Safeguard
Compliance

The GNU Affero General Public License v3.0, Explained

The GNU Affero General Public License v3.0 extends GPLv3 copyleft to software used over a network. Here is what AGPLv3 requires and how it differs from GPLv3.

Safeguard Research Team
Research
6 min read

The GNU Affero General Public License v3.0 is GPLv3 with one decisive addition: a clause that makes network use of the software trigger the obligation to share source code, closing the "software as a service" gap that lets ordinary GPLv3 modifications stay private on a server. If you already understand the GNU General Public License v3.0, you understand roughly 95 percent of AGPLv3 — the remaining 5 percent, Section 13, is the part that changes everything about how it applies to hosted applications.

AGPLv3 is published by the Free Software Foundation and shares almost all of its text with GPLv3. That shared foundation matters, because most compliance questions about the GNU Affero General Public License v3.0 are really GPLv3 questions plus one network-specific twist.

The GPLv3 foundation

Before the twist, the base. The GNU general public license v3.0 is a strong copyleft licence with a few defining obligations that AGPLv3 inherits wholesale:

  • Source disclosure on distribution. When you convey the software (or a binary built from it), you must make the corresponding source available under the same licence.
  • Copyleft / share-alike. Derivative works must be licensed under the same terms, keeping the software and its descendants free.
  • Patent grant. Contributors grant a licence to any patents needed to use their contribution, and there are anti-patent-retaliation provisions.
  • Anti-tivoization. For consumer devices, you must provide the information needed to install modified versions, preventing hardware locks that defeat the freedom to modify.

That is GPLv3 in brief. The gnu general public license v3.0 explained this way is a licence built around one event: distribution. No distribution, no trigger.

Section 13: the network clause

Here is where AGPLv3 departs. Section 13 of the GNU Affero General Public License v3.0 adds a "Remote Network Interaction" requirement. In plain terms: if you modify the software and let users interact with it remotely through a computer network, you must give those users the opportunity to receive the corresponding source of your modified version, at no charge, through some standard means.

The consequence is that the classic GPL workaround disappears. Under plain GPLv3, a company can take the code, modify it heavily, run it only as a web service, and never distribute a binary — so it never has to publish its changes. AGPLv3 treats that network interaction itself as the trigger. If your users touch your modified AGPLv3 software over the network, they are entitled to your source.

This is the entire reason the licence exists. It was written for the SaaS era, to keep networked software as free for its remote users as distributed software is for the people who receive copies.

Who this affects, and how

The practical impact depends on your relationship to the code:

  • You run unmodified AGPLv3 software as a service. Lowest risk. You should still be prepared to point users to the upstream source, but you have no modifications to publish.
  • You modify AGPLv3 software and expose it over a network. Section 13 applies directly. Your modifications must be offered as source to your users under AGPLv3.
  • You embed AGPLv3 code into a larger product served over a network. This is the highest-stakes case, because copyleft can extend to the combined work. Whether a specific integration constitutes a combined work or mere aggregation is a fact-specific legal determination, not something to resolve from a forum thread.

Because the trigger is network interaction rather than shipping a file, teams accustomed to GPL reasoning ("we never distributed it") can be caught off guard. The mental model to carry: with AGPLv3, offering the software to users over a network is the distribution-equivalent event.

Managing AGPLv3 as a compliance concern

AGPLv3 dependencies deserve the same continuous inventory as security vulnerabilities, and for the same reason — both can enter your codebase transitively, several levels below anything you chose directly. A permissively licensed package can depend on another that is AGPLv3, and your top-level licence report will look clean while the obligation sits three hops down.

Sound practice:

  • Inventory licences continuously. A software composition analysis tool should report the licence of every package in your dependency tree, not just direct ones. Our SCA product overview explains how that tree is resolved, and platforms such as Safeguard surface AGPLv3 and other copyleft licences on each component so nothing ships unreviewed.
  • Set an explicit policy. Decide in advance how your organization treats AGPLv3 — permitted for unmodified internal use, reviewed for anything customer-facing or embedded — so engineers have a clear rule rather than an ad-hoc argument per package.
  • Escalate the grey zones. Whether a combination triggers copyleft is a legal call. Engineering flags it; counsel decides it.

None of this makes AGPLv3 a licence to fear. It is a deliberate, widely used choice that keeps networked software free, and many respected projects publish under it. The failures come almost entirely from not knowing an AGPLv3 dependency is present.

FAQ

What is the difference between GPLv3 and the GNU Affero General Public License v3.0?

They are nearly identical except for Section 13 of AGPLv3, the network-interaction clause. GPLv3 triggers source-sharing only on distribution; AGPLv3 also triggers it when users interact with your modified software over a network, closing the SaaS loophole.

Does AGPLv3 require me to open-source my entire application?

Not by default. Running unmodified AGPLv3 software as a service is low risk. The obligation grows when you modify the software served over a network, or embed its source into your product. Whether a given combination extends copyleft to your whole application is a fact-specific legal question.

What does Section 13 of AGPLv3 actually say?

Section 13 requires that if you run a modified version of the software and let users interact with it remotely over a network, you must offer those users access to the corresponding source of your modified version, free of charge, through a standard means.

How do I know if I have an AGPLv3 dependency?

Use a software composition analysis tool that reports the licence of every package in your full dependency tree, including transitive ones. AGPLv3 dependencies frequently enter through a chain of otherwise-permissive packages, so a top-level scan alone will miss them.

More on #gnu-affero-general-public-license-v3-0

View all

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.