
SPDX Expression Validator

Validate SPDX license expressions such as "(MIT OR Apache-2.0) AND BSD-3-Clause" with the official parser. Useful for package.json and Cargo.toml.

Supported operators: AND, OR, WITH, +, ( ). Useful for the license field in package.json and Cargo.toml.

SPDX license expressions explained

An SPDX License Expression is a small, machine-readable language for declaring exactly which open-source license (or combination of licenses) applies to a piece of software. It shows up in the license field of package.json, in Cargo manifests, in Software Bills of Materials (SBOMs), and in REUSE-compliant headers. Validating an expression means checking two things: the grammar (operators and parentheses) and the identifiers (are they real entries on the SPDX License List?).

Identifiers and operators

A bare expression is a single license id from the SPDX License List, such as MIT, Apache-2.0, GPL-3.0-or-later, or BSD-3-Clause. Identifiers are case-sensitive, and the operators that combine them are written in uppercase:

  • AND: both licenses apply (e.g. MIT AND BSD-3-Clause).
  • OR: the recipient may choose either (e.g. MIT OR Apache-2.0).
  • WITH: attaches a license exception (e.g. GPL-2.0-or-later WITH Classpath-exception-2.0).
  • Parentheses group sub-expressions: (MIT OR Apache-2.0) AND BSD-3-Clause.

For licenses not on the official list, use the LicenseRef- prefix (e.g. LicenseRef-my-proprietary-license) to reference a license defined elsewhere in the document.

The deprecated + operator

A trailing + (as in GPL-2.0+) once meant "this version or any later version." It is now deprecated in favor of explicit -or-later identifiers like GPL-2.0-or-later, which are clearer and avoid ambiguity. Prefer the new form in any new metadata you author.

Common pitfalls

  • Writing operators in lowercase (mit or apache-2.0); operators must be uppercase.
  • Getting the identifier case wrong: it is Apache-2.0, not apache-2.0 or APACHE-2.0.
  • Using a license name instead of the SPDX id (e.g. "GPLv3" rather than GPL-3.0-or-later).
  • Relying on the deprecated + instead of -or-later.
  • Forgetting that WITH takes an exception id, not another license id.
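
A minimal validator for the grammar and pitfalls described above, as an added example (it is not this tool's code or the official parser). The LICENSES and EXCEPTIONS sets are small constructed subsets of the SPDX lists, and matching follows the strict case rules stated on this page.

```python
import re

# Constructed subsets of the SPDX license and exception lists (illustration only).
LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0", "GPL-2.0-or-later"}
EXCEPTIONS = {"Classpath-exception-2.0"}

def validate(expr):
    """Return (errors, warnings) for an SPDX license expression."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)[::-1]  # reversed: pop() gives the next token
    errors, warnings = [], []

    def peek():
        return tokens[-1] if tokens else None
    def take():
        return tokens.pop() if tokens else None

    def operand():  # license id, id WITH exception, or ( expression )
        tok = take()
        if tok == "(":
            expression()
            if take() != ")":
                raise ValueError("missing ')'")
            return
        if tok is None or tok == ")" or tok.upper() in ("AND", "OR", "WITH"):
            raise ValueError(f"expected a license id, got {tok!r}")
        base = tok[:-1] if tok.endswith("+") else tok
        if base != tok:
            warnings.append(f"deprecated '+': prefer {base}-or-later")
        if not base.startswith("LicenseRef-") and base not in LICENSES:
            errors.append(f"unknown license id: {base}")
        if peek() == "WITH":
            take()
            exc = take()
            if exc not in EXCEPTIONS:
                errors.append(f"WITH needs an exception id, got {exc!r}")

    def expression():  # operand ((AND | OR) operand)*
        operand()
        while peek() in ("AND", "OR"):
            take()
            operand()

    try:
        expression()
        if peek() is not None:
            raise ValueError(f"expected AND, OR or WITH (uppercase), got {peek()!r}")
    except ValueError as exc:
        errors.append(f"syntax: {exc}")
    return errors, warnings
```

An expression with an empty errors list can still carry warnings, so a CI check on a license field can fail on errors and only report the deprecated + form.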

FAQ

Is MIT OR Apache-2.0 a dual license? Yes. OR means the downstream user may pick whichever of the two licenses they prefer. AND would instead require complying with both.

Why does my expression fail even though the grammar looks fine? The identifier probably is not recognized. Validation also checks each id against the SPDX License List, so a typo or an outdated/custom name without the LicenseRef- prefix will be rejected.

How do I declare a proprietary license? Use the LicenseRef- prefix, for example LicenseRef-Acme-EULA, and define the license text in the accompanying document or SBOM.
