The Apache licence — properly the Apache Licence 2.0 — is a permissive open-source licence that lets you use, modify, and redistribute code, including in closed-source commercial products, provided you meet a short list of attribution and notice obligations. It is one of the most common licences you will meet in any dependency tree, and while the licence apache 2.0 is friendly to commercial use, "permissive" is not the same as "no strings attached." This guide covers what the Apache 2.0 licence actually asks of you.
What "permissive" means here
Permissive licences grant broad freedoms and impose light obligations. Under the licence apache, you may use the software for any purpose, modify it, distribute it, sublicense it, and ship it inside proprietary products. Crucially — and this is the key contrast with copyleft licences like the GPL — the Apache licence does not require you to open-source your own code just because you used Apache-licensed components. Your derivative work can stay closed.
That property is why Apache 2.0 is the default choice for a huge share of foundational infrastructure: Kubernetes, Kafka, Spark, Android's core, and much of the cloud-native ecosystem ship under it precisely because companies can build on them without copyleft entanglement.
The obligations you actually have to meet
The freedoms come with conditions. For the apache 2.0 licence, three matter most in practice.
Include the licence and attribution. When you redistribute the software or a derivative — in source or binary form — you must include a copy of the Apache Licence 2.0 and retain the copyright, patent, trademark, and attribution notices from the original.
Preserve the NOTICE file. This is the obligation people miss. If the project ships a NOTICE file, you must carry forward its attributions in your distribution. The NOTICE contents are informational and do not modify the licence terms, and you are allowed to append your own attributions, but you cannot simply drop the upstream NOTICE. Many licence-compliance failures are nothing more sinister than a build process that stripped the NOTICE file.
State your changes. If you modify Apache-licensed files, you must carry prominent notices stating that you changed them. In practice this is usually satisfied by version control history plus a note in modified files, but the obligation is explicit in the licence text.
Notably, there is no requirement to publish your source, no viral relicensing, and no obligation to contribute changes back. Compared to copyleft, the apache licence 2.0 asks for attribution hygiene, not source disclosure.
The patent grant: the real reason Apache 2.0 exists
The feature that distinguishes the Apache licence from the MIT licence is its explicit patent handling. Under Apache 2.0, each contributor grants users a "perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable" patent licence covering their contributions. In plain terms: if someone contributes code to an Apache-licensed project, they cannot later turn around and sue users for patent infringement over that contribution.
There is also a patent retaliation clause: if you initiate patent litigation alleging that the software infringes your patents, your patent licence under Apache 2.0 terminates. That clause deters patent aggression against the project and its users.
MIT and BSD say nothing about patents at all, which leaves a theoretical gap — you get a copyright licence but no explicit patent protection. For anyone worried about patent exposure, this makes Apache 2.0 the more defensively sound permissive choice, which is exactly why so many corporate-backed projects prefer it.
Where Apache 2.0 clashes with the GPL
Compatibility is where teams get tripped up. The Apache licence is compatible with GPLv3: you can combine Apache 2.0 code into a GPLv3 project. But it is incompatible with GPLv2. The reason is the patent-termination clause — the Free Software Foundation considers it an "additional restriction" that GPLv2 does not permit, so the two cannot legally be combined in one work.
This matters concretely when your dependency graph mixes licences. If you pull in an Apache 2.0 library and a GPLv2 library and link them into a single distributed binary, you may have a genuine licence conflict. Catching that requires knowing every licence in your tree, which is why licence data belongs in your software bill of materials. An SCA tool such as Safeguard inventories the licence of every direct and transitive dependency so an Apache-2.0-versus-GPLv2 conflict surfaces in the build rather than in a customer's legal review.
Practical compliance for engineering teams
You do not need a lawyer for routine Apache 2.0 compliance; you need process. Concretely:
- Generate an SBOM on every build and record the licence of each component.
- Automate attribution: produce a THIRD-PARTY-NOTICES file that aggregates the licences and NOTICE contents of your Apache-licensed dependencies, and ship it with your product.
- Verify your build does not strip NOTICE files from packaged artifacts.
- Set a policy gate that flags copyleft-versus-permissive conflicts (the GPLv2 case above) before release.
- Keep the check continuous — a dependency update can change a transitive licence without anyone noticing.
Handled this way, the apache 2.0 licence is one of the easiest to comply with. The failures almost always come from missing attribution mechanics, not from misunderstanding the freedoms.
FAQ
Can I use Apache-licensed code in a closed-source commercial product?
Yes. The Apache Licence 2.0 is permissive and does not require you to open-source your own code. You must include the licence text, preserve copyright and NOTICE attributions, and state any changes to modified files, but there is no source-disclosure or relicensing obligation.
What is the NOTICE file and do I have to keep it?
The NOTICE file carries attribution statements from the project's authors. If a project ships one, you must include its contents when you redistribute the software or a derivative. You may add your own attributions to it, but you cannot remove the upstream ones. Dropping the NOTICE file is a common, avoidable compliance failure.
How is the Apache licence different from MIT?
The main difference is patents. Apache 2.0 includes an explicit patent grant and a patent-retaliation clause; MIT is silent on patents. Apache 2.0 also requires preserving NOTICE attributions and stating changes to modified files, which MIT does not.
Is Apache 2.0 compatible with the GPL?
It is compatible with GPLv3 but not with GPLv2. The Apache patent-termination clause is treated as an additional restriction that GPLv2 disallows, so Apache 2.0 and GPLv2 code cannot be legally combined into a single distributed work.