Docs / Core
Licensing
How activation, validation and the grace period work.
Get a key
Every mlab.sh organisation has a free IR license auto-provisioned. Find it under Organization > Incident Response on mlab.sh and paste it into LICENSE_KEY in your .env.
Validation flow
- On boot,
appreadsLICENSE_KEYand registers the instance withmlab.sh/api/v1/ir/license/validate. - Once per hour the
executorperforms an HMAC challenge-response with mlab.sh: server sends a nonce, instance signs it with the secret derived from the license key. - A successful response refreshes the cached license — tier, limits, expiry, kept locally.
- If mlab.sh is unreachable, the cached license is honored for 48 hours.
- After 48 hours without contact, the instance is locked: read-only for analysts, no new ingestion. Data is never deleted.
- As soon as mlab.sh is reachable again, the lock clears automatically.
License management lives on mlab.sh. Upgrades, downgrades, key rotation, deactivation — all happen at mlab.sh/orga/ir/license. The ir.mlab.sh instance only reads the current state.
Tiers
| Tier | Users | Alerts / month | Cases / month | Support |
|---|---|---|---|---|
free | 3 | 10 | 5 | Community |
lite | 10 | 200 | 50 | |
company | 50 | 3,000 | 500 | Priority email |
corpo | ∞ | ∞ | ∞ | Priority + SLA |
See the pricing page for the full comparison.
What if I hit a limit?
You get a banner in the UI and a warning event in the audit log. The platform keeps running — we don't drop incidents on the floor — but you'll need to upgrade to receive more ingestion the next month. Upgrades take effect within the hour without restart or reinstallation.
Network requirements
The executor needs outbound HTTPS to mlab.sh (443). That's the only egress required. No telemetry, no usage analytics, no error reporting.