Reference
License tiers & entitlements
Your license is a signed artefact that sets which capabilities are active and for how long. Workbench reads it locally — entitlements degrade gracefully rather than taking the core offline. This page lists the dimensions a license controls and the states Workbench reports; the specific limits for each tier are set by your contract.
What a license controls
Entitlements are gated along these dimensions:
- Single sign-on — whether OIDC / SAML SSO is available alongside local accounts.
- Ticket integrations — whether findings can be pushed to GitHub, GitLab, or Jira.
- Insight — whether the connected Insight surface is enabled.
- Databases — how many databases you may register and analyse.
- Instances — how many Workbench installs the license authorises (see below).
The license also carries an informational plan name and a valid_until date. Gating reads the dimensions above directly, not the plan name.
One process per license
Each licensed Workbench install runs as exactly one process. Running a second replica against the same identity, or cloning the identity volume, makes the installs fail closed to LICENSE_INACTIVE on the next attestation. If you need horizontal scale, license one install per Workbench. This is why the Helm chart pins replicaCount: 1 and the Recreate strategy.
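An added example, not part of the Workbench chart or documentation: a Python check over `kubectl get deploy,hpa -o json` output that flags settings which would let two processes run against one license identity, including the transient overlap a RollingUpdate creates during an upgrade. The Deployment name `workbench` and the sample manifests are assumptions constructed for illustration.

```python
import json

def replica_findings(manifest_json, name):
    """List reasons Deployment `name` could run more than one process at once."""
    doc = json.loads(manifest_json)
    objects = doc.get("items", [doc])  # accept a kubectl List or a single object
    findings, seen = [], False
    for obj in objects:
        kind, spec = obj.get("kind"), obj.get("spec", {})
        obj_name = obj.get("metadata", {}).get("name")
        if kind == "Deployment" and obj_name == name:
            seen = True
            # Kubernetes defaults an absent spec.replicas to 1.
            replicas = spec.get("replicas", 1)
            if replicas != 1:
                findings.append(f"replicas={replicas}, expected 1")
            # An absent strategy defaults to RollingUpdate, where the old and
            # new pod can overlap during an upgrade: a transient second replica.
            strategy = spec.get("strategy", {}).get("type", "RollingUpdate")
            if strategy != "Recreate":
                findings.append(f"strategy={strategy}, expected Recreate")
        elif kind == "HorizontalPodAutoscaler":
            ref = spec.get("scaleTargetRef", {})
            if (ref.get("kind"), ref.get("name")) == ("Deployment", name) \
                    and spec.get("maxReplicas", 1) > 1:
                findings.append(f"HPA {obj_name} allows maxReplicas={spec['maxReplicas']}")
    if not seen:
        findings.append(f"Deployment {name} not found")
    return findings

# Constructed sample input; "workbench" is an assumed Deployment name.
PINNED = json.dumps({"kind": "Deployment", "metadata": {"name": "workbench"},
    "spec": {"replicas": 1, "strategy": {"type": "Recreate"}}})
DRIFTED = json.dumps({"kind": "List", "items": [
    {"kind": "Deployment", "metadata": {"name": "workbench"},
     "spec": {"replicas": 2}},
    {"kind": "HorizontalPodAutoscaler", "metadata": {"name": "workbench-hpa"},
     "spec": {"scaleTargetRef": {"kind": "Deployment", "name": "workbench"},
              "maxReplicas": 3}},
]})

if __name__ == "__main__":
    for label, sample in (("pinned", PINNED), ("drifted", DRIFTED)):
        print(label, replica_findings(sample, "workbench") or "ok")
```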
Cache state
/healthz reports the local entitlement cache as one of:
- fresh — read recently, within the cadence window.
- stale — past the cadence window but still usable; a refresh is due.
- empty / unactivated — no license loaded yet (the fresh-install state).
- expired — the license is past its valid_until.
- revoked / invalidated — withdrawn by an imported revocation list or a decommission.
Activation state
Where offline activation is used, Workbench additionally reports an activation state — active, expiring_soon / expiring_critical as re-attestation approaches, expired, rejected, or unactivated. Renew before the deadline; the activate offline guide covers the re-attestation flow.