Bastionary vs Firebase Auth.
Standard OIDC, not Google-flavored JWT.
Firebase Authentication is an impressive product — it handles social logins, custom tokens, and phone auth with minimal config. But it runs exclusively on Google infrastructure, tokens require verification against Google-hosted keys rather than a locally shared secret, SAML and multi-tenancy require an upgrade to the paid Identity Platform tier, and there is no self-hosted option. If Google lock-in, data residency, or integrated billing and licensing matter to your team, Bastionary is standard OIDC from day one, deployable anywhere.
The Firebase ceiling.
- JWKS-based token verification: Firebase ID tokens are JWTs signed by Google-managed keys. You can verify them with the Firebase Admin SDK or with a third-party JWT library if you validate against Google's published JWKS endpoint and check the required claims. This is not the same as a locally shared-secret token — it introduces an external key dependency and claim-mapping requirements.
- SAML and enterprise SSO require an upgrade: Core Firebase Authentication does not support SAML 2.0 or SCIM 2.0. These are available via Firebase Authentication with Identity Platform, the paid upgrade tier. If you land an enterprise customer who requires SSO with Azure AD or Okta, verify whether your current Firebase tier supports it before committing.
- Google-only infrastructure: Your auth lives on Google servers, in Google's data centers. There is no self-hosted Firebase Auth. EU data residency, HIPAA BAA, and custom infrastructure requirements are not options — you accept Google's terms or you don't use Firebase Auth.
- Multi-tenancy requires the paid Identity Platform upgrade: Firebase Authentication with Identity Platform supports multi-tenancy. Core Firebase Auth does not. Building B2B SaaS with per-customer tenant isolation, custom SSO per customer, or per-tenant branding requires either the paid tier or significant custom work on top of the base product.
- Custom token complexity: If you need custom claims beyond Firebase's built-in fields, you must set them via the Admin SDK on a backend — there's no UI or REST API for it. Claims propagation has delays of up to an hour due to caching.
- Billing and licensing not included: Firebase Auth handles identity. You still need Stripe for billing, Keygen for license keys, and LaunchDarkly for feature flags. Bastionary replaces all four.
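The "JWKS-based token verification" point above is worth seeing end to end, because it is where the external key dependency and the claim-mapping requirements actually bite. The following is an added example, not code from Firebase, Google or Bastionary: it uses only the Go standard library, generates a throwaway RSA key to stand in for the provider's signing key, publishes the public half as a JWK Set, mints an RS256 token, and then verifies it the way a relying party must: pin the algorithm, select the key by `kid`, check the signature, then check `iss`, `aud` and `exp`. The issuer and audience strings, the `kid` value and the claims are all constructed for the example; in a real deployment the JWK Set is fetched from the provider's published JWKS endpoint (and cached by `kid`) rather than built locally, and the required `iss`/`aud` values are whatever that provider documents.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is the subset of one RSA entry in a JWK Set (RFC 7517) that RS256 verification needs.
type jwk struct {
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type jwks struct{ Keys []jwk `json:"keys"` }

var b64 = base64.RawURLEncoding // JWT and JWK use unpadded base64url

// buildJWKS publishes the public half of a signing key the way a provider's JWKS endpoint would.
func buildJWKS(kid string, pub *rsa.PublicKey) jwks {
	e := big.NewInt(int64(pub.E)).Bytes()
	return jwks{Keys: []jwk{{Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}}}
}

// signRS256 mints header.payload.signature over the given claims (the provider side).
// The returned token is only usable when err is nil.
func signRS256(kid string, priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// lookupKey selects the JWKS entry named by the token's kid and rebuilds the RSA public key.
func lookupKey(keys jwks, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys.Keys {
		if k.Kid != kid {
			continue
		}
		nb, errN := b64.DecodeString(k.N)
		eb, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, fmt.Errorf("JWK %q is malformed", kid)
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, nil
	}
	return nil, fmt.Errorf("no key with kid %q in JWKS", kid)
}

// verifyRS256 is the relying-party side: pinned algorithm, signature against the JWKS, then iss, aud and exp.
func verifyRS256(token string, keys jwks, wantIss, wantAud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string } // alg is pinned below; the token header never chooses the algorithm
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header unreadable or alg is not RS256")
	}
	pub, err := lookupKey(keys, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var claims map[string]any
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, fmt.Errorf("payload unreadable")
	}
	// Claim mapping: a good signature from the right key is necessary, not sufficient.
	// aud is compared as a single string here; RFC 7519 also allows an array of audiences.
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64; a missing exp reads as 0 and fails
	if claims["iss"] != wantIss || claims["aud"] != wantAud || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("claims rejected: iss=%v aud=%v exp=%v", claims["iss"], claims["aud"], exp)
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the provider's private signing key
	tok, _ := signRS256("key-1", priv, map[string]any{"iss": "https://idp.example.test", "aud": "demo-app", "sub": "user-42", "exp": time.Now().Add(time.Hour).Unix()})
	got, err := verifyRS256(tok, buildJWKS("key-1", &priv.PublicKey), "https://idp.example.test", "demo-app", time.Now())
	fmt.Println(got["sub"], err) // user-42 <nil>
}
```

The order of checks in `verifyRS256` is the point: the algorithm is fixed by the verifier before any key is looked up, the key comes from the JWK Set by `kid` rather than from anything in the token, and the `iss`/`aud`/`exp` comparison runs only after the signature holds. Swapping a shared-secret (HS256) library in for this without the JWKS fetch and the claim mapping is exactly the shortcut the section warns against.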
What each does out of the box.
| Feature | Firebase Auth | Bastionary |
|---|---|---|
| Standard OIDC/OAuth 2.0 | ~ Firebase-flavored (custom JWKS) | ✓ Fully RFC-compliant |
| SAML 2.0 | ~ Identity Platform (paid upgrade) only | ✓ Full, API-configured |
| SCIM 2.0 | ✗ Not supported | ✓ Built-in |
| Multi-tenancy | ~ Identity Platform (paid upgrade) only | ✓ First-class org model |
| Self-hosted option | ✗ Google-only | ✓ Deploy anywhere |
| Custom domain auth | ✓ (requires Firebase Hosting) | ✓ Any domain, no hosting dependency |
| Social logins | ✓ Excellent | ✓ Full |
| HIBP breach detection | ✗ | ✓ Every password, k-anonymity (can be disabled for air-gapped deployments) |
| DPoP tokens | ✗ | ✓ RFC 9449 |
| Billing integration | ✗ | ✓ Stripe, Paddle, LemonSqueezy |
| Software licensing | ✗ | ✓ Offline RSA keys |
| Feature flags | ✗ | ✓ Built-in, plan-gated |
| EU data residency | ~ Limited to Firebase regions | ✓ Self-host in any region |
| Pricing (100K MAU) | Free (Identity Platform: $0.0055/MAU) | $99/mo flat |
| Standard JWT verification | ~ Requires Firebase JWKS | ✓ Standard RS256, any JWT library |
Who Firebase is right for.
Firebase Auth is the right choice for consumer apps that are already deep in the Google ecosystem (Firestore, Cloud Functions, Firebase Hosting), where social logins are the primary auth method, you have no B2B enterprise requirements, and you're comfortable with Google lock-in. The free tier is genuinely generous for consumer apps.
Bastionary is the right choice if you need standard OIDC that works with any JWT library, need SAML/SCIM for enterprise customers, want to self-host for data residency or compliance, are building B2B SaaS, or need billing/licensing/auth in one system without bolting on additional vendors.
14-day free trial. Works everywhere Firebase doesn't.
Standard OIDC. RS256. Self-hostable. Deploy to your own server or use our cloud. No Google dependencies.