diff --git a/api/README.md b/api/README.md
index 80e1ed3..9f3cc5d 100644
--- a/api/README.md
+++ b/api/README.md
@@ -567,8 +567,9 @@ CGO_ENABLED=0 go build
             "fqdn": "controller.ns8.local",
             "grafana_path": "/grafana",
             "prometheus_path": "/prometheus",
-            "webssh_path": "/webssh"
+            "webssh_path": "/webssh",
+            "valid_subscription": false
         },
         "message": "success"
      }
-    ```
\ No newline at end of file
+    ```
diff --git a/api/configuration/configuration.go b/api/configuration/configuration.go
index 52ac99e..1a26bf6 100644
--- a/api/configuration/configuration.go
+++ b/api/configuration/configuration.go
@@ -56,6 +56,8 @@ type Configuration struct {
 	FQDN string `json:"fqdn"`
 
 	CacheTTL string `json:"cache_ttl"`
+
+	ValidSubscription bool `json:"valid_subscription"`
 }
 
 var Config = Configuration{}
@@ -228,4 +230,10 @@ func Init() {
 	} else {
 		Config.CacheTTL = "7200"
 	}
+
+	if os.Getenv("VALID_SUBSCRIPTION") != "" {
+		Config.ValidSubscription = os.Getenv("VALID_SUBSCRIPTION") == "true"
+	} else {
+		Config.ValidSubscription = false
+	}
 }
diff --git a/api/methods/defaults.go b/api/methods/defaults.go
index de46d17..f93ba18 100644
--- a/api/methods/defaults.go
+++ b/api/methods/defaults.go
@@ -24,10 +24,11 @@ func GetDefaults(c *gin.Context) {
 		Code:    200,
 		Message: "success",
 		Data: gin.H{
-			"fqdn":            configuration.Config.FQDN,
-			"prometheus_path": configuration.Config.PrometheusPath,
-			"webssh_path":     configuration.Config.WebSSHPath,
-			"grafana_path":    configuration.Config.GrafanaPath,
+			"fqdn":               configuration.Config.FQDN,
+			"prometheus_path":    configuration.Config.PrometheusPath,
+			"webssh_path":        configuration.Config.WebSSHPath,
+			"grafana_path":       configuration.Config.GrafanaPath,
+			"valid_subscription": configuration.Config.ValidSubscription,
 		},
 	}))
 }
diff --git a/api/methods/unit.go b/api/methods/unit.go
index 71c03bc..be219ba 100644
--- a/api/methods/unit.go
+++ b/api/methods/unit.go
@@ -228,6 +228,27 @@ func AddUnit(c *gin.Context) {
 		return
 	}
 
+	// if the controller does not have a subscription, limit the number of units to 3
+	if !configuration.Config.ValidSubscription {
+		units, err := ListUnits()
+		if err != nil {
+			c.JSON(http.StatusBadRequest, structs.Map(response.StatusBadRequest{
+				Code:    400,
+				Message: "can't list units",
+				Data:    err.Error(),
+			}))
+			return
+		}
+		if len(units) >= 3 {
+			c.JSON(http.StatusForbidden, structs.Map(response.StatusBadRequest{
+				Code:    403,
+				Message: "subscription limit reached",
+				Data:    "",
+			}))
+			return
+		}
+	}
+
 	// check duplicates
 	if _, err := os.Stat(configuration.Config.OpenVPNCCDDir + "/" + jsonRequest.UnitId); err == nil {
 		c.JSON(http.StatusConflict, structs.Map(response.StatusConflict{
@@ -369,6 +390,16 @@ func RegisterUnit(c *gin.Context) {
 		return
 	}
 
+	// if the controller has a subscription, the unit must have a valid subscription too
+	if configuration.Config.ValidSubscription && jsonRequest.SubscriptionType == "" {
+		c.JSON(http.StatusForbidden, structs.Map(response.StatusBadRequest{
+			Code:    403,
+			Message: "subscription is required",
+			Data:    "",
+		}))
+		return
+	}
+
 	// check openvpn conf exists
 	if _, err := os.Stat(configuration.Config.OpenVPNPKIDir + "/issued/" + jsonRequest.UnitId + ".crt"); err == nil {
 		// read ca