Safeguard
Concepts

What Is the Apache 2.0 License? A Complete Guide

The Apache License 2.0 is a permissive license with an explicit patent grant and a few conditions that set it apart from MIT and BSD. Here is what it permits, requires, and means for compliance.

Priya Mehta
Security Analyst
Updated 6 min read

The Apache License 2.0 is a permissive open-source license that grants broad rights to use, modify, and distribute software — including an explicit, irrevocable patent license from contributors — in exchange for a handful of conditions: preserving notices, documenting changes, and carrying forward any NOTICE file. Published by the Apache Software Foundation in 2004, it is the license behind projects such as Kubernetes, Android's core, TensorFlow, and Apache's own web server. Its SPDX identifier is Apache-2.0, which is why dependency manifests and license scanners report it as the Apache-2.0 license. It is more detailed than the MIT or BSD licenses precisely because it addresses patents and trademarks head-on, which is why many enterprises consider it the most legally robust permissive option.

This article is general information about how the Apache License 2.0 works. It is not legal advice; consult a qualified attorney for guidance on your specific circumstances.

What the Apache 2.0 License Permits and Requires

Apache 2.0 grants generous rights but attaches more conditions than the minimalist permissive licenses. The table below summarizes them.

CategoryDetails
PermissionsCommercial use, modification, distribution, private use, sublicensing, and an explicit patent grant from each contributor
ConditionsInclude the license and copyright notice; state significant changes made to the files; preserve the NOTICE file if one is present; do not remove existing attribution notices
LimitationsNo trademark rights are granted; no warranty; no liability; the patent grant terminates if you sue a contributor over patents in the work

The standout feature is the patent grant in Section 3. Every contributor to Apache-licensed code grants users a royalty-free, irrevocable patent license covering their contributions. Section 3 also includes a patent-retaliation clause: if you initiate patent litigation alleging that the software infringes, your patent license terminates automatically. This gives downstream users far more certainty about patent exposure than the silence of MIT or BSD.

Is the Apache 2.0 License Copyleft or Permissive?

Apache 2.0 is permissive. You can combine Apache-licensed code with proprietary code, keep your own modifications closed, and redistribute the result under different terms, as long as you honor the notice and change-documentation conditions for the Apache-licensed portions. There is no requirement to license your derivative work under Apache 2.0 or to release its source.

One compatibility nuance matters for anyone mixing licenses: Apache 2.0 is one-way compatible with GPLv3, meaning Apache code can be included in a GPLv3 project but not the reverse. It is generally considered incompatible with GPLv2 because GPLv2 predates and does not accommodate Apache's patent and indemnification terms. If your project touches copyleft code, our comparison pages lay out these compatibility relationships clearly.

What the Apache 2.0 License Means for Your Project and Compliance

For engineering teams, consuming Apache-licensed dependencies is straightforward but carries three concrete obligations that go beyond the single-line attribution of MIT.

First, preserve the NOTICE file. Many Apache projects ship a NOTICE file containing required attributions. If a component includes one, you must propagate its relevant contents in your distribution — typically in your third-party notices. This is the obligation teams most often overlook, because it is not present in every project and is easy to miss when it is.

Second, document significant changes. If you modify Apache-licensed files and redistribute them, you must carry prominent notices stating that you changed them. In practice this is usually satisfied by version control history and change headers, but the obligation is explicit in the license text.

Third, understand the patent-retaliation trigger. The explicit patent grant is a benefit, but it is conditional: filing a patent suit over the software ends your license. For most consumers this is a non-issue, but organizations with active patent portfolios should be aware of it.

Because Apache 2.0 explicitly addresses patents, trademarks, and contributions, it is often the preferred permissive license for corporate-backed projects and for organizations that want maximum legal clarity. Our concepts library explains why that clarity matters in enterprise procurement.

How Safeguard Tracks Apache 2.0 License Compliance

The Apache License is permissive and low-friction, but its NOTICE and change-documentation requirements mean you cannot treat it as "attribution-optional." At scale, with hundreds of dependencies, the challenge is knowing which components are Apache-licensed and which of those carry a NOTICE file you must reproduce.

Safeguard's Software Composition Analysis inventories every open-source component in your project, resolves its license, and flags components carrying the Apache-2.0 license identifier across your full dependency tree, including transitive ones. That gives you an authoritative list of exactly where the NOTICE obligation applies rather than a manual guess.

From there, SBOM Studio records each component's license in a CycloneDX or SPDX software bill of materials, producing the auditable evidence you need to demonstrate compliance and the raw material for the attribution bundle you ship. Policy gates can enforce your organization's approved-license list — permitting Apache 2.0 while flagging anything that would introduce copyleft or unknown terms into a permissive-only product. The academy shows how to wire these checks into a CI pipeline so compliance is verified on every build, not just at release.

Create a free account to see the license breakdown of your own codebase, or read the documentation to get started.

Frequently Asked Questions

How is the Apache 2.0 License different from the MIT License? Both are permissive and both allow commercial, closed-source use. The key differences are that Apache 2.0 includes an explicit patent grant with a retaliation clause, requires you to preserve any NOTICE file, and requires you to state significant changes to modified files. The MIT License is silent on patents and imposes only a copyright-notice condition, making it shorter but less explicit about patent risk.

Do I have to open-source my project if I use Apache 2.0 code? No. Apache 2.0 is permissive and imposes no copyleft obligation. You can build proprietary, closed-source software on top of Apache-licensed components and keep your own code private. You must, however, honor the notice, NOTICE-file, and change-documentation conditions for the Apache-licensed portions you distribute.

What is the NOTICE file and do I need to keep it? A NOTICE file is an optional text file that some Apache projects include to carry required attributions. If a component you use ships one, the license requires you to include its relevant contents in your own distribution's notices. If a component has no NOTICE file, there is nothing extra to propagate beyond the standard license and copyright notice.

Can Apache 2.0 code be combined with GPL code? Apache 2.0 is compatible with GPLv3 in one direction: Apache code can be incorporated into a GPLv3 project, which then governs the combined work. It is generally considered incompatible with GPLv2 because of Apache's patent and indemnification terms. Always check compatibility before combining differently licensed code in a distributed product.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.