diff --git a/README.md b/README.md
index 6f53794..0cc2f0c 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,24 @@ Also delete all data (irreversible):
 curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh | sudo bash -s -- --uninstall --purge-data
 ```
+## Host-bound licences (optional)
+
+Your vendor can issue an offline `.lic` file that is cryptographically bound to a specific host
+so it cannot be installed on any other machine.
+
+**To get a host-bound licence:**
+
+1. Run `install.sh` on the target server — the output prints a **Machine ID** line:
+ ```
+ [manage-server] Machine ID (SHA-3-256): <64-hex-chars>
+ ```
+2. Share that value with your vendor when requesting the `.lic` file.
+3. The vendor enters it in the License Portal when generating the offline token.
+4. Install as usual — the Manage Server verifies the binding at every startup.
+
+For air-gapped deployments without host binding the `.lic` file is portable but anyone who
+obtains the file can run a second instance. Host binding removes that risk.
+
 ## Requirements
 - Linux (amd64 or arm64) or macOS
diff --git a/manage-server/compose.yaml b/manage-server/compose.yaml
index 4a75c54..c456c00 100644
--- a/manage-server/compose.yaml
+++ b/manage-server/compose.yaml
@@ -64,6 +64,7 @@ services:
 volumes:
 - triton-manage-bins:/bins
 - ${TLS_CERT_HOST_DIR:-/etc/triton/tls}:/etc/triton/tls:ro
+ - /etc/machine-id:/etc/machine-id:ro
 ports:
 - "${TRITON_MANAGE_HOST_PORT:-8082}:8082"
 - "${TRITON_MANAGE_GATEWAY_HOST_PORT:-8443}:8443"
diff --git a/manage-server/install.sh b/manage-server/install.sh
index 4b9dcee..e5da2ac 100755
--- a/manage-server/install.sh
+++ b/manage-server/install.sh
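Review bot: The added `/etc/machine-id:/etc/machine-id:ro` mount is unconditional, while install.sh in the same commit only prints a Machine ID when `-f /etc/machine-id` holds and the README lists macOS as supported, where the file does not exist; with the short volume syntax Compose will, as far as I recall, create an empty directory at a missing source path instead of failing, so the container then sees a directory and whatever binding check the server performs degrades without any visible error. Either gate the mount on the same precondition install.sh uses, or at least record it in compose.yaml, e.g. `# host-bound licences: the server hashes this file; absent on macOS/non-systemd hosts (see install.sh)`. The `:ro` is the right choice, since the identity the licence is bound to must not be writable from inside the container. Worth reflecting in the README wording too: this is a world-readable configuration value, not a hardware-rooted identity, so the binding is a deterrent against accidental reuse rather than the cryptographic guarantee the README describes. The `services:` block starts and ends outside the hunk.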
@@ -135,3 +135,16 @@ info " 1. Open http://localhost:${HOST_PORT} (or your public URL)"
 info " 2. Complete the setup wizard"
 info " 3. Configure TLS via reverse proxy (see docs)"
 info ""
+
+# ── display machine-id for host-bound licence generation ─────────────────────
+if [[ -f /etc/machine-id ]]; then
+ RAW_ID="$(cat /etc/machine-id | tr -d '[:space:]')"
+ MACHINE_ID_HASH="$(echo -n "$RAW_ID" | sha3sum -a 256 2>/dev/null | awk '{print $1}' || \
+ python3 -c "import hashlib,sys; print(hashlib.sha3_256(sys.stdin.buffer.read()).hexdigest())" <<< "$RAW_ID" 2>/dev/null || echo '')"
+ if [[ -n "$MACHINE_ID_HASH" ]]; then
+ info "── Host Machine ID ──────────────────────────────────────────────────────"
+ info " Provide this value to your vendor when requesting a host-bound .lic file."
+ info " Machine ID (SHA-3-256): $MACHINE_ID_HASH"
+ info "────────────────────────────────────────────────────────────────────────"
+ fi
+fi
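Review bot: The two hashing paths in the `MACHINE_ID_HASH=` assignment do not hash the same bytes: the sha3sum branch is fed by `echo -n "$RAW_ID"` with no trailing newline, while the python3 fallback uses `<<< "$RAW_ID"`, and a here-string appends a newline, so a host without sha3sum prints a different Machine ID than one with it and a licence issued against the wrong value will not verify. Feed both the same way, `printf '%s' "$RAW_ID" | python3 -c "import hashlib,sys; print(hashlib.sha3_256(sys.stdin.buffer.read()).hexdigest())"`, and drop the extra cat, `RAW_ID="$(tr -d '[:space:]' < /etc/machine-id)"`. The `|| python3 …` fallback only runs when the first pipeline's status is non-zero, which without `pipefail` (set outside this hunk, if at all) is awk's status, so a missing sha3sum produces an empty hash that the `-n` check then hides rather than reports; an explicit `if command -v sha3sum >/dev/null; then … else … fi` branch makes that failure visible. `RAW_ID` can also be empty or the literal `uninitialized` on a freshly provisioned image, so a guard such as `[[ -n "$RAW_ID" && "$RAW_ID" != uninitialized ]]` before hashing avoids binding a licence to a placeholder, and the canonicalisation used here (whitespace stripped, raw bytes hashed) must match exactly what the Manage Server computes from the bind-mounted file.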