Citadel
Documentation menu

Citadel Cloud

Citadel Cloud is the optional online add-on that sits on top of your existing Citadel subscription. It's where features that only make sense across servers live — anything that needs a shared pool, cross-customer signal, or community-scale data.

If Citadel (the local app) is the cockpit for one server fleet, Citadel Cloud is the network of all those cockpits opting into a shared layer.

Pricing

ProductPriceWhat you get
Trust LookupFreePublic trust-score lookups + the cloud Discord bot. No account required.
Citadel$9.99/mo or $99.99/yrThe desktop app + dashboard. Required for any installation to activate.
Citadel Cloud add-on+$9.99/mo or $99.99/yr, 7-day free trialThe Live Ops Console, RCon Copilot, cheat/anomaly detection, replay, on-call push, and the federated trust network (incl. Cloud Bans).

Pricing is flat — one Citadel subscription plus the optional Cloud add-on covers your entire fleet, no per-server fees.

Both subscriptions live on the same Citadel account at citadels.cc. The Cloud add-on is optional — you can run Citadel just fine without it. You can also subscribe to or cancel Cloud independently of the base subscription.

Billing runs through Stripe for all new subscriptions and one-time donations. Customers who subscribed before the payments migration continue to be billed through Paddle until they cancel or renew — both providers coexist during the grandfather window, and license issuance reads a single, provider-neutral subscription status either way.

What's included today

Cloud Bans

A shared, customer-vouched community ban pool. When you ban a SteamID locally, you can opt to submit it to the Cloud Bans pool. Other Cloud-subscribed servers automatically pick up the ban and protect their players from the same cheater without you needing to coordinate manually.

The pool isn't trust-on-faith — it has a reputation model with vouch weights, overturn penalties, manual-review thresholds, and a public appeal flow. The audit reports in this repo describe the trust-and-safety policy in detail.

If you've ever spent a Saturday cross-banning a serial griefer across 3–5 servers, this is what eliminates that. See Cloud Bans for the full design.

Bringing an existing ban list — migrating from CFTools (or anywhere)? On citadels.cc/account, with Cloud active, the Import a ban list panel takes a paste or file upload — a CFTools export, a classic DayZ ban.txt, or any text containing SteamIDs. We extract every Steam64/Steam2 ID and submit each as your vouch, weighted exactly like a ban you file by hand. A single import can't flip bans to network-enforced on its own (the 3-vouch threshold still applies) — it contributes your signal, and any SteamID the network already agrees on protects you immediately. Note: this is a SteamID list import. CFTools' API keys its banlist entries by their internal account ID (not Steam64) and offers no reverse lookup, so the reliable path is the export/ban.txt you already have.

Live Ops Console

A real-time, browser-native view of every server running the Citadel agent — live map, kill/chat feeds, server metrics, and one-click actions, with no desktop install needed. It also includes:

  • An RCon Copilot — plain-English requests turned into a reviewed plan before anything runs.
  • Suspicious Activity & Server Health — automated cheat flags and metric-anomaly alerts.
  • Replay — scrub back through any window of telemetry; share a link to the exact moment.

See Live Ops Console.

On-call & push

A mobile-first, installable on-call view with push notifications for crashes, anomalies, flagged cheaters, and the moderation queue — so you don't have to be at a desk.

Trust Network

A cross-server trust graph: canonical player identity, explainable trust scores, a public lookup API, a cloud Discord bot anyone can install, auto-captured ban evidence, a reviewer pool, and a partner export feed. See the Trust API reference.

What's coming

If a feature requires cross-customer data or always-online infrastructure, it'll live behind Cloud. Anything purely local-server stays in the base Citadel product at no extra cost. On the roadmap (no dates): GitOps-style declarative server config, and a marketplace for mods/filters/configs.

How it shows up in your install

Once you subscribe to Cloud (after the trial or by paying through it), your license token from citadels.cc carries a 'cloud' entitlement alongside the base 'citadel' one. The desktop app and dashboard read this and unlock Cloud-only UI:

  • Settings → Cloud appears in the sidebar with toggles for which servers participate in Cloud Bans, your appeal contact email, etc.
  • Player ban dialogs gain a "Submit to Cloud Bans" checkbox.
  • The Live Ops feed picks up cloud-bans.sync events when new pool entries propagate to your servers.

If you're on the trial, all of the above lights up on day one — there's no "trial mode" subset. You get the real product for 7 days.

When the Cloud subscription lapses (canceled, payment failed past grace, etc.) the cloud features fade out cleanly:

  • Existing Cloud Bans on your servers stay locally — you don't lose protection on bans you've already received.
  • New /cloud-bans/sync calls return 402 CLOUD_SUBSCRIPTION_INACTIVE, with the upsell pointing back to your account page.
  • Submission endpoints stop accepting new bans into the pool.

Trial mechanics

A 7-day Cloud trial begins when you click Add Citadel Cloud on your account page. The trial is full-feature: it isn't a watered-down preview.

  • No charge during the trial.
  • Cancel anytime in those 7 days; you'll lose Cloud features at the end of the period and never see a charge.
  • If you don't cancel, the first $9.99/mo charge runs at the end of day 7 and the subscription becomes ongoing.

Paddle handles trial → paid conversion and emails you a clear "your trial ends in X days" notice on day 5 and day 7.

License token and entitlements

Each Citadel install gets a short-lived RS256 JWT from citadels.cc after activation. The token carries:

{
  "sub": "<your user id>",
  "deviceId": "<this install>",
  "subscriptionStatus": "active",          // base Citadel
  "cloudSubscriptionStatus": "trialing",   // Cloud (or null if no add-on)
  "entitlements": ["citadel", "cloud"],    // computed from the two statuses above
  "renewsAt": "2026-06-01T00:00:00Z",
  // ... iat / exp / iss
}

Tokens carrying the cloud entitlement have a tighter lifetime (default 4h vs 24h for citadel-only tokens) so a cancellation reaches the desktop app faster — you stop being entitled to Cloud features within hours of canceling, not at the next 24h refresh boundary.

The dashboard's /api/v1/auth/me endpoint surfaces both subscription states (subscriptionStatus and cloudSubscriptionStatus) so the UI can show the right CTA: "Add Cloud" if you don't have it, "Manage Cloud" if you do, "Reactivate Cloud" if it lapsed.

Subscribe / cancel

Add Cloud

  1. Sign in to citadels.cc/account.
  2. Click Add Citadel Cloud under your subscription summary.
  3. The Paddle checkout overlay opens. Confirm payment method (no charge during trial).
  4. Within ~30 seconds your dashboard reflects the new entitlement. The desktop app picks it up on its next license refresh.

Cancel Cloud

  1. From the same account page, click Manage next to Citadel Cloud.
  2. Choose Cancel in the Paddle billing portal.

Cancellation is effective at the end of the current billing period (trial or paid). You keep Cloud features until then.

You can cancel Cloud while keeping the base Citadel subscription, and vice versa. They're independent.

Privacy and what's actually shared

By default, Citadel is local-first — nothing about your DayZ configs, players, mod files, or operations leaves your machine. The only baseline traffic to citadels.cc is license activation and a periodic verify check.

Cloud changes this only for the specific data those features need:

  • Cloud Bans submissions send the SteamID, reason category (cheating / griefing / exploiting / other), and your account's vouch_weight at submit time. They do not send player names, server names, mod lists, chat, IPs, position data, or anything else.
  • /cloud-bans/sync is a download-only endpoint — the API doesn't learn what you do with the data, just that you queried.
  • Telemetry (already a Citadel-base feature) sends opt-in install diagnostics (update success/failure, license activation outcomes); no Cloud-specific change.

The audit pages and trust-and-safety overview in Cloud Bans cover the data model end-to-end.

Operational notes

  • Subscription status is DB-authoritative for cloud-gated server-side checks. The license JWT's entitlement claim is a fast-path for the dashboard, but every Cloud-bans API call re-fetches your current cloudSubscriptionStatus from the DB so a recent cancellation takes effect immediately at the API gate.
  • Two Paddle subscription IDs are stored on the same user row — paddleSubscriptionId for Citadel, paddleCloudSubscriptionId for Cloud. Webhook events are routed to the right column by their priceId. Webhooks for unknown priceIds are refused (no silent state writes for "what's this for?" events).
  • Idempotent webhooks: the receiver de-dups Paddle retries by eventId and uses an explicit "claimed/processed" lifecycle so a transient processing blip doesn't lock out subsequent retries from cleaning up the state.

Next

  • Cloud Bans — the trust-and-safety design behind the shared community pool
  • Architecture — how the Citadel local app and the citadels.cc cloud half communicate
  • Citadel License — base activation flow, applies to both subscriptions
Edit this page on GitHub