diff --git a/etc/run.sh b/etc/run.sh
index bf2bb67d48..bfb1e8940a 100644
--- a/etc/run.sh
+++ b/etc/run.sh
@@ -26,7 +26,6 @@ _env_mail_smtp() {
 _env_moderate() {
     declare sim_type=$1
     export SIREPO_FEATURE_CONFIG_MODERATED_SIM_TYPES=$sim_type
-    export SIREPO_AUTH_ROLE_MODERATION_MODERATOR_EMAIL=$USER+moderator@localhost.localdomain
     _msg "Moderated sim_type=$sim_type"
     _setup_smtp
     _env_common
diff --git a/sirepo/api_auth.py b/sirepo/api_auth.py
index ab484d77d9..d8f83f8dbf 100644
--- a/sirepo/api_auth.py
+++ b/sirepo/api_auth.py
@@ -32,12 +32,15 @@ def check_api_call(qcall, func):
         a.ALLOW_SIM_TYPELESS_REQUIRE_EMAIL_USER,
         a.REQUIRE_COOKIE_SENTINEL,
         a.REQUIRE_USER,
+        a.REQUIRE_PLAN,
         a.REQUIRE_ADM,
         a.REQUIRE_PREMIUM,
     ):
         if not qcall.cookie.has_sentinel():
             raise sirepo.util.SRException("missingCookies", None)
-        if expect == a.REQUIRE_USER:
+        if expect == a.REQUIRE_PLAN:
+            qcall.auth.require_plan()
+        elif expect == a.REQUIRE_USER:
             qcall.auth.require_user()
         elif expect == a.ALLOW_SIM_TYPELESS_REQUIRE_EMAIL_USER:
             qcall.auth.require_email_user()
diff --git a/sirepo/api_perm.py b/sirepo/api_perm.py
index 1c28eb750b..36f6f3af96 100644
--- a/sirepo/api_perm.py
+++ b/sirepo/api_perm.py
@@ -32,7 +32,9 @@ class APIPerm(aenum.Flag):
     REQUIRE_USER = aenum.auto()
     #: only usable on internal test systems
     INTERNAL_TEST = aenum.auto()
-    #: a user with a a premium subscription is required
+    #: a user with an active plan (any type) is required
+    REQUIRE_PLAN = aenum.auto()
+    #: a user with a premium plan is required
     REQUIRE_PREMIUM = aenum.auto()
 
 
diff --git a/sirepo/auth/__init__.py b/sirepo/auth/__init__.py
index ffb7877963..dbbbb810b6 100644
--- a/sirepo/auth/__init__.py
+++ b/sirepo/auth/__init__.py
@@ -48,7 +48,7 @@
 _GUEST_USER_DISPLAY_NAME = "Guest User"
 
 _PAYMENT_PLAN_BASIC = "basic"
-_PAYMENT_PLAN_PREMIUM = sirepo.auth_role.ROLE_PAYMENT_PLAN_PREMIUM
+_PAYMENT_PLAN_PREMIUM = sirepo.auth_role.ROLE_PLAN_PREMIUM
 _ALL_PAYMENT_PLANS = (
     _PAYMENT_PLAN_BASIC,
     _PAYMENT_PLAN_PREMIUM,
@@ -172,11 +172,9 @@ def check_sim_type_role(self, sim_type, force_sim_type_required_for_api=False):
             return
         u = self.logged_in_user()
         r = sirepo.auth_role.for_sim_type(t)
-        if self.qcall.auth_db.model("UserRole").has_role(
-            role=r
-        ) and not self.qcall.auth_db.model("UserRole").is_expired(role=r):
+        if self.qcall.auth_db.model("UserRole").has_active_role(role=r):
             return
-        elif r in sirepo.auth_role.for_proprietary_oauth_sim_types():
+        if r in sirepo.auth_role.for_proprietary_oauth_sim_types():
             oauth.raise_authorize_redirect(self.qcall, sirepo.auth_role.sim_type(r))
         if r in sirepo.auth_role.for_moderated_sim_types():
             auth_role_moderation.raise_control_for_user(self.qcall, u, r)
@@ -184,7 +182,7 @@ def check_sim_type_role(self, sim_type, force_sim_type_required_for_api=False):
 
     def _assert_role_user(self):
         u = self.logged_in_user()
-        if not self.qcall.auth_db.model("UserRole").has_role(
+        if not self.qcall.auth_db.model("UserRole").has_active_role(
             role=sirepo.auth_role.ROLE_USER,
         ):
             raise sirepo.util.Forbidden(
@@ -274,8 +272,8 @@ def is_logged_in(self, state=None):
         return s in (_STATE_COMPLETE_REGISTRATION, _STATE_LOGGED_IN)
 
     def is_premium_user(self):
-        return self.qcall.auth_db.model("UserRole").has_role(
-            role=sirepo.auth_role.ROLE_PAYMENT_PLAN_PREMIUM,
+        return self.qcall.auth_db.model("UserRole").has_active_role(
+            role=sirepo.auth_role.ROLE_PLAN_PREMIUM,
         )
 
     def logged_in_user(self, check_path=True):
@@ -493,7 +491,7 @@ def parse_display_name(self, value):
 
     def require_adm(self):
         u = self.require_user()
-        if not self.qcall.auth_db.model("UserRole").has_role(
+        if not self.qcall.auth_db.model("UserRole").has_active_role(
             role=sirepo.auth_role.ROLE_ADM,
         ):
             raise sirepo.util.Forbidden(
@@ -515,9 +513,20 @@ def require_email_user(self):
         if m != METHOD_EMAIL:
             raise sirepo.util.Forbidden(f"method={m} is not email for uid={i}")
 
+    def require_plan(self):
+        from sirepo import auth_role_moderation
+
+        u = self.require_user()
+        for r in sirepo.auth_role.PLAN_ROLES:
+            if self.qcall.auth_db.model("UserRole").has_active_role(r):
+                return
+        auth_role_moderation.raise_control_for_user(
+            self.qcall, u, sirepo.auth_role.ROLE_PLAN_TRIAL
+        )
+
     def require_premium(self):
         if not self.is_premium_user():
-            raise sirepo.util.Forbidden(f"not premium user")
+            raise sirepo.util.Forbidden("not premium user")
 
     def require_user(self):
         """Asserts whether user is logged in
@@ -763,7 +772,7 @@ def _method_user_model(self, module, uid):
 
     def _plan(self, data):
         r = data.roles
-        if sirepo.auth_role.ROLE_PAYMENT_PLAN_PREMIUM in r:
+        if sirepo.auth_role.ROLE_PLAN_PREMIUM in r:
             data.paymentPlan = _PAYMENT_PLAN_PREMIUM
             data.upgradeToPlan = None
         else:
diff --git a/sirepo/auth_db/__init__.py b/sirepo/auth_db/__init__.py
index 85ad2dec52..1547573755 100644
--- a/sirepo/auth_db/__init__.py
+++ b/sirepo/auth_db/__init__.py
@@ -188,8 +188,11 @@ def execute(self, statement):
             statement.execution_options(synchronize_session="fetch")
         )
 
-    def execute_sql(self, text):
-        return self.execute(sqlalchemy.text(text + ";"))
+    def execute_sql(self, text, params=None):
+        q = sqlalchemy.text(text + ";")
+        if params:
+            q = q.bindparams(**params)
+        return self.execute(q)
 
     def metadata(self):
         return UserDbBase.metadata
diff --git a/sirepo/auth_db/user.py b/sirepo/auth_db/user.py
index 15c16b357c..f67fd7d328 100644
--- a/sirepo/auth_db/user.py
+++ b/sirepo/auth_db/user.py
@@ -36,9 +36,9 @@ def add_roles(self, roles, expiration=None):
         u = self.logged_in_user()
         for r in roles:
             try:
-                # Check here, because sqlite doesn't through IntegrityErrors
+                # Check here, because sqlite doesn't throw IntegrityErrors
                 # at the point of the new() operation.
-                if not self.has_role(r, uid=u):
+                if not self._has_role(r, uid=u):
                     self.new(uid=u, role=r, expiration=expiration).save()
             except sqlalchemy.exc.IntegrityError:
                 # role already exists
@@ -46,7 +46,7 @@ def add_roles(self, roles, expiration=None):
         sim_data.audit_proprietary_lib_files(qcall=self.auth_db.qcall)
 
     def add_role_or_update_expiration(self, role, expiration):
-        if not self.has_role(role):
+        if not self._has_role(role):
             self.add_roles(roles=[role], expiration=expiration)
             return
         r = self.search_by(uid=self.logged_in_user(), role=role)
@@ -71,22 +71,22 @@ def delete_roles(self, roles, uid=None):
     def get_roles(self):
         return self.search_all_for_column("role", uid=self.logged_in_user())
 
-    def has_role(self, role, uid=None):
-        return bool(
-            self.unchecked_search_by(uid=uid or self.logged_in_user(), role=role)
-        )
+    def get_roles_and_expiration(self):
+        return [
+            PKDict(role=r.role, expiration=r.expiration)
+            for r in self.query().filter_by(uid=self.logged_in_user())
+        ]
 
-    def is_expired(self, role):
-        u = self.logged_in_user()
-        assert self.has_role(role=role), f"No role for uid={u} and role={role}"
-        r = self.search_by(uid=u, role=role)
-        if not r.expiration:
-            # Roles with no expiration can't expire
-            return False
-        return r.expiration < sirepo.srtime.utc_now()
+    def has_active_role(self, role, uid=None):
+        r = self._has_role(role, uid=uid)
+        return r and not self._is_expired_role(r)
+
+    def has_expired_role(self, role):
+        r = self._has_role(role)
+        return r and self._is_expired_role(r)
 
     def uids_of_paid_users(self):
-        return self.uids_with_roles(sirepo.auth_role.PAID_USER_ROLES)
+        return self.uids_with_roles(sirepo.auth_role.PLAN_ROLES_PAID)
 
     def uids_with_roles(self, roles):
         a = sirepo.auth_role.get_all()
@@ -103,6 +103,14 @@ def uids_with_roles(self, roles):
             .all()
         ]
 
+    def _has_role(self, role, uid=None):
+        return self.unchecked_search_by(uid=uid or self.logged_in_user(), role=role)
+
+    def _is_expired_role(self, role_record):
+        return (
+            role_record.expiration and role_record.expiration < sirepo.srtime.utc_now()
+        )
+
 
 class UserRoleModeration(sirepo.auth_db.UserDbBase):
     __tablename__ = "user_role_moderation_t"
diff --git a/sirepo/auth_role.py b/sirepo/auth_role.py
index 5750e2f7d3..a3166a9746 100644
--- a/sirepo/auth_role.py
+++ b/sirepo/auth_role.py
@@ -10,9 +10,11 @@
 import sirepo.feature_config
 
 ROLE_ADM = "adm"
+ROLE_PLAN_PREMIUM = "premium"
+ROLE_PLAN_TRIAL = "trial"
 ROLE_USER = "user"
-ROLE_PAYMENT_PLAN_PREMIUM = "premium"
-PAID_USER_ROLES = (ROLE_PAYMENT_PLAN_PREMIUM,)
+PLAN_ROLES_PAID = frozenset((ROLE_PLAN_PREMIUM,))
+PLAN_ROLES = PLAN_ROLES_PAID.union((ROLE_PLAN_TRIAL,))
 _SIM_TYPE_ROLE_PREFIX = "sim_type_"
 
 
@@ -58,7 +60,8 @@ def get_all():
         for_sim_type(t) for t in sirepo.feature_config.auth_controlled_sim_types()
     ] + [
         ROLE_ADM,
-        ROLE_PAYMENT_PLAN_PREMIUM,
+        ROLE_PLAN_PREMIUM,
+        ROLE_PLAN_TRIAL,
         ROLE_USER,
     ]
 
diff --git a/sirepo/auth_role_moderation.py b/sirepo/auth_role_moderation.py
index f10399dfdd..77e0447ab6 100644
--- a/sirepo/auth_role_moderation.py
+++ b/sirepo/auth_role_moderation.py
@@ -1,22 +1,25 @@
-# -*- coding: utf-8 -*-
 """Moderate user roles
 
 :copyright: Copyright (c) 2022 RadiaSoft LLC.  All Rights Reserved.
 :license: http://www.apache.org/licenses/LICENSE-2.0.html
 """
+
 from pykern import pkconfig
-from pykern.pkdebug import pkdexc, pkdp, pkdlog
-from pykern.pkcollections import PKDict
 from pykern import pkjinja
+from pykern.pkcollections import PKDict
+from pykern.pkdebug import pkdexc, pkdp, pkdlog
 import datetime
-import sirepo.quest
+import getpass
 import sirepo.auth_role
+import sirepo.const
 import sirepo.feature_config
+import sirepo.quest
 import sirepo.simulation_db
 import sirepo.smtp
 import sirepo.uri
 import sirepo.uri_router
 import sqlalchemy
+import sqlalchemy.exc
 
 _STATUS_TO_SUBJECT = PKDict(
     approve="Access Request Approved",
@@ -42,14 +45,38 @@ class API(sirepo.quest.API):
         "require_adm", uid="Str", role="Str", status="AuthModerationStatus"
     )
     async def api_admModerate(self):
+        def _role_info(role, status):
+            res = PKDict(
+                role=role,
+                status=status,
+                moderator_uid=self.auth.logged_in_user(),
+                product_name=sirepo.simulation_db.SCHEMA_COMMON.productInfo.shortName,
+            )
+            if role == sirepo.auth_role.ROLE_PLAN_TRIAL:
+                return res.pkupdate(
+                    role_display_name="Trial",
+                    expiration=datetime.datetime.utcnow()
+                    + datetime.timedelta(
+                        days=sirepo.feature_config.cfg().trial_expiration_days
+                    ),
+                    additional_text=f"Your trial is active for {sirepo.feature_config.cfg().trial_expiration_days} days.",
+                )
+            return res.pkupdate(
+                role_display_name=sirepo.simulation_db.SCHEMA_COMMON.appInfo[
+                    sirepo.auth_role.sim_type(role)
+                ].longName
+            )
+
         def _send_moderation_status_email(info):
             sirepo.smtp.send(
                 recipient=info.user_name,
-                subject=f"Sirepo {info.app_name}: {_STATUS_TO_SUBJECT[info.status]}",
+                subject=f"Sirepo {info.role_display_name}: {_STATUS_TO_SUBJECT[info.status]}",
                 body=pkjinja.render_resource(
                     f"auth_role_moderation/{info.status}_email",
                     PKDict(
-                        app_name=info.app_name,
+                        additional_text=info.get("additional_text"),
+                        product_name=info.product_name,
+                        role_display_name=info.role_display_name,
                         display_name=info.display_name,
                         link=self.absolute_uri(
                             self.uri_for_app_root(
@@ -62,7 +89,9 @@ def _send_moderation_status_email(info):
 
         def _set_moderation_status(info):
             if info.status == "approve":
-                self.auth_db.model("UserRole").add_roles(roles=[info.role])
+                self.auth_db.model("UserRole").add_roles(
+                    roles=[info.role], expiration=info.get("expiration")
+                )
             self.auth_db.model("UserRoleModeration").set_status(
                 role=info.role,
                 status=info.status,
@@ -87,14 +116,7 @@ def _set_moderation_status(info):
                 req.req_data.uid,
                 req.req_data.role,
             )
-        p = PKDict(
-            app_name=sirepo.simulation_db.SCHEMA_COMMON.appInfo[
-                sirepo.auth_role.sim_type(i.role)
-            ].longName,
-            role=i.role,
-            status=req.req_data.status,
-            moderator_uid=self.auth.logged_in_user(),
-        )
+        p = _role_info(i.role, req.req_data.status)
         pkdlog("status={} uid={} role={}", p.status, i.uid, i.role)
         # Force METHOD_EMAIL. We are sending them an email so we will
         # need an email for them. We only have emails for METHOD_EMAIL
@@ -153,9 +175,18 @@ def _send_request_email(info):
 
         req = self.parse_post()
         u = self.auth.logged_in_user()
-        r = sirepo.auth_role.for_sim_type(req.type)
-        if self.auth_db.model("UserRole").has_role(role=r):
+        r = sirepo.auth_role.ROLE_PLAN_TRIAL
+        # SECURITY: type has been validated to be a known sim type. If it is
+        # not in moderated_sim_types then we know the user is just requesting
+        # access to start using Sirepo (ROLE_PLAN_TRIAL).
+        if req.type in sirepo.feature_config.cfg().moderated_sim_types:
+            r = sirepo.auth_role.for_sim_type(req.type)
+        if self.auth_db.model("UserRole").has_active_role(role=r):
             raise sirepo.util.Redirect(sirepo.uri.local_route(req.type))
+        if self.auth_db.model("UserRole").has_expired_role(role=r):
+            raise AssertionError(
+                f"uid={u} trying to request moderation for expired role={r}"
+            )
         try:
             self.auth_db.model(
                 "UserRoleModeration",
@@ -183,7 +214,7 @@ def _send_request_email(info):
                 email_addr=self.auth.logged_in_user_name(),
                 link=l,
                 reason=req.req_data.reason,
-                role=sirepo.auth_role.for_sim_type(req.type),
+                role=r,
                 sim_type=req.type,
                 uid=u,
             ).pkupdate(self.user_agent_headers())
@@ -200,6 +231,10 @@ def _datetime_to_str(rows):
 
 
 def raise_control_for_user(qcall, uid, role):
+    if qcall.auth_db.model("UserRole").has_expired_role(role):
+        if role == sirepo.auth_role.ROLE_PLAN_TRIAL:
+            raise sirepo.util.PlanExpired(f"uid={uid} role={role} expired")
+        raise sirepo.util.Forbidden(f"uid={uid} role={role} expired")
     s = qcall.auth_db.model("UserRoleModeration").get_status(uid=uid, role=role)
     if s in _ACTIVE:
         raise sirepo.util.SRException("moderationPending", None)
@@ -207,15 +242,17 @@ def raise_control_for_user(qcall, uid, role):
         raise sirepo.util.Forbidden(f"uid={uid} role={role} already denied")
     assert s is None, f"Unexpected status={s} for uid={uid} and role={role}"
     qcall.auth.require_email_user()
-    raise sirepo.util.SRException("moderationRequest", None)
+    raise sirepo.util.SRException("moderationRequest", PKDict(role=role))
 
 
 def init_apis(*args, **kwargs):
     global _cfg
 
     _cfg = pkconfig.init(
-        moderator_email=pkconfig.Required(
-            str, "The email address to send moderation emails to"
+        moderator_email=pkconfig.RequiredUnlessDev(
+            f"{getpass.getuser()}+moderator@{sirepo.const.LOCALHOST_FQDN}",
+            str,
+            "The email address to send moderation emails to",
         ),
     )
     x = frozenset(_STATUS_TO_SUBJECT.keys())
diff --git a/sirepo/const.py b/sirepo/const.py
index 54c362dc4d..afde1f433b 100644
--- a/sirepo/const.py
+++ b/sirepo/const.py
@@ -16,6 +16,8 @@
 #: where template resources and template non-sim user files live
 LIB_DIR = "lib"
 
+LOCALHOST_FQDN = "localhost.localdomain"
+
 # matches requirements for uid and isn't actually put in the db
 MOCK_UID = "someuser"
 
diff --git a/sirepo/db_upgrade.py b/sirepo/db_upgrade.py
index a7e3917b00..8d1fbae76d 100644
--- a/sirepo/db_upgrade.py
+++ b/sirepo/db_upgrade.py
@@ -8,9 +8,11 @@
 from pykern.pkcollections import PKDict
 from pykern.pkdebug import pkdp, pkdlog, pkdexc
 import contextlib
+import datetime
 import shutil
 import sirepo.auth_db
 import sirepo.auth_role
+import sirepo.feature_config
 import sirepo.file_lock
 import sirepo.job
 import sirepo.quest
@@ -97,8 +99,23 @@ def _20240524_add_role_user(qcall):
     )
     qcall.auth_db.drop_table("user_role_invite_t")
     qcall.auth_db.execute_sql(
-        f"INSERT INTO user_role_t (uid, role, expiration)"
-        + f'SELECT uid, "{sirepo.auth_role.ROLE_USER}", NULL from user_registration_t'
+        f"""INSERT INTO user_role_t (uid, role, expiration)
+        SELECT uid, '{sirepo.auth_role.ROLE_USER}', NULL from user_registration_t"""
+    )
+
+
+def _20250114_add_role_plan_trial(qcall):
+    """Give all existing users a trial plan with expiration"""
+    qcall.auth_db.execute_sql(
+        """INSERT INTO user_role_t (uid, role, expiration)
+        SELECT uid, :role, :expiration FROM user_registration_t""",
+        PKDict(
+            role=sirepo.auth_role.ROLE_PLAN_TRIAL,
+            expiration=datetime.datetime.utcnow()
+            + datetime.timedelta(
+                days=sirepo.feature_config.cfg().trial_expiration_days
+            ),
+        ),
     )
 
 
diff --git a/sirepo/feature_config.py b/sirepo/feature_config.py
index 8d1bd4f9f6..7c064d84e7 100644
--- a/sirepo/feature_config.py
+++ b/sirepo/feature_config.py
@@ -216,6 +216,11 @@ def _test(msg):
             show_open_shadow=_test('Show "Open as a New Shadow Simulation" menu item'),
             show_rsopt_ml=_test('Show "Export ML Script" menu item'),
         ),
+        trial_expiration_days=(
+            30,
+            pkconfig.parse_positive_int,
+            "number of days a sirepo trial is active",
+        ),
         trust_sh_env=(
             False,
             bool,
diff --git a/sirepo/job_api.py b/sirepo/job_api.py
index f103f3441e..4728438901 100644
--- a/sirepo/job_api.py
+++ b/sirepo/job_api.py
@@ -54,12 +54,12 @@ async def api_admJobs(self):
             _request_content=self._parse_post_just_data(),
         )
 
-    @sirepo.quest.Spec("require_user")
+    @sirepo.quest.Spec("require_plan")
     async def api_analysisJob(self):
         # TODO(robnagler): computeJobHash has to be checked
         return await self._request_api()
 
-    @sirepo.quest.Spec("require_user")
+    @sirepo.quest.Spec("require_plan")
     async def api_beginSession(self):
         """Starts beginSession request asynchronously
 
@@ -72,7 +72,7 @@ async def api_beginSession(self):
         )
 
     @sirepo.quest.Spec(
-        "require_user",
+        "require_plan",
         sid="SimId",
         model="AnalysisModel",
         frame="DataFileIndex",
@@ -87,7 +87,7 @@ async def api_downloadDataFile(
         )
 
     @sirepo.quest.Spec(
-        "require_user",
+        "require_plan",
         sid="SimId",
         model="AnalysisModel",
         frame="DataFileIndex",
@@ -148,7 +148,7 @@ def _content_too_large(req):
                 f"frame={frame} not found sid={req.id} sim_type={req.type}",
             )
 
-    @sirepo.quest.Spec("require_user")
+    @sirepo.quest.Spec("require_plan")
     async def api_globalResources(self):
         assert (
             sirepo.feature_config.cfg().enable_global_resources
@@ -184,13 +184,13 @@ async def api_jobSupervisorPing(self):
             e = "unexpected exception"
         return PKDict(state="error", error=e)
 
-    @sirepo.quest.Spec("require_user")
+    @sirepo.quest.Spec("require_plan")
     async def api_ownJobs(self):
         return await self._request_api(
             _request_content=self._parse_post_just_data(),
         )
 
-    @sirepo.quest.Spec("require_user")
+    @sirepo.quest.Spec("require_plan")
     async def api_runCancel(self):
         try:
             return await self._request_api()
@@ -199,19 +199,19 @@ async def api_runCancel(self):
         # Always true from the client's perspective
         return self.reply_dict({"state": "canceled"})
 
-    @sirepo.quest.Spec("require_user")
+    @sirepo.quest.Spec("require_plan")
     async def api_runSimulation(self):
         r = self._request_content(PKDict())
         if r.isParallel:
             r.isPremiumUser = self.auth.is_premium_user()
         return await self._request_api(_request_content=r)
 
-    @sirepo.quest.Spec("require_user")
+    @sirepo.quest.Spec("require_plan")
     async def api_runStatus(self):
         # runStatus receives models when an animation status if first queried
         return await self._request_api(_request_content=self._request_content(PKDict()))
 
-    @sirepo.quest.Spec("require_premium")
+    @sirepo.quest.Spec("require_plan")
     async def api_sbatchLogin(self):
         r = self._request_content(
             PKDict(computeJobHash="unused", jobRunMode=sirepo.job.SBATCH),
@@ -221,7 +221,7 @@ async def api_sbatchLogin(self):
         r.pkdel("data")
         return await self._request_api(_request_content=r)
 
-    @sirepo.quest.Spec("require_premium")
+    @sirepo.quest.Spec("require_plan")
     async def api_sbatchLoginStatus(self):
         return await self._request_api(
             _request_content=self._request_content(
@@ -229,7 +229,7 @@ async def api_sbatchLoginStatus(self):
             )
         )
 
-    @sirepo.quest.Spec("require_user", frame_id="SimFrameId")
+    @sirepo.quest.Spec("require_plan", frame_id="SimFrameId")
     async def api_simulationFrame(self, frame_id):
         return await template_common.sim_frame(
             frame_id,
@@ -243,11 +243,11 @@ async def api_simulationFrame(self, frame_id):
             self,
         )
 
-    @sirepo.quest.Spec("require_user")
+    @sirepo.quest.Spec("require_plan")
     async def api_statefulCompute(self):
         return await self._request_compute(op_key="stful")
 
-    @sirepo.quest.Spec("require_user")
+    @sirepo.quest.Spec("require_plan")
     async def api_statelessCompute(self):
         return await self._request_compute(op_key="stlss")
 
diff --git a/sirepo/job_driver/docker.py b/sirepo/job_driver/docker.py
index 08c302d88c..15281f2690 100644
--- a/sirepo/job_driver/docker.py
+++ b/sirepo/job_driver/docker.py
@@ -4,7 +4,6 @@
 :license: http://www.apache.org/licenses/LICENSE-2.0.html
 """
 
-from __future__ import absolute_import, division, print_function
 from pykern import pkconfig, pkio
 from pykern.pkcollections import PKDict
 from pykern.pkdebug import pkdp, pkdlog, pkdexc, pkdc
@@ -13,6 +12,7 @@
 import io
 import os
 import re
+import sirepo.const
 import sirepo.util
 import subprocess
 import tornado.ioloop
@@ -246,7 +246,7 @@ def _init_dev_hosts(cls):
         ), "neither cfg.tls_dir and cfg.hosts nor must be set to get auto-config"
         # dev mode only; see _cfg_tls_dir and _cfg_hosts
         cls.cfg.tls_dir = srdb.root().join("docker_tls")
-        cls.cfg.hosts = ("localhost.localdomain",)
+        cls.cfg.hosts = (sirepo.const.LOCALHOST_FQDN,)
         d = cls.cfg.tls_dir.join(cls.cfg.hosts[0])
         if d.check(dir=True):
             return
diff --git a/sirepo/package_data/auth_role_moderation/approve_email.jinja b/sirepo/package_data/auth_role_moderation/approve_email.jinja
index b993859404..09b52945f5 100644
--- a/sirepo/package_data/auth_role_moderation/approve_email.jinja
+++ b/sirepo/package_data/auth_role_moderation/approve_email.jinja
@@ -1,3 +1,4 @@
-Your request for {{ app_name }} access has been approved.
+Your request for Sirepo {{ role_display_name }} access has been approved.
 {{ link }}
 
+{{ additional_text }}
diff --git a/sirepo/package_data/auth_role_moderation/clarify_email.jinja b/sirepo/package_data/auth_role_moderation/clarify_email.jinja
index 65d7f66ec2..4ca448a9f1 100644
--- a/sirepo/package_data/auth_role_moderation/clarify_email.jinja
+++ b/sirepo/package_data/auth_role_moderation/clarify_email.jinja
@@ -1,10 +1,10 @@
 Dear {{ display_name }},
 
-You recently tried to login to {{ app_name }}. We need some more information in order to process your login request.
+You recently tried to login to {{ product_name }}. We need some more information in order to process your login request.
 
-Would you please let us know how you heard about {{ app_name }}?
+Would you please let us know how you heard about {{ product_name }}?
 
-How do you intend to use {{ app_name }}?
+How do you intend to use {{ product_name }}?
 
 We need this information to prevent abuse of our servers.
 
@@ -13,4 +13,3 @@ Thank you for your understanding.
 Sincerely,
 
 Sirepo Support
-
diff --git a/sirepo/package_data/auth_role_moderation/deny_email.jinja b/sirepo/package_data/auth_role_moderation/deny_email.jinja
index 7fddfe0a60..f8a44b90ec 100644
--- a/sirepo/package_data/auth_role_moderation/deny_email.jinja
+++ b/sirepo/package_data/auth_role_moderation/deny_email.jinja
@@ -1 +1 @@
-Your request for {{ app_name }} access has been denied. Community access requires an email address associated with a university, company or research institution. Access is not allowed from countries of particular concern, as designated by the U.S. Department of State, https://www.state.gov/countries-of-particular-concern-special-watch-list-countries-entities-of-particular-concern/
+Your request for {{ product_name }} {{ role_display_name }} access has been denied. Community access requires an email address associated with a university, company or research institution. Access is not allowed from countries of particular concern, as designated by the U.S. Department of State, https://www.state.gov/countries-of-particular-concern-special-watch-list-countries-entities-of-particular-concern/
diff --git a/sirepo/package_data/auth_role_moderation/moderation_email.jinja b/sirepo/package_data/auth_role_moderation/moderation_email.jinja
index 8c8a579cb4..39fa75fbea 100644
--- a/sirepo/package_data/auth_role_moderation/moderation_email.jinja
+++ b/sirepo/package_data/auth_role_moderation/moderation_email.jinja
@@ -1,5 +1,6 @@
 Name: {{ display_name }}
 Simulation Type: {{ sim_type }}
+Role: {{ role }}
 Reason: {{ reason }}
 Email: {{ email_addr }}
 DNS: {{ domain_name }}
diff --git a/sirepo/package_data/static/html/http-plan-required.html b/sirepo/package_data/static/html/http-plan-required.html
new file mode 100644
index 0000000000..c93086ff2a
--- /dev/null
+++ b/sirepo/package_data/static/html/http-plan-required.html
@@ -0,0 +1,8 @@
+<div class="container-fluid">
+  <div class="row">
+    <div class="col-sm-6 col-sm-offset-2">
+      <h1>Plan Required</h1>
+      <p>An <span data-plans-link="" link-text="active plan"></span> is required to use Sirepo.</p>
+    </div>
+  </div>
+</div>
diff --git a/sirepo/package_data/static/js/sirepo-components.js b/sirepo/package_data/static/js/sirepo-components.js
index 2b5e1be54b..dc0c954782 100644
--- a/sirepo/package_data/static/js/sirepo-components.js
+++ b/sirepo/package_data/static/js/sirepo-components.js
@@ -398,11 +398,11 @@ SIREPO.app.directive('canceledDueToTimeoutAlert', function(authState) {
         template: `
             <div data-ng-if="showAlert()" class="alert alert-warning" role="alert">
               <h4 class="alert-heading"><b>Canceled: Maximum runtime exceeded</b></h4>
-              <p>Your runtime limit is {{getTime()}}. To increase your maximum runtime, please upgrade to ${authState.upgradePlanLink()}.</p>
+              <p>Your runtime limit is {{getTime()}}. To increase your maximum runtime, <span data-plans-link="" link-text="{{ upgradeToLink }}"></span>.</p>
             </div>
         `,
         controller: function($scope, appState) {
-            $scope.authState = authState;
+            $scope.upgradeToLink = `please upgrade to a ${authState.upgradeToPlan} plan`;
 
             $scope.getTime = function() {
                 return appState.formatTime($scope.simState.getCanceledAfterSecs());
@@ -1791,6 +1791,20 @@ SIREPO.app.directive('pendingLinkToSimulations', function() {
     };
 });
 
+
+SIREPO.app.directive('plansLink', function() {
+    return {
+        restrict: 'A',
+        scope: {
+            linkText: '@',
+        },
+        template: '<a data-ng-href="{{ plansUrl }}" target="_blank">{{ linkText }}</a>',
+        controller: function($scope) {
+            $scope.plansUrl = SIREPO.APP_SCHEMA.constants.plansUrl;
+        },
+    };
+});
+
 SIREPO.app.directive('safePath', function() {
 
     // keep in sync with sirepo.srschem.py _NAME_ILLEGALS
@@ -3576,6 +3590,7 @@ SIREPO.app.directive('emailLogin', function(requestSender, errorService) {
                    <div data-disable-after-click="">
                     <button data-ng-click="login()" class="btn btn-primary">Continue</button>
                   </div>
+                  <p class="help-block">Your email address must be  associated with a university, company, or research institution.</p>
                   <p class="help-block">By signing up for Sirepo you agree to Sirepo's <a href="en/privacy.html">privacy policy</a> and <a href="en/terms.html">terms and conditions</a>, and to receive informational and marketing communications from RadiaSoft. You may unsubscribe at any time.</p>
                 </div>
               </div>
@@ -4346,17 +4361,20 @@ SIREPO.app.directive('moderationRequest', function(appState, errorService, panel
         template: `
           <form>
             <div class="form-group">
-              <label for="requestAccessExplanation">Please describe your reason for requesting access:</label>
+              <label for="requestAccessExplanation">{{ moderationRequestReason }}:</label>
               <textarea data-ng-show="!submitted" data-ng-model="data.reason" id="requestAccessExplanation" class="form-control" rows="4" cols="50" required></textarea>
             </div>
             <button data-ng-disabled="disableSubmit" data-ng-show="!submitted" type="submit" class="btn btn-primary" data-ng-click="submitRequest()">Submit</button>
           </form>
           <div data-ng-show="submitted">Response submitted.</div>
         `,
-        controller: function(requestSender, $scope) {
+        controller: function(requestSender, $route, $scope) {
             $scope.data = {};
             $scope.submitted = false;
             $scope.disableSubmit = true;
+            $scope.moderationRequestReason = {
+                trial: `To prevent abuse of our systems all new users must supply a reason for requesting access to ${SIREPO.APP_SCHEMA.productInfo.shortName}. In a few sentences please describe how you plan to use ${SIREPO.APP_SCHEMA.productInfo.shortName}`
+            }[$route.current.params.role] ?? 'Please describe your reason for requesting access';
             $scope.submitRequest = function () {
                 const handleResponse = (data) => {
                     if (data.state === 'error') {
@@ -4762,11 +4780,7 @@ SIREPO.app.directive('sbatchLoginModal', function() {
                     <button data-ng-click="cancel()" type="button" class="close" data-ng-disabled="! sbatchLoginService.query('showLogin')"><span>&times;</span></button>
                     </div>
                     <div class="modal-body">
-                        <div data-ng-show="! authState.isPremiumUser()" class="alert alert-warning" role="alert">
-                        <h4 class="alert-heading"><b>Please upgrade</b></h4>
-                        <p>Supercomputer and HPC services are only available with <a data-ng-href="{{ plansUrl }}" target="_blank">one of our paid plans</a>.</p>
-                        </div>
-                        <form name="sbatchLoginModalForm" data-ng-show="authState.isPremiumUser()">
+                        <form name="sbatchLoginModalForm">
                             <div class="sr-input-warning">{{ warning }}</div>
                             <div class="form-group">
                                 <input type="text" class="form-control" name="username" placeholder="username" autocomplete="username" data-ng-model="username" />
@@ -4802,7 +4816,6 @@ SIREPO.app.directive('sbatchLoginModal', function() {
 
 	    _resetLoginFormText();
 	    $scope.authState = authState;
-            $scope.plansUrl = SIREPO.APP_SCHEMA.constants.plansUrl;
 	    $scope.sbatchLoginService = sbatchLoginService;
 
             $scope.cancel = () => {
diff --git a/sirepo/package_data/static/js/sirepo.js b/sirepo/package_data/static/js/sirepo.js
index 522682401e..8741619e8d 100644
--- a/sirepo/package_data/static/js/sirepo.js
+++ b/sirepo/package_data/static/js/sirepo.js
@@ -2,6 +2,7 @@
 // needs to be here so test.sh doesn't see it
 SIREPO.srlog = (...args) => {console.log(
     (new Date().toISOString()).substring(11, 19),
+    (new Error()).stack.split("\n")[2].match(/\(([^)]+)\)/)?.[1] || "[unknown line number]",
     ...args,
 );};
 SIREPO.srdbg = SIREPO.srlog;
@@ -310,11 +311,6 @@ SIREPO.app.factory('authState', function(appDataService, appState, errorService,
         `;
     };
 
-    self.isPremiumUser = function() {
-        // positive test (vs just testing 'basic')
-        return self.paymentPlan == 'premium';
-    };
-
     self.paymentPlanName = function() {
         return SIREPO.APP_SCHEMA.constants.paymentPlans[self.paymentPlan];
     };
@@ -323,12 +319,6 @@ SIREPO.app.factory('authState', function(appDataService, appState, errorService,
 
     self.sbatchHostIsNersc = self.sbatchHostDisplayName ? self.sbatchHostDisplayName.toLowerCase().indexOf('nersc') >= 0 : false;
 
-    self.upgradePlanLink = function() {
-        return '<a href="' + SIREPO.APP_SCHEMA.constants.plansUrl +
-            '" target="_blank">' +
-            SIREPO.APP_SCHEMA.constants.paymentPlans[self.upgradeToPlan] + '</a>';
-    };
-
     return self;
 });
 
@@ -4620,6 +4610,7 @@ SIREPO.app.controller('LoginWithController', function (authState, errorService,
     }
 });
 
+
 SIREPO.app.controller('LoginConfirmController', function (authState, requestSender, $route) {
     var self = this;
     var p = $route.current.params;
diff --git a/sirepo/package_data/static/json/schema-common.json b/sirepo/package_data/static/json/schema-common.json
index 0849c6298c..1d612a484a 100644
--- a/sirepo/package_data/static/json/schema-common.json
+++ b/sirepo/package_data/static/json/schema-common.json
@@ -160,6 +160,7 @@
         "listSimulations": "/simulation-list",
         "newSimulation": "/new-simulation",
         "ownJobs": "/own-jobs",
+        "planRequired": "/plan-required",
         "proxyError": "/proxy-error",
         "pythonSource": "/python-source/<simulation_type>/<simulation_id>/?<model>/?<title>",
         "redirectJupyterHub": "/redirect-jupyterhub",
@@ -427,7 +428,7 @@
                 }
             },
             "moderationRequest":  {
-                "route": "/moderation-request",
+                "route": "/moderation-request/:role",
                 "config": {
                   "sirepoNoLoginRedirect": true,
                   "templateUrl": "/static/html/moderation-request.html"
@@ -453,6 +454,12 @@
                   "templateUrl": "/static/html/copy-session.html"
                 }
             },
+            "planRequired": {
+                "route": "/plan-required",
+                "config": {
+                  "templateUrl": "/static/html/http-plan-required.html"
+                }
+            },
             "proxyError": {
                 "route": "/proxy-error",
                 "config": {
@@ -557,6 +564,11 @@
         }
     },
     "customErrors": {
+        "402": {
+            "url": "http-plan-required.html",
+            "msg": "Plan Required",
+            "route": "planRequired"
+        },
         "403": {
             "url": "http-forbidden.html",
             "msg": "Forbidden",
diff --git a/sirepo/pkcli/roles.py b/sirepo/pkcli/roles.py
index 839c25c697..b3c2f74dfc 100644
--- a/sirepo/pkcli/roles.py
+++ b/sirepo/pkcli/roles.py
@@ -8,20 +8,37 @@
 from pykern.pkdebug import pkdc, pkdexc, pkdlog, pkdp
 from sirepo.pkcli import admin
 import contextlib
+import datetime
 import pykern.pkcli
 import sirepo.auth_role
 import sirepo.quest
 
 
-def add(uid_or_email, *roles):
-    """Assign roles to a user
+def add(uid_or_email, *roles, expiration=None):
+    """Assign roles to a user.
     Args:
         uid_or_email (str): Uid or email of the user
-        *roles: The roles to assign to the user
+        *roles (str): The roles to assign to the user
+        expiration (int): Days until expiration
     """
+    with _parse_args(uid_or_email, roles) as qcall:
+        qcall.auth_db.model("UserRole").add_roles(
+            roles, expiration=_parse_expiration(expiration)
+        )
 
+
+def add_or_update(uid_or_email, *roles, expiration=None):
+    """Add roles or update expirations to existing roles for user.
+    Args:
+        uid_or_email (str): Uid or email of the user
+        *roles (str): The roles to assign to the user
+        expiration (int): Days until expiration
+    """
     with _parse_args(uid_or_email, roles) as qcall:
-        qcall.auth_db.model("UserRole").add_roles(roles)
+        for r in roles:
+            qcall.auth_db.model("UserRole").add_role_or_update_expiration(
+                r, _parse_expiration(expiration)
+            )
 
 
 def add_roles(*args):
@@ -72,6 +89,16 @@ def list(uid_or_email):
         return qcall.auth_db.model("UserRole").get_roles()
 
 
+def list_with_expiration(uid_or_email):
+    """List all roles assigned to a user with their expiration.
+    Args:
+        uid_or_email (str): Uid or email of the user
+    """
+
+    with _parse_args(uid_or_email) as qcall:
+        return qcall.auth_db.model("UserRole").get_roles_and_expiration()
+
+
 def list_roles(*args):
     """DEPRECATED: Use list"""
     return list(*args)
@@ -102,3 +129,11 @@ def _parse_args(uid_or_email, roles=None):
             ), "roles={} not a subset of all_roles={}".format(roles, a)
         with qcall.auth.logged_in_user_set(u):
             yield qcall
+
+
+def _parse_expiration(expiration):
+    return (
+        None
+        if expiration is None
+        else (datetime.datetime.utcnow() + datetime.timedelta(days=int(expiration)))
+    )
diff --git a/sirepo/reply.py b/sirepo/reply.py
index 98ce953109..58ce086802 100644
--- a/sirepo/reply.py
+++ b/sirepo/reply.py
@@ -569,12 +569,12 @@ def _gen_exception_reply_ContentTooLarge(self, args):
     def _gen_exception_reply_Error(self, args):
         return self.from_kwargs(content=_Error(args))
 
-    def _gen_exception_reply_Forbidden(self, args):
-        return self._gen_http_exception(403)
-
     def _gen_exception_reply_NotFound(self, args):
         return self._gen_http_exception(404)
 
+    def _gen_exception_reply_PlanExpired(self, args):
+        return self._gen_http_exception(402)
+
     def _gen_exception_reply_Redirect(self, args):
         return self.gen_redirect(args.uri)
 
@@ -597,6 +597,9 @@ def _gen_exception_reply_SRException(self, args):
         args.pksetdefault(sim_type=lambda: self.qcall.sim_type_uget())
         return self.from_kwargs(content=_SRException(args))
 
+    def _gen_exception_reply_Forbidden(self, args):
+        return self._gen_http_exception(403)
+
     def _gen_exception_reply_Unauthorized(self, args):
         return self._gen_http_exception(401)
 
diff --git a/sirepo/server.py b/sirepo/server.py
index b5b09510d0..132f3eaf3f 100644
--- a/sirepo/server.py
+++ b/sirepo/server.py
@@ -40,7 +40,7 @@
 
 
 class API(sirepo.quest.API):
-    @sirepo.quest.Spec("require_user", sid="SimId")
+    @sirepo.quest.Spec("require_plan", sid="SimId")
     async def api_copyNonSessionSimulation(self):
         req = self.parse_post(id=True, template=True)
         src = pkio.py_path(
@@ -70,7 +70,10 @@ async def api_copyNonSessionSimulation(self):
         return self._save_with_related(req, data)
 
     @sirepo.quest.Spec(
-        "require_user", sid="SimId", folder="SimFolderName", name="SimName"
+        "require_plan",
+        sid="SimId",
+        folder="SimFolderName",
+        name="SimName",
     )
     async def api_copySimulation(self):
         """Takes the specified simulation and returns a newly named copy with the suffix ( X)"""
@@ -84,12 +87,12 @@ async def api_copySimulation(self):
         )
         return self._save_new_and_reply(req, d)
 
-    @sirepo.quest.Spec("require_user", filename="SimFileName", file_type="SimFileType")
+    @sirepo.quest.Spec("require_plan", filename="SimFileName", file_type="SimFileType")
     async def api_deleteFile(self):
         """Deprecated - use `api_deleteLibFile`"""
         return await self.api_deleteLibFile()
 
-    @sirepo.quest.Spec("require_user", filename="SimFileName", file_type="SimFileType")
+    @sirepo.quest.Spec("require_plan", filename="SimFileName", file_type="SimFileType")
     async def api_deleteLibFile(self):
         req = self.parse_post(filename=True, file_type=True)
         e = _simulations_using_file(req)
@@ -107,18 +110,18 @@ async def api_deleteLibFile(self):
         pkio.unchecked_remove(_lib_file_write_path(req))
         return self.reply_ok()
 
-    @sirepo.quest.Spec("require_user", sid="SimId")
+    @sirepo.quest.Spec("require_plan", sid="SimId")
     async def api_deleteSimulation(self):
         req = self.parse_post(id=True)
         simulation_db.delete_simulation(req.type, req.id, qcall=self)
         return self.reply_ok()
 
-    @sirepo.quest.Spec("require_user", filename="SimFileName")
+    @sirepo.quest.Spec("require_plan", filename="SimFileName")
     async def api_downloadFile(self, simulation_type, simulation_id, filename):
         """Deprecated - use `api_downloadLibFile`"""
         return await self.api_downloadLibFile(simulation_type, filename)
 
-    @sirepo.quest.Spec("require_user", filename="SimFileName")
+    @sirepo.quest.Spec("require_plan", filename="SimFileName")
     async def api_downloadLibFile(self, simulation_type, filename):
         req = self.parse_params(type=simulation_type, filename=filename)
         return self.reply_attachment(
@@ -174,7 +177,7 @@ async def api_forbidden(self):
         raise sirepo.util.Forbidden("app forced forbidden")
 
     @sirepo.quest.Spec(
-        "require_user",
+        "require_plan",
         file_type="LibFileType",
     )
     async def api_listFiles(self):
@@ -198,7 +201,9 @@ async def api_findByName(self, simulation_type, application_mode, simulation_nam
         )
 
     @sirepo.quest.Spec(
-        "require_user", application_mode="AppMode", simulation_name="SimName"
+        "require_plan",
+        application_mode="AppMode",
+        simulation_name="SimName",
     )
     async def api_findByNameWithAuth(
         self, simulation_type, application_mode, simulation_name
@@ -249,7 +254,7 @@ async def api_findByNameWithAuth(
         )
 
     @sirepo.quest.Spec(
-        "require_user",
+        "require_plan",
         file="ImportFile",
         folder="SimFolderPath",
         sid="SimId",
@@ -349,7 +354,7 @@ async def api_homePage(self, path_info=None):
             "staticFile", kwargs=PKDict(path_info="en/" + (path_info or "landing.html"))
         )
 
-    @sirepo.quest.Spec("require_user", folder="FolderName", name="SimName")
+    @sirepo.quest.Spec("require_plan", folder="FolderName", name="SimName")
     async def api_newSimulation(self):
         req = self.parse_post(template=True, folder=True, name=True)
         d = simulation_db.default_data(req.type)
@@ -422,7 +427,7 @@ async def api_root(self, path_info=None):
             return self.reply_redirect(u)
         raise sirepo.util.NotFound(f"unknown path={path_info}")
 
-    @sirepo.quest.Spec("require_user", sid="SimId", data="SimData all_input")
+    @sirepo.quest.Spec("require_plan", sid="SimId", data="SimData all_input")
     async def api_saveSimulationData(self):
         # do not fixup_old_data yet
         req = self.parse_post(id=True, template=True)
@@ -449,7 +454,10 @@ async def api_securityTxt(self):
         )
 
     @sirepo.quest.Spec(
-        "require_user", simulation_id="SimId", pretty="Bool optional", section="Section"
+        "require_plan",
+        simulation_id="SimId",
+        pretty="Bool optional",
+        section="Section",
     )
     async def api_simulationData(
         self, simulation_type, simulation_id, pretty=False, section=None
@@ -505,7 +513,7 @@ async def api_listSimulations(self):
             )
         )
 
-    @sirepo.quest.Spec("require_user")
+    @sirepo.quest.Spec("require_plan")
     async def api_simulationRedirect(self, simulation_type, local_route, simulation_id):
         return self.reply_redirect_for_local_route(
             sim_type=simulation_type,
@@ -544,7 +552,7 @@ async def api_staticFile(self, path_info=None):
             return self.reply_html(p)
         return self.reply_file(p)
 
-    @sirepo.quest.Spec("require_user", oldName="SimFolderPath", newName="SimFolderPath")
+    @sirepo.quest.Spec("require_plan", oldName="SimFolderPath", newName="SimFolderPath")
     async def api_updateFolder(self):
         # TODO(robnagler) Folder should have a serial, or should it be on data
         req = self.parse_post()
@@ -569,7 +577,6 @@ async def api_updateFolder(self):
                 qcall=self,
             ):
                 f = r.models.simulation.folder
-                l = o.lower()
                 if f.lower() == o.lower():
                     r.models.simulation.folder = n
                 elif f.lower().startswith(o.lower() + "/"):
@@ -580,7 +587,7 @@ async def api_updateFolder(self):
         return self.reply_ok()
 
     @sirepo.quest.Spec(
-        "require_user",
+        "require_plan",
         file="LibFile",
         file_type="LibFileType",
         simulation_id="SimId",
@@ -591,7 +598,7 @@ async def api_uploadFile(self, simulation_type, simulation_id, file_type):
         return await self.api_uploadLibFile(simulation_type, simulation_id, file_type)
 
     @sirepo.quest.Spec(
-        "require_user",
+        "require_plan",
         file="LibFile",
         file_type="LibFileType",
         simulation_id="SimId",
diff --git a/sirepo/sim_api/jupyterhublogin.py b/sirepo/sim_api/jupyterhublogin.py
index c16a2e4458..6f28981be8 100644
--- a/sirepo/sim_api/jupyterhublogin.py
+++ b/sirepo/sim_api/jupyterhublogin.py
@@ -31,7 +31,7 @@
 
 
 class API(sirepo.quest.API):
-    @sirepo.quest.Spec("require_user", sim_type=f"SimType const={_SIM_TYPE}")
+    @sirepo.quest.Spec("require_plan", sim_type=f"SimType const={_SIM_TYPE}")
     async def api_checkAuthJupyterHub(self):
         # TODO(rorour) do this role check at a higher level
         # (see https://github.com/radiasoft/sirepo/issues/7026)
@@ -44,7 +44,7 @@ async def api_checkAuthJupyterHub(self):
             u = create_user(self)
         return self.reply_ok(PKDict(username=u))
 
-    @sirepo.quest.Spec("require_user", sim_type=f"SimType const={_SIM_TYPE}")
+    @sirepo.quest.Spec("require_plan", sim_type=f"SimType const={_SIM_TYPE}")
     async def api_redirectJupyterHub(self):
         # TODO(rorour) do this role check at a higher level
         # (see https://github.com/radiasoft/sirepo/issues/7026)
diff --git a/sirepo/sim_data/__init__.py b/sirepo/sim_data/__init__.py
index 154bf86edf..89b7329fe5 100644
--- a/sirepo/sim_data/__init__.py
+++ b/sirepo/sim_data/__init__.py
@@ -105,7 +105,7 @@ def _add(proprietary_code_dir, sim_type, cls):
         assert d.exists(), f"{d} proprietary_code_dir must exist" + (
             "; run: sirepo setup_dev" if pkconfig.in_dev_mode() else ""
         )
-        r = qcall.auth_db.model("UserRole").has_role(
+        r = qcall.auth_db.model("UserRole").has_active_role(
             role=sirepo.auth_role.for_sim_type(t),
         )
         if r:
diff --git a/sirepo/sim_oauth/flash.py b/sirepo/sim_oauth/flash.py
index f7085bf419..9ab456eda2 100644
--- a/sirepo/sim_oauth/flash.py
+++ b/sirepo/sim_oauth/flash.py
@@ -20,7 +20,7 @@
 
 
 class API(sirepo.quest.API):
-    @sirepo.quest.Spec("require_user")
+    @sirepo.quest.Spec("require_plan")
     async def api_simOauthFlashAuthorized(self):
         o, _ = sirepo.oauth.check_authorized_callback(self)
         i = PKDict(o.get(cfg.info_url).json())
diff --git a/sirepo/srunit.py b/sirepo/srunit.py
index b835748329..a0198658f0 100644
--- a/sirepo/srunit.py
+++ b/sirepo/srunit.py
@@ -153,6 +153,12 @@ def __init__(self, env, job_run_mode, port):
         if feature_config.cfg().ui_websocket:
             self._websocket = _WebSocket(self)
 
+    def add_plan_trial_role(self):
+        from sirepo.pkcli import roles
+        from sirepo import auth_role
+
+        roles.add(self.sr_uid, auth_role.ROLE_PLAN_TRIAL)
+
     def assert_post_will_redirect(self, expect_re, *args, **kwargs):
         rv = self.sr_post(*args, **kwargs)
         rv.assert_http_redirect(expect_re)
diff --git a/sirepo/uri_router.py b/sirepo/uri_router.py
index 7d90090b50..aa5410e3e9 100644
--- a/sirepo/uri_router.py
+++ b/sirepo/uri_router.py
@@ -27,7 +27,7 @@
 _FUNC_PREFIX = "api_"
 
 #: modules that must be initialized
-_REQUIRED_MODULES = ("auth_api", "job_api", "server", "srtime")
+_REQUIRED_MODULES = ("auth_api", "job_api", "server", "srtime", "auth_role_moderation")
 
 #: uri for default dispatches
 _ROUTE_URI_DEFAULT = ""
@@ -83,13 +83,10 @@ def init_module(want_apis, **imports):
     global _uri_to_route
 
     def _api_modules():
-        m = (
+        return (
             *_REQUIRED_MODULES,
             *sorted(sirepo.feature_config.cfg().api_modules),
         )
-        if sirepo.feature_config.cfg().moderated_sim_types:
-            return m + ("auth_role_moderation",)
-        return m
 
     if _uri_to_route is not None:
         return
diff --git a/sirepo/util.py b/sirepo/util.py
index da24d8e619..83ac34b865 100644
--- a/sirepo/util.py
+++ b/sirepo/util.py
@@ -113,6 +113,12 @@ class NotFound(ReplyExc):
     pass
 
 
+class PlanExpired(ReplyExc):
+    """API requires and active plan"""
+
+    pass
+
+
 class Redirect(OKReplyExc):
     """Raised to redirect
 
diff --git a/tests/adm_and_own_jobs_test.py b/tests/adm_and_own_jobs_test.py
index 603785cd1b..d09c12d4dd 100644
--- a/tests/adm_and_own_jobs_test.py
+++ b/tests/adm_and_own_jobs_test.py
@@ -125,11 +125,16 @@ def _make_user_adm(uid):
         pkunit.pkeq(r[0], uid, "Expected same uid as user")
 
     def _register_both_users():
+        from sirepo.pkcli import roles
+        import sirepo.auth_role
+
         fc.sr_email_login(adm_user, sim_type=t)
+        fc.add_plan_trial_role()
         u = fc.sr_uid
         fc.sr_logout()
         _make_user_adm(u)
         fc.sr_email_login(non_adm_user, sim_type=t)
+        fc.add_plan_trial_role()
 
     fc = auth_fc
     t = "srw"
diff --git a/tests/auth_role_moderation_test.py b/tests/auth_role_moderation_test.py
index 80e207c4ab..9a20a8ae69 100644
--- a/tests/auth_role_moderation_test.py
+++ b/tests/auth_role_moderation_test.py
@@ -7,6 +7,7 @@
 from pykern.pkcollections import PKDict
 
 _MODERATED_SIM_TYPE = "myapp"
+_NON_MODERATED_SIM_TYPE = "elegant"
 
 
 def setup_module(module):
@@ -45,7 +46,14 @@ def test_moderation(auth_fc):
         "saveModerationReason",
         PKDict(
             simulationType=auth_fc.sr_sim_type,
-            reason="reason for needing moderation",
+            reason="moderation for moderated sim type",
+        ),
+    )
+    auth_fc.sr_post(
+        "saveModerationReason",
+        PKDict(
+            simulationType=_NON_MODERATED_SIM_TYPE,
+            reason="moderation for sirepo trial access",
         ),
     )
     r = auth_fc.sr_post(
@@ -60,15 +68,16 @@ def test_moderation(auth_fc):
     r = auth_fc.sr_get("admModerateRedirect")
     r.assert_http_status(200)
     r = auth_fc.sr_post("getModerationRequestRows", PKDict())
-    pkunit.pkeq(len(r.rows), 1)
-    auth_fc.sr_post(
-        "admModerate",
-        PKDict(
-            uid=r.rows[0].uid,
-            role=r.rows[0].role,
-            status="approve",
-        ),
-    )
+    pkunit.pkeq(len(r.rows), 2)
+    for r in r.rows:
+        auth_fc.sr_post(
+            "admModerate",
+            PKDict(
+                uid=r.uid,
+                role=r.role,
+                status="approve",
+            ),
+        )
     auth_fc.sr_logout()
     auth_fc.sr_email_login(a, sim_type=_MODERATED_SIM_TYPE)
     r = auth_fc.sr_sim_data()
diff --git a/tests/db_upgrade_data/auth.txt b/tests/db_upgrade_data/auth.txt
index ac8fdfb7d3..a854741b68 100644
--- a/tests/db_upgrade_data/auth.txt
+++ b/tests/db_upgrade_data/auth.txt
@@ -10,6 +10,7 @@ INSERT INTO db_upgrade_t VALUES('_20231120_deploy_flash_update','');
 INSERT INTO db_upgrade_t VALUES('_20240322_remove_github_auth','');
 INSERT INTO db_upgrade_t VALUES('_20240507_cloudmc_to_openmc','');
 INSERT INTO db_upgrade_t VALUES('_20240524_add_role_user','');
+INSERT INTO db_upgrade_t VALUES('_20250114_add_role_plan_trial','');
 CREATE TABLE auth_email_user_t (
 	unverified_email VARCHAR(255) NOT NULL,
 	uid VARCHAR(8),
diff --git a/tests/parse_error_log_test.py b/tests/parse_error_log_test.py
index fc79ccf990..2d4600de4f 100644
--- a/tests/parse_error_log_test.py
+++ b/tests/parse_error_log_test.py
@@ -4,6 +4,7 @@
 :license: http://www.apache.org/licenses/LICENSE-2.0.html
 """
 
+import getpass
 import os
 
 
@@ -14,6 +15,8 @@ def setup_module(module):
         # Need to set these manually when in non-dev-mode
         SIREPO_COOKIE_IS_SECURE="0",
         SIREPO_COOKIE_PRIVATE_KEY="MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=",
+        SIREPO_AUTH_ROLE_MODERATION_MODERATOR_EMAIL=getpass.getuser()
+        + "@localhost.localdomain",
         # Avoids srw/predefined.json check
         SIREPO_FEATURE_CONFIG_SIM_TYPES="myapp",
         SIREPO_SMTP_PASSWORD="dev",
@@ -47,6 +50,7 @@ def test_runError(fc):
     from pykern.pkdebug import pkdc, pkdp, pkdlog
     import time
 
+    fc.add_plan_trial_role()  # Need to add explicitly when not in dev
     d = fc.sr_sim_data()
     d.models.simulation.name = "srunit_error_run"
     d = fc.sr_post(
@@ -65,5 +69,4 @@ def test_runError(fc):
             return
         time.sleep(1)
         d = fc.sr_post("runStatus", d.nextRequest)
-    else:
-        pkunit.pkfail("Error never returned d={}", d)
+    pkunit.pkfail("Error never returned d={}", d)
diff --git a/tests/pkcli/admin_data/db/auth.db b/tests/pkcli/admin_data/db/auth.db
index 6743ee6d53..07fc300010 100644
Binary files a/tests/pkcli/admin_data/db/auth.db and b/tests/pkcli/admin_data/db/auth.db differ
diff --git a/tests/plan_trial_test.py b/tests/plan_trial_test.py
new file mode 100644
index 0000000000..a65cc4d95f
--- /dev/null
+++ b/tests/plan_trial_test.py
@@ -0,0 +1,41 @@
+"""test Sirepo Trial plan
+
+:copyright: Copyright (c) 2025 RadiaSoft LLC.  All Rights Reserved.
+:license: http://www.apache.org/licenses/LICENSE-2.0.html
+"""
+
+_EXPIRATION_DAYS = 2
+
+
+def test_guest_trial_no_expiration(auth_fc):
+    from pykern import pkunit
+    from sirepo.pkcli import roles
+
+    u = auth_fc.sr_login_as_guest()
+    l = roles.list_with_expiration(u)
+    for r in l:
+        if r.role == "trial" and r.expiration is None:
+            return
+    pkunit.pkfail(f"no trial with no expiration in roles={l}")
+
+
+def test_expired_trial_no_run_sim(auth_fc):
+    from pykern.pkcollections import PKDict
+    from sirepo.pkcli import roles
+    import datetime
+
+    u = auth_fc.sr_email_login("e@e.e")
+    roles.add_or_update(u, "trial", expiration=_EXPIRATION_DAYS)
+    d = auth_fc.sr_sim_data()
+    auth_fc.sr_run_sim(d, "heightWeightReport")
+    with auth_fc.sr_adjust_time(_EXPIRATION_DAYS + 1):
+        auth_fc.sr_post(
+            "runSimulation",
+            PKDict(
+                models=d.models,
+                report="heightWeightReport",
+                simulationId=d.models.simulation.simulationId,
+                simulationType=d.simulationType,
+            ),
+            raw_response=True,
+        ).assert_http_status(402)
diff --git a/tests/proprietary_sim_types_test.py b/tests/proprietary_sim_types_test.py
index 308ee2292f..0b6686966d 100644
--- a/tests/proprietary_sim_types_test.py
+++ b/tests/proprietary_sim_types_test.py
@@ -32,6 +32,7 @@ def test_myapp(auth_fc):
     fc.sr_sim_data()
     fc.sr_logout()
     fc.sr_email_login("a@b.c")
+    fc.add_plan_trial_role()
     r = fc.sr_post(
         "listSimulations", {"simulationType": fc.sr_sim_type}, raw_response=True
     )
diff --git a/tests/supervisor_purge_free_sims_test.py b/tests/supervisor_purge_free_sims_test.py
index abba3d1323..c74c7d456a 100644
--- a/tests/supervisor_purge_free_sims_test.py
+++ b/tests/supervisor_purge_free_sims_test.py
@@ -51,11 +51,11 @@ def _make_user_premium(uid):
 
         roles.add(
             uid,
-            auth_role.ROLE_PAYMENT_PLAN_PREMIUM,
+            auth_role.ROLE_PLAN_PREMIUM,
         )
         with srunit.quest_start() as qcall:
             r = qcall.auth_db.model("UserRole").search_all_for_column(
-                "uid", role=auth_role.ROLE_PAYMENT_PLAN_PREMIUM
+                "uid", role=auth_role.ROLE_PLAN_PREMIUM
             )
         pkunit.pkeq([uid], r, "expecting one premium user with same id")
 
@@ -70,6 +70,7 @@ def _run_sim(data):
     user_free = "free@b.c"
     user_premium = "premium@x.y"
     fc.sr_email_login(user_free)
+    fc.add_plan_trial_role()
     fc.sr_email_login(user_premium)
     _make_user_premium(fc.sr_uid)
     _make_invalid_job()
@@ -95,6 +96,7 @@ def test_elegant_no_frame_after_purge(auth_fc):
     fc = auth_fc
     user_free = "free@b.c"
     fc.sr_email_login(user_free)
+    fc.add_plan_trial_role()
     d = fc.sr_sim_data(sim_name="Compact Storage Ring", sim_type="elegant")
     r = fc.sr_run_sim(d, "animation")
     with fc.sr_adjust_time(_PURGE_FREE_AFTER_DAYS + 1):