What protocols does Bastionary support?

Bastionary supports email/password auth, WebAuthn passkeys, TOTP MFA, OAuth 2.1-aligned, OpenID Connect, SAML SSO, SCIM provisioning, and webhook-based integration workflows.

Is it truly self-hosted with no data leaving my servers?

Bastionary is designed for self-hosted deployment so identity data, logs, signing keys, and policy decisions can remain on infrastructure you control.

Does it support SAML and SCIM for enterprise provisioning?

Yes. Bastionary supports SAML SSO for enterprise login flows and SCIM-style provisioning patterns for automated user lifecycle management.

What is the difference between Bastionary and Auth0?

Auth0 is a hosted identity vendor. Bastionary is a self-hosted platform that combines authentication, enterprise SSO, billing-linked entitlements, licensing, and feature flags under infrastructure you control.

Can I use Bastionary for both authentication and billing?

Yes. Bastionary combines authentication with billing, licensing, feature flags, and audit-ready operational controls so SaaS teams can reduce identity-adjacent vendor sprawl.

Bastionary — Self-Hosted Authentication Infrastructure

Live platform metrics

Built for production, day one.

These are the numbers Bastionary is handling right now across all cloud-hosted deployments.

1,247

Active Tenants

Live

14.3M

Tokens Issued / Day

Live

99.97%

30-Day Uptime

Live

1.4ms

Token Verify P50

Live

341

API Commands

Typed SDK

< 5s

Cold Boot Time

Docker or binary

View full platform status & live metrics →

What's included

Everything. No asterisk.

Every feature that costs extra on Auth0 is included in the self-hosted edition, forever.

🔐

OIDC Identity Provider

Full OAuth 2.1-aligned + OIDC server. Authorization code + PKCE, PAR (RFC 9126), DPoP (RFC 9449), refresh token rotation with family-based reuse detection. RS256, ES256, EdDSA signing.

🏢

Enterprise SSO

SAML 2.0 with JIT provisioning, SCIM 2.0 user/group sync, enterprise connections, IdP group-to-role mapping. Bring Okta, Azure AD, or any SAML provider.

🛡️

Adaptive MFA + Risk Engine

TOTP, WebAuthn/FIDO2, SMS, magic links. Risk-based step-up authentication — automatically challenges high-risk logins. Bot detection, HIBP credential breach checking, geo-validation.

🔑

Fine-Grained Authorization

Google Zanzibar-inspired relationship-based access control. RBAC, ABAC, and FGA in one system. Policy engine with custom rule evaluation.

🪝

Auth Hooks (20 triggers)

Pre/post hooks for every auth event. Encrypted action secrets injected at runtime. 5 built-in templates (block by country, require MFA, sync to CRM, Slack alerts). Webhook delivery with HMAC signing.

🚀

6 Language SDKs

TypeScript, Python, Go, Ruby, Java, PHP — all zero external dependencies. React drop-in components. Full command namespace coverage with typed responses.

💳

Billing & Licensing built-in

Stripe + Paddle + LemonSqueezy integration. Seat-based licensing, per-feature entitlements, trial management, dunning, affiliate tracking. Auth and billing in one service.

🚩

Feature Flags + Entitlements

Per-user, per-team, per-plan feature flags. Entitlement engine for metered features. A/B testing segments. Onboarding checklist engine. All computed server-side.

📋

SOC 2-Ready Audit Trail

Append-only audit log with SHA-256 hash chain integrity. Config change auditing. GDPR consent management with versioned, immutable records. Data retention policy enforcement.

How it works

Architecture at a glance

Bastionary sits between your app and your identity stack. Every auth event flows through one API layer — tokens, sessions, licenses, and billing in one service.

How it stacks up

The honest comparison

We measured these ourselves. All data from public documentation as of 2026.

Feature	Bastionary	Auth0	Clerk	Keycloak	Cognito
Cloud hosted cost at 100K MAU	$99/mo	~$1,300/mo	~$600/mo	N/A	~$460/mo
OIDC IdP (full RFC)	✓	✓	PARTIAL	✓	PARTIAL
SAML SSO + JIT	✓	✓ Paid	✓ Paid	✓	Lambda triggers
SCIM 2.0	✓	✓ Paid	✓ Paid	✓	✗
Multi-tenancy	✓	✓	✓	✓	✗ DIY
Billing / licensing built-in	✓	✗	✗	✗	✗
Feature flags built-in	✓	✗	✗	✗	✗
6 language SDKs	✓	✓	PARTIAL	✗	AWS SDK only
Setup time	< 5 min	~30 min	~10 min	~2 hours	~1 hour
Self-hosted option	✓ Free forever	✗ SaaS only	✗ SaaS only	✓ Free	✗ AWS only

Bastionary vs Auth0 → Bastionary vs Clerk → Bastionary vs Keycloak → Bastionary vs Cognito → Bastionary vs Firebase →

Pricing

Simple. Transparent. Yours.

Download and self-host free, forever — ELv2 license, no MAU limits, no seat fees. Pay only if you want us to run it for you.

Community

$0 forever

Self-hosted. Unlimited users.

✓ Unlimited MAU

✓ All 341 API commands

✓ OIDC, SAML, SCIM

✓ MFA, risk engine

✓ 55 admin UI pages

✓ Elastic License v2 (ELv2)

○ Community support

○ Self-managed ops

Download & deploy →

Cloud Starter

$29 /month

We host it. You own your data.

✓ All 341 API commands

✓ Managed hosting + SSL

✓ Daily encrypted backups

✓ Provisioning wizard

✓ Email support

○ Up to 10,000 MAU

Start free trial →

Try it free for 14 days.

Create an account, run the provisioning wizard, get your OIDC client + API key. Start building in under 5 minutes. No credit card required for the trial. Cancel anytime.

Start Starter trial (free 14 days) Start Pro trial (free 14 days) →

After 14 days: Starter $29/mo · Pro $99/mo. Questions? Contact us

Get in touch

Questions? We're here.

Reach out about pricing, integrations, enterprise deployments, or anything else.

General questions, sales, enterprise, and security reports — use the form above. We respond within one business day.

One platform for auth, billing & access.

Built for production, day one.

Everything. No asterisk.

Architecture at a glance

The honest comparison

Simple. Transparent. Yours.

Try it free for 14 days.

Questions? We're here.

One platform for
auth, billing & access.