Use when identifying attribution requirements that apply to software products — open-source license notices, third-party asset credits, API usage attribution, font licensing, media licensing, and data source attribution. Covers what must be attributed, how, and where across different asset types and jurisdictions.
USE FOR: attribution requirements, license notices, open-source attribution, Creative Commons, font licensing, image licensing, API attribution, data attribution, NOTICE files, third-party credits, attribution in UI, attribution in documentation
DO NOT USE FOR: choosing open-source licenses (use open-source-licensing), IP ownership disputes (use intellectual-property), content moderation obligations (use content-moderation)
Disclaimer: This skill provides general educational information about legal topics relevant to software development. It is not legal advice. Laws vary by jurisdiction and change frequently. Always consult a qualified attorney licensed in the relevant jurisdiction before making legal decisions for your organization.
Overview
Attribution is a legal obligation that arises from many sources — open-source licenses, Creative Commons media, font licenses, API terms of service, data provider agreements, and more. Failing to provide required attribution can constitute license violation (risking license termination and copyright infringement claims), breach of contract, or regulatory non-compliance. Many companies underestimate attribution requirements because the obligation is spread across dozens of different asset types, each with its own rules.
Open-source attribution is the most common and most frequently violated attribution requirement in software.
What Most OSS Licenses Require
| License | Requirements | NOTICE File | License Text | Copyright Notice |
|---|---|---|---|---|
| MIT | Include copyright notice + license text in copies | Recommended | Required | Required |
| Apache 2.0 | Include NOTICE file + license text; state changes | Required | Required | Required |
| BSD 2-Clause | Include copyright notice + license text | Recommended | Required | Required |
| BSD 3-Clause | Same as 2-Clause + no endorsement clause | Recommended | Required | Required |
| ISC | Include copyright notice + license text | Recommended | Required | Required |
| MPL 2.0 | License text in source files; larger work can be proprietary | Per-file | Required (per file) | Required |
| LGPL 2.1/3.0 | License text + copyright + link to source for modifications | Required | Required | Required |
| GPL 2.0/3.0 | Full license + copyright + source offer for binaries | Required | Required | Required |
| AGPL 3.0 | Same as GPL + network interaction triggers | Required | Required | Required |
NOTICE File Structure
The standard approach for bundling attribution in a distributable product:
NOTICE
This product includes software developed by third parties.
================================================================================
Library: react
Version: 18.2.0
License: MIT
Copyright (c) Meta Platforms, Inc. and affiliates.
================================================================================
================================================================================
Library: lodash
Version: 4.17.21
License: MIT
Copyright JS Foundation and other contributors
================================================================================
================================================================================
Library: express
Version: 4.18.2
License: MIT
Copyright (c) 2009-2014 TJ Holowaychuk
Copyright (c) 2013-2014 Roman Shtylman
Copyright (c) 2014-2015 Douglas Christopher Wilson
================================================================================
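One way to generate the NOTICE layout shown above during a build and refuse to ship incomplete entries, as an added example that is not code from the original page or from any of the tools it lists. The dependency records are constructed sample input, and the field names, the `REVIEWED` set and the function names are assumptions.

```python
SEP = "=" * 80
HEADER = "NOTICE\nThis product includes software developed by third parties."

# Licenses already reviewed against the requirements table above (assumed
# identifiers); anything else is held for manual review, not shipped silently.
REVIEWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

def audit(deps):
    """Return the problems that should fail the build (empty list = clean)."""
    problems, seen = [], set()
    for d in deps:
        key = (d["name"], d["version"])
        if key in seen:
            problems.append(f"{d['name']}@{d['version']}: duplicate entry")
        seen.add(key)
        if d.get("license") not in REVIEWED:
            problems.append(f"{d['name']}: license {d.get('license')!r} needs manual review")
        if not d.get("copyright"):
            problems.append(f"{d['name']}: no copyright notice found")
    return problems

def render_notice(deps):
    """Render entries in the layout shown above, sorted for reproducible builds."""
    blocks = [HEADER]
    for d in sorted(deps, key=lambda d: (d["name"].lower(), d["version"])):
        blocks.append("\n".join([SEP, f"Library: {d['name']}",
                                 f"Version: {d['version']}",
                                 f"License: {d['license']}", *d["copyright"], SEP]))
    return "\n".join(blocks) + "\n"

def build(deps):
    """Audit first, then render; raise so a CI job stops on any problem."""
    problems = audit(deps)
    if problems:
        raise ValueError("; ".join(problems))
    return render_notice(deps)

# Constructed sample input; values mirror the NOTICE sample above.
DEPENDENCIES = [
    {"name": "react", "version": "18.2.0", "license": "MIT",
     "copyright": ["Copyright (c) Meta Platforms, Inc. and affiliates."]},
    {"name": "express", "version": "4.18.2", "license": "MIT",
     "copyright": ["Copyright (c) 2009-2014 TJ Holowaychuk",
                   "Copyright (c) 2013-2014 Roman Shtylman"]},
]
# Constructed bad entry: unreviewed license and no copyright line.
BAD = {"name": "example-lib", "version": "0.1.0", "license": "UNKNOWN", "copyright": []}

if __name__ == "__main__":
    print(build(DEPENDENCIES), end="")
    print(audit(DEPENDENCIES + [BAD]))
```
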
Automation Tools
| Tool | Ecosystem | Output |
|---|---|---|
| license-checker | npm | JSON/CSV/Markdown of all dependency licenses |
| license-report | npm | Detailed license report with texts |
| pip-licenses | Python | Tabular license output for pip packages |
| go-licenses | Go | License detection and NOTICE file generation |
| dotnet-project-licenses | .NET | NuGet package license report |
| FOSSA | Multi-language | Full compliance management platform |
| Snyk | Multi-language | License auditing as part of SCA |
| licenseFinder | Multi-language (Ruby-based) | Approve/deny license policies |
Where to Display OSS Attribution
| Distribution Method | Where to Show Attribution |
|---|---|
| Web application (SaaS) | "Legal" or "Open Source Licenses" page linked from footer |
| Desktop application | About dialog → "Third-Party Licenses" section |
| Mobile app (iOS) | Settings → Licenses (use Settings.bundle or acknowledgements plist) |
| Mobile app (Android) | About → Open Source Licenses (use oss-licenses-plugin for Gradle) |
| CLI tool | --licenses flag or THIRD-PARTY-NOTICES.txt bundled in distribution |
| Library / SDK | NOTICE or THIRD-PARTY-NOTICES file in package root |
| Container image | /licenses/ directory or NOTICE file in image root |
| Documentation | Acknowledgements section in README or docs site |
Creative Commons Attribution
Creative Commons licenses are common for media, data, and documentation.
| License | Attribution Required | Share Alike | Commercial Use |
|---|---|---|---|
| CC0 | No | No | Yes |
| CC BY 4.0 | Yes | No | Yes |
| CC BY-SA 4.0 | Yes | Yes (derivatives same license) | Yes |
| CC BY-NC 4.0 | Yes | No | No |
| CC BY-NC-SA 4.0 | Yes | Yes | No |
| CC BY-ND 4.0 | Yes | No (no derivatives) | Yes |
Proper CC BY Attribution (TASL)
Creative Commons specifies the TASL format:
Title — name of the work
Author — creator name (linked to profile if available)
Source — URL where the work was found
License — license name linked to the license deed
Example:
"Sunset Over Mountains" by Jane Smith (https://example.com/photo/123)
is licensed under CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/)
Font Licensing
Fonts carry their own licensing terms that are frequently overlooked.
| License | Attribution | Embedding | Modification |
|---|---|---|---|
| SIL Open Font License (OFL) | Required (original name + copyright) | Web/app/document embedding allowed | Allowed (must rename modified version) |
| Apache 2.0 (some Google Fonts) | Required (copyright + license) | Allowed | Allowed |
| Proprietary (Adobe, Monotype, etc.) | Per EULA | Per EULA (often limited seats/pageviews) | Typically prohibited |
| Desktop-only licenses | Per EULA | Web embedding NOT allowed | Per EULA |
Font Attribution Pitfalls
Web fonts loaded via Google Fonts CDN do not require separate attribution (Google's ToS handles it), but self-hosted Google Fonts do require including the license file.
Icon fonts (Font Awesome, Material Icons) have separate licenses for the font file vs the CSS/SVG — check both.
Custom font subsets may trigger modification clauses — OFL requires renaming modified fonts.
API and Service Attribution
Many APIs and services require visible attribution as a condition of use.
"Powered by Stripe" badge on checkout (optional but encouraged)
OpenAI API: No required attribution (per current ToS), but must not claim AI output is human-generated
GitHub API: Must comply with ToS; no mandatory badge
Unsplash: Attribution appreciated but not required (Unsplash License)
Always check the current Terms of Service. API attribution requirements change with ToS updates. What was optional last year may be mandatory now.
Data Source Attribution
| Data License | Attribution Required | Derivative Works |
|---|---|---|
| Open Data Commons Attribution (ODC-BY) | Yes — credit source | Yes |
| Open Data Commons ODbL | Yes — credit source + share alike | Yes (same license) |
| CC BY 4.0 (for datasets) | Yes — TASL format | Yes |
| Government open data (US) | Generally no (public domain) | Yes |
| Government open data (UK) | OGL — yes, crown copyright | Yes |
| Government open data (EU) | Varies by member state | Varies |
Compliance Checklist
| # | Check | Frequency |
|---|---|---|
| 1 | Audit all dependencies for license types and attribution requirements | Every release |
| 2 | Generate NOTICE/THIRD-PARTY-NOTICES file from dependency metadata | Every build (automate) |
| 3 | Review media assets (images, icons, fonts, audio) for license terms | When assets are added |
| 4 | Check API ToS for attribution requirements | When integrating new APIs and on ToS change notifications |
| 5 | Verify data source licenses for attribution and share-alike terms | When incorporating new data sources |
| 6 | Display attribution in the correct location for your distribution type | Every release |
| 7 | Verify modified fonts are renamed per OFL requirements | When customizing fonts |
| 8 | Document attribution decisions in a central register | Ongoing |
Best Practices
Always consult legal counsel when unsure about attribution requirements — getting it wrong can terminate your license to use the software.
Automate NOTICE file generation as part of your CI/CD pipeline — tools like license-checker, FOSSA, and go-licenses catch new dependencies automatically.
Maintain a central attribution register that tracks every third-party component, its license, and where attribution is displayed.
Include attribution in your release checklist — it is easy to add a dependency and forget to update the NOTICE file.
Check API Terms of Service on a scheduled basis — attribution requirements change with ToS updates without notice.
Do not strip copyright notices or license headers from source files — many licenses explicitly require preserving them.
Display attribution accessibly — a legal/licenses page that users can actually find, not buried in an invisible footer.
Treat font licenses as seriously as code licenses — font piracy lawsuits are common and penalties can be per-seat or per-pageview.