GLOSSARY / DEFINITION
What is an OSI approved license
An OSI approved license is one the Open Source Initiative has reviewed and certified as meeting the Open Source Definition. The approval is the recognized line between genuine open source and the source available licenses that look similar but restrict use. For an enterprise, that single status check is one of the fastest ways to tell whether a dependency carries a hidden production restriction.
Definition
An OSI approved license is a software license that the Open Source Initiative has formally reviewed and certified as conforming to the Open Source Definition. That definition sets ten criteria a license must satisfy, including free redistribution, availability of the source code, permission to create and distribute derived works, and a prohibition on restricting the field of use or discriminating against any person, group, or endeavor. When a license clears that review, it earns a place on the approved list, and software released under it can be called open source with confidence. The approval is not a quality rating or a security claim. It is a precise statement that the terms grant the freedoms the definition requires.
Why the approval is the line that matters
The reason an OSI approved license matters to a buyer is that the approval cleanly separates open source from source available. A source available license publishes the same kind of readable code but adds a use restriction, which is exactly what the Open Source Definition forbids. So the approval status answers the question that drives production risk: am I free to use this for any purpose, or does the license limit how I deploy it? Licenses that fail review, such as the Business Source License and the Server Side Public License, restrict competitive or service use. Several widely used tools moved onto those licenses in recent years, attaching restrictions to software organizations were already running. Checking whether a component sits under an OSI approved license, at intake and during review, is one of the cheapest controls you can run.
Which licenses are approved, and which are not
The approved list spans both license families. On the permissive side it includes the MIT License, the Apache License 2.0, and the BSD licenses, which place few conditions on use. On the copyleft side it includes the GNU General Public License, the GNU Lesser General Public License, the Mozilla Public License, and the GNU Affero General Public License, which grant the same freedoms but attach sharing obligations. Approval certifies open source, not the absence of obligation, so a strong copyleft license can be fully approved and still carry significant duties. Outside the list sit the source available licenses. The Business Source License, used by HashiCorp for Terraform and other tools as of August 2023, and the Server Side Public License, used by MongoDB since 2018 and by Elastic and Redis since 2021 and 2024 respectively, are not approved by the Open Source Initiative. They are source available, not open source.
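The intake check described above can be sketched as a small gate over declared SPDX license expressions. This is an added example, not code from this page or from the Open Source Initiative. The identifier sets, the restriction ranking, the component names and the `classify` and `flagged` helpers are assumptions made for illustration.

```python
import re

# SPDX identifiers for the licenses this page names. The sets are constructed
# for this example; a real gate should load the current OSI list instead.
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"}
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only", "LGPL-3.0-only",
            "MPL-2.0", "AGPL-3.0-only"}
SOURCE_AVAILABLE = {"BUSL-1.1", "SSPL-1.0"}

# Lower rank = fewer restrictions. "unknown" means a human has to look.
RANK = {"permissive": 0, "copyleft": 1, "unknown": 2, "source-available": 3}

def classify_id(term):
    """Classify one SPDX term; a 'WITH <exception>' suffix is ignored."""
    spdx_id = re.split(r"\s+WITH\s+", term.strip())[0]
    if spdx_id in PERMISSIVE:
        return "permissive"
    if spdx_id in COPYLEFT:
        return "copyleft"
    if spdx_id in SOURCE_AVAILABLE:
        return "source-available"
    return "unknown"

def classify(expression):
    """Classify a flat SPDX expression (WITH binds before AND, AND before OR)."""
    if "(" in expression:
        return "unknown"  # nested expressions go to manual review
    options = []
    for alternative in re.split(r"\s+OR\s+", expression):
        # AND: every term applies, so the most restrictive one decides.
        terms = [classify_id(t) for t in re.split(r"\s+AND\s+", alternative)]
        options.append(max(terms, key=RANK.get))
    # OR: the licensee picks, so the least restrictive alternative decides.
    return min(options, key=RANK.get)

def flagged(components):
    """Return (name, expression, verdict) for components needing review."""
    verdicts = [(n, e, classify(e)) for n, e in components]
    return [v for v in verdicts if v[2] in ("unknown", "source-available")]

# Constructed intake list: (component name, declared SPDX license expression).
SAMPLE = [("libalpha", "MIT"),
          ("libbeta", "GPL-2.0-only WITH Classpath-exception-2.0"),
          ("svc-gamma", "BUSL-1.1"),
          ("db-delta", "SSPL-1.0 OR AGPL-3.0-only"),
          ("tool-epsilon", "LicenseRef-Proprietary")]

if __name__ == "__main__":
    for name, expr, verdict in flagged(SAMPLE):
        print(f"REVIEW {name}: {expr} -> {verdict}")
```

Copyleft components pass this gate because they are approved, but they still carry the sharing obligations described above and need their own review.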
Related reading
For the companion concept on the other side of the line, see what is a source available license. For a worked example of an approved copyleft license, read our definition of the GNU AGPL. Both sit alongside the rest of our open source license risk glossary.
COMMON QUESTIONS
Questions buyers ask.
What is an OSI approved license?
An OSI approved license is a software license that the Open Source Initiative has reviewed and certified as meeting the Open Source Definition. That definition requires free redistribution, available source code, permitted derived works, and no restriction on the field of use or against any person or group. Only licenses that pass this review carry the approval, which is the recognized marker of genuine open source.
Why does OSI approval matter to enterprises?
OSI approval is a clean test for whether a license is open source or only source available. Licenses without the approval, such as the Business Source License and the Server Side Public License, can restrict competitive or service use of software you already run. Checking approval status during intake and review catches a license that limits production use before it becomes a finding.
Are the BSL and SSPL OSI approved?
No. Neither the Business Source License nor the Server Side Public License is approved by the Open Source Initiative. Both are source available licenses that publish source code while restricting how it may be used. HashiCorp adopted the Business Source License for Terraform and other tools as of August 2023, and MongoDB, Elastic, and Redis have used the Server Side Public License. None of these are open source.
Which common licenses are OSI approved?
Widely used OSI approved licenses include the MIT License, Apache License 2.0, the BSD licenses, the GNU General Public License, the GNU Lesser General Public License, the Mozilla Public License, and the GNU Affero General Public License. Each has passed review against the Open Source Definition, which is why software under them carries the four freedoms of open source.
Is OSI approval the same as permissive?
No. OSI approval certifies that a license is open source, not that it is permissive. Approved licenses span both permissive families, such as MIT and Apache 2.0, and copyleft families, such as the GNU General Public License and the GNU AGPL. A copyleft license can carry strong obligations and still be fully OSI approved.
Is this legal advice?
No. This is commercial and licensing risk advisory, not legal advice. For interpretation of whether a license is approved and how its terms apply to your use, engage your own counsel.