How to use font metadata for licensing compliance audits
- Step 1: Inventory the production fonts — Pull every `.woff2`/`.woff`/`.otf`/`.ttf` served from your CDN and bundled in your apps. Record the source URL or repo path for the audit trail — the extractor reports the font's own claims, but provenance comes from where you found it.
- Step 2: Run each font through the extractor — Drop the file and press Process. For the audit, capture from `names`: Copyright (0), Version (5), Manufacturer (8), Designer (9), License (13), License URL (14). The tool decompresses WOFF2/WOFF first, so you can audit the exact artefact you ship, not a re-derived copy.
- Step 3: Record the structural identity too — Note `outlines_format` and `units_per_em` alongside the name records — they help disambiguate two fonts with the same family name but different outline technology (a CFF webfont vs a TrueType desktop licence, which may be separate SKUs).
- Step 4: Cross-reference against your EULA pool — Match each font's licence record against purchased EULAs and your known free-licence allowlist (SIL OFL, Apache 2.0, Ubuntu Font Licence, etc.). A clear match closes the row; a mismatch or an empty record opens a legal-review ticket.
- Step 5: Pin the version with a fingerprint — The Version string (nameID 5) is the foundry's claim and varies in format. For a tamper-evident pin, also run the [Font Fingerprinter](/font-tools/font-fingerprinter) to record a SHA-256 — so a year from now you can prove the audited binary is the one still in production.
- Step 6: Escalate the gaps, don't pass them — An empty License field is a question, not an answer. Treat it as 'licence not embedded' — then check the upstream distribution (OFL.txt, the foundry invoice, the Google Fonts package) before concluding the font is or isn't covered.
Records that carry compliance signal
The name records most relevant to a licensing audit, the nameID, and how to read each one. The extractor returns these under the labels shown when the font populates them.
| Record (label) | nameID | What it tells an auditor |
|---|---|---|
| License | 13 | Embedded licence text — often the full SIL OFL / Apache notice for open-source fonts; frequently empty for commercial faces |
| License URL | 14 | URL to the licence — the strongest single signal for identifying an open-source licence at a glance |
| Copyright | 0 | Copyright holder and year — the attribution anchor; usually names the foundry or project |
| Manufacturer | 8 | The foundry / vendor that produced the font — your cross-reference key into purchased EULAs |
| Designer | 9 | Type designer credit — useful for attribution requirements in some licences |
| Version | 5 | Foundry version string — pair with a SHA-256 fingerprint for a tamper-evident pin |
| Trademark | 7 | Trademark notice — relevant when the family name itself is a registered mark |
Licence URL → likely licence family
Common licence URLs you'll see in nameID 14 and the licence they usually indicate. Always confirm against the actual text — a URL is a hint, not a contract.
| URL fragment in nameID 14 | Likely licence | Audit action |
|---|---|---|
| openfontlicense.org / scripts.sil.org/OFL | SIL Open Font License 1.1 | Allowlist; preserve OFL.txt in distribution; keep RFN (Reserved Font Name) in mind if you rename |
| apache.org/licenses/LICENSE-2.0 | Apache License 2.0 | Allowlist; retain NOTICE if present |
| ubuntu.com/legal/terms-and-policies/font-licence | Ubuntu Font Licence 1.0 | Allowlist; copyleft-style — review redistribution terms |
| A foundry domain (e.g. monotype.com, commercialtype.com) | Commercial EULA | Match against your purchased licence and seat/pageview limits |
| (empty) | Unknown from the binary | Check the upstream package / invoice before passing |
Per-file limits for an audit run
The size ceiling is checked on the uploaded compressed file before parsing. The extractor handles one font at a time.
| Tier | Per-file limit | Batch |
|---|---|---|
| Free | 5 MB | 1 file at a time |
| Pro | 50 MB | 1 file at a time |
| Developer | 1 GB | 1 file at a time |
Cookbook
Worked audit rows. The extractor reports the font's own claims; the audit decision combines that with your EULA pool and provenance. For automating the capture across a repo see the CI extraction guide.
Clean open-source pass
Example: An OFL webfont with a populated licence URL is the easy case — the binary self-identifies and the URL maps to a known allowlisted licence.
Font: Inter-Regular.woff2
Manufacturer : The Inter Project Authors
Version : Version 4.000
License : ...SIL Open Font License, Version 1.1.
License URL : https://openfontlicense.org
Audit verdict: PASS (OFL on allowlist)
Action: keep OFL.txt in the distribution alongside the webfont
Commercial font with a foundry URL
Example: A commercial face often embeds a foundry licence URL or a short EULA pointer rather than full terms. The record identifies the foundry; the decision is whether your purchased licence covers this usage (web embedding, pageviews, seats).
Font: Brand-Headline.woff2
Copyright : (c) 2023 Acme Type Foundry
Manufacturer : Acme Type Foundry
Version : Version 2.100
License URL : https://acmetype.com/eula
Audit verdict: REVIEW
Action: locate the Acme web-licence SKU; confirm it covers the
current monthly pageviews on this domain
The dangerous case: empty licence record
Example: A font with no License or License URL key is the one to escalate. The binary cannot tell you whether it's licensed — that answer lives in your records, the original distribution, or an invoice.
Font: legacy-sans.ttf
Family : Legacy Sans
Subfamily : Regular
(no Copyright, Version, Manufacturer, License, or License URL)
Audit verdict: ESCALATE
Action: this is a thin/possibly-stripped name table. Identify the
source before shipping. Fingerprint it so the unknown is
tracked: /font-tools/font-fingerprinter
Audit spreadsheet shape
Example: Flatten each font's records into one row per font. This is the artefact legal actually wants — a manifest of what shipped, from whom, at what version, under what licence.
filename             | foundry           | version       | license_url
---------------------|-------------------|---------------|--------------------
Inter-Regular.woff2  | Inter Authors     | Version 4.000 | openfontlicense.org
Roboto-Reg.woff2     | Google            | Version 3.011 | apache.org/...
Brand-Headline.woff2 | Acme Type Foundry | Version 2.100 | acmetype.com/eula
legacy-sans.ttf      | (none)            | (none)        | (none) <-- ESCALATE
Two same-named fonts, different SKUs
Example: Family name alone can hide a licence trap: the desktop TTF and the web WOFF2 of the 'same' font may be separate purchases. Use outlines_format and the fingerprint to keep them distinct in the audit.
BrandSerif (desktop TTF): outlines_format=truetype, units_per_em=2048
BrandSerif (web WOFF2): outlines_format=cff, units_per_em=1000
Same Family name, different binaries → likely two licences. Fingerprint each separately and match to the correct SKU.
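The audit decision itself, as an added example that is not part of this page or of the JAD Font tools: it takes extractor-style output for several fonts and produces the three cookbook outcomes (PASS / REVIEW / ESCALATE), the spreadsheet rows, and the same-family-different-SKU split, using the licence URL lookup table from earlier on this page. Assumptions of the example: the `names` keys follow opentype.js's field names (`copyright`, `manufacturer`, `license`, `licenseURL`, `fontFamily`, `fontSubfamily`, `version`) already reduced to the English string; the function names are mine; the sample fonts are constructed from the cookbook rows above and their `sha256` values are placeholders, not real digests.

```javascript
'use strict';

// nameID 14 fragments (plus the wording that may appear in nameID 13) mapped to the
// licence family they usually indicate, mirroring the page's lookup table.
const KNOWN_LICENCES = [
  { url: /openfontlicense\.org|scripts\.sil\.org\/OFL/i, text: /SIL Open Font License/i,
    family: 'SIL Open Font License 1.1', note: 'preserve OFL.txt; check the RFN clause before renaming' },
  { url: /apache\.org\/licenses\/LICENSE-2\.0/i, text: /Apache License,? Version 2\.0/i,
    family: 'Apache License 2.0', note: 'retain NOTICE if present' },
  { url: /ubuntu\.com\/legal\/terms-and-policies\/font-licence/i, text: /Ubuntu Font Licen[cs]e/i,
    family: 'Ubuntu Font Licence 1.0', note: 'copyleft-style; review redistribution terms' },
];
// Records a fully populated foundry font normally carries. A table with none of them
// (only family/subfamily/version left) is the thin, possibly stripped case.
const PROVENANCE_KEYS = ['copyright', 'manufacturer', 'license', 'licenseURL'];

function classifyLicence(names) {
  const url = names.licenseURL || '', text = names.license || '';
  for (const k of KNOWN_LICENCES) {
    if (k.url.test(url)) return { family: k.family, allowlisted: true, source: 'url', note: k.note };
    if (k.text.test(text)) return { family: k.family, allowlisted: true, source: 'text', note: k.note };
  }
  if (url) {   // any other URL is read as a foundry domain, i.e. a commercial EULA pointer
    let host; try { host = new URL(url).hostname; } catch { host = url; }
    return { family: 'Commercial EULA', allowlisted: false, source: 'url',
      note: `match ${host} against the purchased SKU and seat/pageview limits` };
  }
  if (text) return { family: 'Unrecognised embedded text', allowlisted: false, source: 'text',
    note: 'read the embedded text; "free" may still exclude commercial use' };
  return { family: 'Unknown from the binary', allowlisted: false, source: 'none',
    note: 'licence not embedded; check upstream package / invoice' };
}

const isThinNameTable = (names) => PROVENANCE_KEYS.every((k) => !names[k]);

// One audit row per font: the binary's own claim plus the decision it implies.
function auditFont(font) {
  const lic = classifyLicence(font.names);
  const thin = isThinNameTable(font.names);
  let verdict;
  if (thin || lic.source === 'none') verdict = 'ESCALATE';   // a gap is a question, not a pass
  else if (lic.allowlisted) verdict = 'PASS';
  else verdict = 'REVIEW';
  const action = thin ? 'thin/possibly-stripped name table: identify the source font or build manifest'
                      : lic.note;
  return { filename: font.filename, verdict, licence: lic.family, source: lic.source, action };
}

// Same Family name but different outline technology or bytes => likely separate SKUs.
function findSkuSplits(fonts) {
  const byFamily = new Map();
  for (const f of fonts) {
    const fam = f.names.fontFamily || '(none)';
    byFamily.set(fam, [...(byFamily.get(fam) || []), f]);
  }
  const splits = [];
  for (const [family, group] of byFamily) {
    if (group.length < 2) continue;
    const formats = new Set(group.map((f) => f.outlines_format));
    const hashes = new Set(group.map((f) => f.sha256));
    if (formats.size > 1 || hashes.size > 1) splits.push({
      family, files: group.map((f) => f.filename),
      reason: formats.size > 1 ? 'different outline formats' : 'different binaries' });
  }
  return splits;
}

// The manifest legal wants: one CSV row per shipped font, verdict included.
function manifestRows(fonts) {
  const cell = (v) => `"${String(v || '(none)').replace(/"/g, '""')}"`;
  const rows = fonts.map((f) => [f.filename, f.names.manufacturer, f.names.version,
    f.names.licenseURL, f.sha256, auditFont(f).verdict].map(cell).join(','));
  return ['filename,foundry,version,license_url,sha256,verdict', ...rows].join('\n');
}

// Constructed extractor-style output; sha256 values are placeholders, not real digests.
const SAMPLE_FONTS = [
  { filename: 'Inter-Regular.woff2', outlines_format: 'truetype', units_per_em: 2048, sha256: 'PLACEHOLDER-1',
    names: { fontFamily: 'Inter', manufacturer: 'The Inter Project Authors', version: 'Version 4.000',
             license: '...SIL Open Font License, Version 1.1.', licenseURL: 'https://openfontlicense.org' } },
  { filename: 'Brand-Headline.woff2', outlines_format: 'cff', units_per_em: 1000, sha256: 'PLACEHOLDER-2',
    names: { fontFamily: 'Brand Headline', copyright: '(c) 2023 Acme Type Foundry',
             manufacturer: 'Acme Type Foundry', version: 'Version 2.100', licenseURL: 'https://acmetype.com/eula' } },
  { filename: 'legacy-sans.ttf', outlines_format: 'truetype', units_per_em: 2048, sha256: 'PLACEHOLDER-3',
    names: { fontFamily: 'Legacy Sans', fontSubfamily: 'Regular' } },
  { filename: 'BrandSerif.ttf', outlines_format: 'truetype', units_per_em: 2048, sha256: 'PLACEHOLDER-4',
    names: { fontFamily: 'BrandSerif', manufacturer: 'Acme Type Foundry', version: 'Version 1.000', licenseURL: 'https://acmetype.com/eula' } },
  { filename: 'BrandSerif.woff2', outlines_format: 'cff', units_per_em: 1000, sha256: 'PLACEHOLDER-5',
    names: { fontFamily: 'BrandSerif', manufacturer: 'Acme Type Foundry', version: 'Version 1.000', licenseURL: 'https://acmetype.com/eula' } },
];

console.log(manifestRows(SAMPLE_FONTS));
console.log(findSkuSplits(SAMPLE_FONTS));
```

Two design points worth noting: a populated Copyright/Manufacturer with no licence record still escalates rather than reviews, because the binary gives nothing to match against the EULA pool; and the SKU split keys on outline format first and fingerprint second, so two byte-identical copies of the same family at two paths do not produce a false split.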
Edge cases and what actually happens
Every row below was probed against the live API. Some documented requirements (alphabetical axis order, numerical tuple order) are not actually enforced in practice — useful to know if you've been blaming the wrong thing for a 400.
Licence record is empty but the font is licensed
Expected: Open-source families (Google Fonts especially) routinely ship the licence as a separate OFL.txt/LICENSE file and leave nameID 13/14 thin. An empty License field is therefore not evidence the font is unlicensed — it's a prompt to check the upstream distribution. Record it as 'licence not embedded; verified via package' once you've confirmed.
Licence text claims one thing, your usage is another
Review: The embedded text states the licence the foundry chose, but compliance is about your usage. An OFL font is free to embed on the web; a commercial EULA may cap monthly pageviews, domains, or seats. The extractor surfaces the record — matching it against your actual usage and purchased terms is the audit's job, not the tool's.
Reserved Font Name (RFN) under OFL
Review: If an OFL font's licence reserves the font's name, you may not distribute a modified version (e.g. a subset you renamed) under the original name. The extractor shows you the Family and License records; if you've run the font through a subsetter or renamer, confirm the RFN clause before shipping under the original name.
Vendor ID not in the output
Use another signal: Some audit playbooks key on the OS/2 achVendID (e.g. 'GOOG', 'ADBE', 'MONO'). This extractor does not report achVendID — use the Manufacturer (nameID 8) record for foundry attribution instead, or read the vendor ID with a low-level tool. The Manufacturer string is usually the more human-readable signal anyway.
Subset webfont with the licence stripped
Escalate: Aggressive build pipelines trim the name table to the few records a browser needs, sometimes dropping License/License URL. The shipped WOFF2 then looks unlicensed even though the foundry source was fully populated. Audit against the source font or the build's licence manifest, not only the deployed artefact.
Records only in a non-English language
English only: The extractor reads the English string via `getEnglishName`. A font localised only for, say, a CJK market may store its records in that language, returning a thin English `names` object. For a complete picture across all platform/language records, use `fonttools ttx` on that specific binary.
Free font that's actually 'free for personal use only'
Review: A populated, friendly-looking licence record can still restrict commercial use. The extractor shows you the text — read it. 'Free' in a foundry's marketing is not the same as the licence's actual grant. When in doubt, the License URL (nameID 14) usually leads to the binding terms.
Two licences (dual-licensed font)
Review: Some fonts ship under more than one licence (e.g. a foundry's own EULA plus an OFL fork). The single License record may reflect only one of them. Cross-check the upstream project, which may offer a choice — the binary's record is one data point, not necessarily the whole licensing picture.
Confidential / unreleased font in the audit
Preserved: Because parsing is entirely in-browser, an unreleased brand font or a beta from a foundry never leaves your machine. This is the main reason to use the extractor over an upload-based service for compliance work on confidential binaries.
TrueType Collection bundling several licensed faces
Unsupported format: A .ttc is rejected by the loader. For a collection, split out each face and audit them individually — each face can in principle carry different name records and even different licence terms.
Frequently asked questions
Which records prove a font's licence?
nameID 13 (License) holds the embedded licence text and nameID 14 (License URL) points to the terms. Together with Copyright (0) and Manufacturer (8) they give you the font's own claim. But 'prove' is strong — many fonts ship the binding licence in a separate file, so treat the records as strong evidence to be corroborated, not a contract.
What if the licence string is empty?
It means the licence isn't embedded in the binary — common for Google Fonts and other open-source families that ship OFL.txt/LICENSE separately. Don't read it as 'unlicensed'. Check the upstream distribution or your purchase records, then note in the audit how you verified it.
Can I see the OS/2 vendor ID (achVendID)?
Not from this tool. It reports the name records plus units-per-em, glyph count, outline format, and the table list — not OS/2 fields. For foundry attribution, use the Manufacturer record (nameID 8), which is usually clearer than the four-character vendor code anyway.
Is the confidential font uploaded anywhere?
No. Parsing runs entirely in your browser via opentype.js and a WASM WOFF2 decoder, so unreleased or commercially licensed binaries never reach a server. For signed-in users an anonymous run counter is recorded — no file content. This is the key advantage for audits on sensitive fonts.
How do I batch-audit hundreds of fonts?
The browser tool does one font at a time. For a folder-wide audit, replicate the same opentype.js extraction in a Node script — see the CI extraction guide — to emit one JSON or CSV row per font. Or pair it with the @jadapps/runner and drive the tool locally; either way the binaries stay on your machine.
Does the embedded licence override a separate EULA?
No — the binding terms are whatever you actually agreed to (the EULA, the OFL.txt, the invoice). The embedded record is the font's self-description and a useful identifier, but if the embedded text and your purchased EULA disagree, your contract governs. Use the record to find the right EULA, then read that.
How do I tell an OFL font from a commercial one quickly?
Look at License URL (nameID 14). openfontlicense.org/scripts.sil.org/OFL indicates SIL OFL; apache.org/licenses indicates Apache 2.0; a foundry's own domain usually indicates a commercial EULA. Confirm against the actual licence text — the URL is a fast hint, not a guarantee.
Can I detect if a font was modified or subset?
Not directly from the metadata, but a thin name table (only Family/Subfamily/Version) is a strong hint it was subset by a build pipeline. To detect change over time, fingerprint the binary with the Font Fingerprinter and compare SHA-256 hashes between the audited artefact and the foundry source.
Why does the same font show two licence pictures on desktop vs web?
Desktop (TTF/OTF) and web (WOFF2) are frequently separate SKUs with separate licences, even for the same family. They may also differ in outline format (truetype vs cff) and units-per-em. Audit each binary independently and match it to the correct licence; don't assume the desktop purchase covers web embedding.
Does the tool check licence expiry or seat counts?
No. Those are commercial terms tracked in your procurement system, not in the font binary. The extractor surfaces the embedded licence text/URL; expiry, seat limits, and pageview caps come from the EULA you matched it against.
What about variable fonts in the audit?
A variable font carries the same name/licence records as a static one — extract them the same way. tables_present will include fvar. If your licence covers only a specific weight, note that a single variable file may contain the whole range; the Variable Font Freezer can bake a single instance if your licensing or delivery requires it.
Can the extractor produce a signed compliance report?
It produces the raw metadata JSON; turning that into a signed report is your process. A practical pattern: extract metadata + fingerprint per font, write both into a manifest committed to source control, and have the responsible person sign off the commit. The CI extraction guide shows how to automate the manifest generation.
Privacy first
Every JAD Font tool runs entirely in your browser using opentype.js and the wawoff2 WASM Brotli encoder. Your fonts never leave your device — verified by zero outbound network requests during processing.