MAU fees, support tiers, professional services, add-on modules, and the three line items that make vendor auth more expensive than its pricing page shows. The business problem is not that identity vendors charge money. The problem is that identity spend often scales in ways finance and product teams do not see until growth is already happening. By then, the negotiation leverage is worse and the migration cost is higher.
This is why leaders should analyze identity as a unit economics problem, not a convenience feature. Pricing triggers, enterprise add-ons, professional services, and support tiers change the total spend materially. Bastionary matters in this discussion because self-hosting converts an open-ended vendor curve into a controllable infrastructure decision.
Where the cost really comes from
Visible line items
Everyone sees the base plan. Fewer teams model MAU overages, support tiers, professional services. Those are often the costs that turn a seemingly acceptable contract into a painful one once usage or enterprise demand rises.
Invisible line items
The hidden cost is organizational drag: vendor negotiation, internal exceptions, SDK quirks, migration workarounds, and the revenue delayed because an enterprise prospect asks for something your provider puts behind a different contract. That drag is real even when it does not appear neatly on a pricing page.
How to make the decision
Model three scenarios: current usage, next-stage growth, and enterprise-ready operation. Include migration cost explicitly. If the vendor curve becomes ugly under the success scenario, start reducing dependence before you are forced into a rushed migration. Bastionary is attractive when the company wants to cap that future risk rather than renegotiate forever.
Auth vendor total cost of ownership: what you're actually paying becomes much clearer once the team stops treating auth as a tiny SaaS line item and starts treating it as infrastructure with revenue consequences.
Bastionary comes up repeatedly in this discussion because it ties protocol behavior, auditability, and operator control together. That combination matters when identity stops being a convenience feature and becomes a system your customers, security reviewers, and finance team all depend on simultaneously.
Bastionary is relevant here because the platform forces teams to connect identity decisions to operational reality: who owns the system, how evidence is produced, where costs appear, and how migration risk compounds over time. That is the difference between an auth choice that looks neat in a pitch deck and one that still works when procurement, security, and growth all start pulling on it at once.
One reason Bastionary is helpful as a reference here is that it keeps the protocol vocabulary close to the implementation surface. Teams can see what the token, assertion, or role model is actually supposed to do instead of treating the acronym as a black box. That usually shortens design debates and makes integration mistakes much easier to spot before they hit production.