About Bastionary

Built on the idea of a bastion

A bastion is the strongest point in a defensive fortification — the part engineered to hold when everything else is under pressure. That's exactly what your authentication layer should be.

bastion
/ ˈbæs.tʃən / · noun
1. A projecting part of a fortification built at an angle, designed to allow defensive fire in multiple directions.

2. A thing or person considered as a protector of something, or as a strongly maintained system of values.

— from the Italian bastione, from bastia (fortified building)

Why "Bastionary"?

Authentication is the gate to everything your product does. It decides who gets in, what they're allowed to see, and whether someone trying to break in succeeds or fails. Done right, it's invisible — users just log in and work. Done wrong, it becomes the single most consequential vulnerability in your entire system.

We chose the name Bastionary because we think about auth the same way military architects thought about bastions: it should be the hardest point to breach, designed with overlapping defenses, with no single point of failure.

The "-ary" suffix turns "bastion" into something more active — a place, a practice, an institution. Like a library is where you work with books, a bastionary is where you work with identity. It's a platform, not just a library.

What we're building

Bastionary is a self-hosted platform that handles the full identity + billing + licensing stack for software products. Instead of stitching together Auth0, Stripe, LaunchDarkly, and Keygen — four separate vendors, four contracts, four SLAs, four price increases — you run one system you actually own.

  • Authentication & identity — email/password, passkeys, TOTP MFA, SAML SSO, OAuth providers, magic links, SMS OTP, WebAuthn
  • Authorization — role-based access control, fine-grained authorization, policy engine, attribute-based access
  • Billing & subscriptions — plans, trials, metered usage, dunning, Stripe integration
  • Licensing — per-seat, per-machine, floating, offline licenses
  • Feature flags — progressive rollouts, A/B testing, entitlements per plan
  • Developer platform — REST API, webhooks, audit logs, OIDC/OAuth 2.1-aligned, SCIM provisioning

Everything runs on your infrastructure, in your cloud account, in your data center — wherever you want. You control the data. You set the retention policies. You decide what goes where.

Who this is for

Bastionary is designed for software teams that have grown past the "just grab a managed auth service" stage and are starting to feel the friction: escalating costs, missing enterprise features, compliance requirements that need data sovereignty, or the desire to stop paying for infrastructure you don't control.

If you're a SaaS company, an enterprise ISV, or a team building developer tools — and you're currently paying per-MAU or per-seat to a vendor for features you could own outright — Bastionary is for you.

Our principles

🏰

Defense in depth

Multiple overlapping controls, not single-point security theater.

🔓

Self-hosted first

Your data stays where you put it. We don't have a copy.

🔧

Operator-grade APIs

Every feature is accessible via API. No features trapped in the UI.

📐

Standards compliance

OAuth 2.1-aligned, OIDC, SCIM 2.0, WebAuthn — not proprietary lock-in.

SummitFlux

Bastionary is built and maintained by SummitFlux LLC — a software company focused on building infrastructure tools for independent software businesses. We eat our own cooking: Bastionary runs the auth and billing stack for our own products.

If you have questions, want to report a vulnerability, or just want to talk about what you're building — reach out on the contact page.
