trees or be sure your code will interact with a third party’s? Hint - you can’t!

You must care about versions. And updates. It’s the only way to know you are on the latest build; the one with the security fixes and new features. But it’s not about the end-user. It’s about you. How else can you label or tag the push of a new build that’s been verified?

#### **Not a single one of our customers has ever asked us how to architect, build, and deploy versionless software.**

The revolution against versions hasn’t begun - and never will. Versions are here to stay. There is an explosion in the amount of open-source software that all software relies upon, and the only way to manage the chaos is with versioning.

As an example, [Docker](https://cloudsmith.com/docker-registry/) containers are filled with versioned software. You need to know what’s in each and every layer.

Now more than ever, engineers, like you, and like us, need better tools to track, manage, and understand all software pulled into your stack. Cloudsmith was built to tackle this problem, providing a single source of truth across every format you use; providing isolation from public upstreams, and allowing you to interrogate the provenance of any package with insight into security and licensing. These are vital for everyone going forward.

But more than that, there are three key reasons why versions are so important:

****Visibility****

More bluntly - “Knowing what is where”. The dependency tree for any piece of modern software can be vast. You need proper visibility on what packages, libraries and components make up this tree because without it you really are running blind, in more ways than one. Without versions, you don’t have this visibility, and you’re missing the details of the “what”.

****Traceability****

Once you know “What is where” you need to explore “When did something change?”. You should be able to trace back when a particular package or library was updated, modified or even rolled back. Without versions, you can’t do any of this - it’s like a financial audit without figures: it’s lacking the very detail that it requires to be effective.

****Compatibility****

And finally, you need to know “Will this actually work?” You can see what you have, you know when things changed, and now you can determine if the sum of these will, in effect, “make” or “break”. Without versions, you can’t tell. You can’t plan, implement or react effectively. You’re adrift in a sea of unknowns. Breaking changes are real, we have all seen them. This is one of the most important reasons why versions matter.

While we admire the sentiment of imagining a world with no software versions; it’s just not realistic. We fundamentally believe in the opposite; and will continue to build a platform that gives you a more profound understanding of versions; not one that muddies the very clarity you need to develop better, faster, more maintainable products.

Versions aren’t going anywhere.

At Cloudsmith we love playing video games, everything from Super Meat Boy to Halo, Fortnite to Candy Crush. We’ve got a big Pac Man money box sitting on the office shelf. Steve Collins, of Havok fame, is on our Board of Directors. Quite simply, gaming is in our DNA.

When we started Cloudsmith we made a list of customers we’d love to work with someday and there were numerous games studios on the list. It was a proud moment for the team when the first games company signed up to distribute its software globally. Since then more major studios have followed suit. It’s truly exciting to be a part of the deployment and delivery process for companies we really admire.

### **We pay homage to a few video game greats with our pop culture banners in our documentation; see [Alpine](https://help.cloudsmith.io/docs/alpine-repository), [Go](https://help.cloudsmith.io/docs/go-registry), [Composer](https://help.cloudsmith.io/docs/composer-repository), and [Terraform](https://help.cloudsmith.io/docs/terraform-modules-repository). Can you guess the games on which each is based?**

Cloudsmith can solve many problems for games companies, but what is most unique about a games company is that they are the software companies that can make use of all three of our primary use cases:

****Development****

The beating heart of any games company is its Intellectual Property. Now, of course, this consists of game characters, themes, and franchises, but it also consists of a lot of proprietary code, libraries and packages, game engine components, and sound and graphic assets. Protecting this IP, while also granting globally distributed internal development teams easy access so that they can work with it is a major challenge. Cloudsmith private repositories allow a games company to centrally manage its software assets, provide secure access for development teams worldwide, and also deliver performant global availability.

****Deployment****

A games company requires a lot of infrastructure to operate effectively. Significant resources are required to facilitate both internal development teams and any customer-facing environments for matchmaking and multiplayer services. This may take the shape of on-prem servers or cloud-based environments, but building and managing this infrastructure is a complex task. Even when automated through tools such as Terraform, Ansible, Puppet, Chef, and others, it still requires that these tools have a central source-of-truth for the packages and modules that they require. The universal package support offered by Cloudsmith means that it is easier for internal DevOps teams to manage these builds and deployments.

****Distribution****

Games companies often need distribution of software assets and packages for a few different use cases, like distribution of software assets to licensed customers or distribution of packages and libraries to 3rd party development partners. To do this, they require fine-grained control over access, and visibility into download activity and usage. Cloudsmith’s extremely flexible Entitlement Token system allows the creation of unique, read-only access tokens that grant access to specific packages or assets. These tokens can have multiple restrictions attached, such as limiting access to specific packages, for a specific timeframe, from specific locations, and even a maximum number of downloads or bandwidth use. Any read activity on the repository is attributed and associated with an Entitlement Token and therefore users can be precisely monitored and analyzed.

As an example, we’re solving two use-cases for one such customer:

- Supporting the management of Debian deployments to their IT infrastructure, including isolating public packages through our recently launched Upstream Proxy & Caching feature,
- Enabling the distribution of private core dependencies to their partners, which utilizes our Entitlement token system.

As we mentioned, we love playing video games, and being part of the deployment and delivery process for companies that create them is something we’ll be forever excited about. Whether it’s [development](https://cloudsmith.com/product/for-development/), [deployment](https://cloudsmith.com/product/for-deployment/), [distribution](https://cloudsmith.com/product/for-distribution/), or the full trifecta, Cloudsmith is here to help support and solve many of the problems games companies face all in one platform.

Don’t just take our word for it though - [start a free trial](https://cloudsmith.com/signup/) and check it out for yourself!

The following is a true story. It doesn’t have a happy ending.

****_Horrors lurk beneath the trap door, for there is always something down there, in the dark, waiting to come out..._****

The Thing Upstairs glares across the conference table, already knowing the horrible truth, “What license does it have?”

Berk confidently replies, “GPL version 3.”

Two months prior.

Berk is an experienced software developer at a well-known consultancy firm, TrapDoor Inc. He’s worked his way up the ranks, paid his dues, and has been given his first solo project.

A customer has asked TrapDoor Inc. to architect and build a software tool. The problem specification is well-defined, but the solution design, architecture, and implementation details can all be decided by Berk.

The high-level design gets approved, and Berk gets to work. The agreement with the customer is to release often and early as they too are a software consultancy and can run tests internally and externally on their customers’ sites.

After about five weeks of development, the first alpha is released.

A week later the second.

A week after that, the third iteration is released to much fanfare. Good, steady progress is being made.

Only then does The Thing Upstairs stir and decide to code review Berk’s solution. The findings are shocking. Berk’s solution relies heavily on an open-source project with a copyleft GPL v3.0 license.

That’s bad.

Really bad.

_Copyleft is the practice of granting the right to freely distribute and modify intellectual property with the requirement that the same rights be preserved in derivative works created from that property._

Berk has spent seven weeks writing logic that is attached to the original license, not fit for commercial handover, and now likely being run illegally on customer sites, without the proper license or attribution.

Worst of all, the original source code for the dependency was copied into a TrapDoor Inc. repository and modified with Berk having explicitly deleted the license file.

Little could be done without a page-one, clean-room rewrite, using a dependency with a more permissive license. But we’ll never know. This story doesn’t have a happy ending. Trust was lost. The six-figure project was canceled. The customer refused to pay.

All because Berk didn’t think licensing was important.
