License & Trial

Hugin is free for personal use, with a Pro tier that unlocks team features (collaboration, multi-project, RBAC) and the offensive plugins (vurl-offensive, Synaps, ratrace, mobile, Lua extensions).

Tiers

Community (Free)

  • MITM proxy with HTTP/1.1, HTTP/2, WebSocket
  • Built-in scanner: 41 active + 36 passive checks
  • Repeater, Intruder, Sequencer, Decoder, Comparer
  • Full UI + GUI + CLI + headless serve
  • 87 built-in MCP tools
  • REST + GraphQL APIs
  • Single project
  • Single user

Pro (Paid)

  • Everything in Community, plus:
  • Multi-project workspace isolation
  • Real-time Collaboration — share sessions with teammates
  • RBAC for multi-user serve deployments
  • Lua extensions — modify traffic in flight via Lua scripts
  • vurl-offensive plugin — 46 specialised hunting tools
  • Synaps plugin — WASM scanner with community modules
  • RatRace — race condition testing
  • Mobile — APK / IPA + Frida + emulator management
  • AI orchestration — Auto Mode, multi-step explore agents
  • Scheduled tasks at higher concurrency limits

Account ID Format

HGN-XXXXXXXX-XXXXXXXX-XXXXXXXX

Issued in your purchase confirmation email and visible on hugin.nu/account.

Activation

hugin account set HGN-XXXXXXXX-XXXXXXXX-XXXXXXXX

The license token is signed with Ed25519 and verified locally — no phone-home required for normal operation. Background refresh runs once per day to check for revocations.

Verify status:

hugin account show

Output (representative):

Account: HGN-........-........-........
Tier:    Pro
Expires: 2027-04-01
Devices: 2 / 3
Status:  Active

Deactivate:

hugin account clear

Removes the stored account ID. Pro features lock until you set an account ID again.

Trial

Hugin includes a 14-day Pro trial — one per machine fingerprint. Trial activation happens automatically the first time the binary launches on a fresh device: the licensing client calls /v1/trial/check with the device fingerprint and, if the device hasn’t used its trial yet, receives a 14-day Pro token.

After expiry, you’ll see a “Trial expired” banner and Pro features lock — your captured data, projects, scope, and findings are untouched. You can keep using Community-tier features without interruption.

The trial is handled entirely by the background license client; there is no separate hugin account trial CLI command.

Device Fingerprinting

To prevent license sharing across unlimited machines, Hugin builds a stable device ID with a 4-tier fallback:

  1. OS keychain (macOS Keychain / Windows Credential Manager / Linux Secret Service) — survives app reinstall, tied to OS user account
  2. Data directory file — survives a config wipe, but not a full OS reinstall
  3. Hardware-derived fingerprint — SHA-256 over stable hardware identifiers:
    • macOS: IOPlatformSerialNumber + IOPlatformUUID from ioreg
    • Linux: /etc/machine-id (or /var/lib/dbus/machine-id fallback)
    • Windows: machine GUID
  4. Generated UUID — last-resort fallback if all hardware signals fail; persisted to (1) and (2) for future calls

The raw device ID is never transmitted. Only its SHA-256 hex fingerprint goes to the licensing server during checks.
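The fallback order above, as an added Go example (not Hugin's own code). The keychain is modelled as an in-memory string, and the function names, the ID file path and the use of a single Linux machine-id value for tier 3 are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"os"
	"strings"
)

// Fingerprint is the SHA-256 hex digest; only this value leaves the machine.
func Fingerprint(s string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(s))) }

// readFirst returns the trimmed content of the first non-empty readable file.
func readFirst(paths ...string) string {
	for _, p := range paths {
		b, err := os.ReadFile(p)
		if s := strings.TrimSpace(string(b)); err == nil && s != "" {
			return s
		}
	}
	return ""
}

// DeviceID tries keychain, ID file and hardware in that order. keychain is
// an in-memory stand-in for the OS keychain; all names here are assumptions.
func DeviceID(keychain *string, idFile string, machineIDs ...string) string {
	if *keychain != "" {
		return *keychain // tier 1
	}
	if id := readFirst(idFile); id != "" {
		return id // tier 2
	}
	if hw := readFirst(machineIDs...); hw != "" {
		return Fingerprint(hw) // tier 3: hash of the hardware identifier
	}
	b := make([]byte, 16) // tier 4: random version 4 UUID
	rand.Read(b)
	b[6], b[8] = b[6]&0x0f|0x40, b[8]&0x3f|0x80
	*keychain = fmt.Sprintf("%x-%x-%x-%x-%x", b[:4], b[4:6], b[6:8], b[8:10], b[10:])
	os.WriteFile(idFile, []byte(*keychain), 0o600) // persist, owner-only
	return *keychain
}

func main() {
	var keychain string
	id := DeviceID(&keychain, os.TempDir()+"/hugin-device-id.example", "/etc/machine-id", "/var/lib/dbus/machine-id")
	fmt.Println("sent to server:", Fingerprint(id))
}
```

Because tiers 1 and 2 are consulted first, a persisted ID keeps the fingerprint stable even if the hardware-derived value later changes.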

The Pro tier allows up to 3 active devices per account; the server enforces this limit at activation. To free a slot when retiring a laptop, use the Devices tab on hugin.nu/account. Removing a device revokes its license token at the next refresh.

License Verification Internals

State is stored as two files under ~/.hugin/:

  • license.token — the Ed25519-signed token returned by the licensing server (account ID, tier, expiry, is_trial flag)
  • license.last_check — ISO timestamp of the last successful refresh

The token is verified at startup against the embedded license-signing public key (a separate keypair from the release-signing key). Verification is local — no network call needed for the binary to run.

Refresh runs opportunistically in the background. Failures (offline machine, expired refresh token) keep the existing token active until expiry.
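A sketch of local verification as described above, added here as an example and not taken from Hugin. The token layout (base64url payload, a dot, base64url signature), the JSON field names and the helper names are assumptions, and the keypair is generated for the demo rather than being Hugin's embedded key.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims holds the fields the page lists for license.token. The JSON names
// and the base64url "payload.signature" layout are assumptions.
type Claims struct {
	Account string    `json:"account"`
	Tier    string    `json:"tier"`
	Expires time.Time `json:"expires"`
	IsTrial bool      `json:"is_trial"`
}

var enc = base64.RawURLEncoding

// Issue stands in for the licensing server and uses a constructed key.
func Issue(priv ed25519.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(c)
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(priv, payload))
}

// Verify authenticates the payload bytes before parsing them; no network I/O.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (c Claims, err error) {
	p, s, _ := strings.Cut(token, ".")
	payload, err1 := enc.DecodeString(p)
	sig, err2 := enc.DecodeString(s)
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return c, errors.New("bad signature")
	}
	if err = json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	if !now.Before(c.Expires) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	fmt.Println(Verify(pub, Issue(priv, Claims{Tier: "Pro", Expires: time.Now().Add(time.Hour)}), time.Now()))
}
```

Editing the tier inside the payload invalidates the signature, so a stored token cannot be upgraded without the signing key; the expiry check is what lets a token keep working offline until it lapses.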

For air-gapped deployments, contact licensing for an extended-validity offline token.

Refunds & Subscriptions

See hugin.nu/refund for the refund policy. Subscription cancellations take effect at the end of the current billing period; the license remains Pro until then.

Pirate Detection

Hugin doesn’t include anti-tamper. The license check is straightforward — if license.tier == Pro then unlock — and could be patched out by a determined adversary. We rely on:

  • Signing key secrecy (account IDs can’t be forged)
  • Per-device fingerprint limits (sharing one ID across 1000 machines becomes visible)
  • Community goodwill (the people who’d patch this aren’t our customers)

If you find Hugin Pro genuinely useful and your situation makes paying difficult, email us — we have student / FOSS / open-source contributor discounts.

API

GET  /api/license/status     Current license status and tier
POST /api/license/account    Set account ID

MCP

License management isn’t exposed via MCP — it’s a one-time CLI / GUI operation, not something you’d want an LLM agent to touch.