Bastionary — Open Authentication Infrastructure

What's included

Everything. No asterisk.

Every feature that costs extra on Auth0 is included in the self-hosted edition, forever.

🔐

OIDC Identity Provider

Full OAuth 2.1 + OIDC server. Authorization code + PKCE, PAR (RFC 9126), DPoP (RFC 9449), refresh token rotation with family-based reuse detection. RS256, ES256, EdDSA signing.

🏢

Enterprise SSO

SAML 2.0 with JIT provisioning, SCIM 2.0 user/group sync, enterprise connections, IdP group-to-role mapping. Bring Okta, Azure AD, or any SAML provider.

🛡️

Adaptive MFA + Risk Engine

TOTP, WebAuthn/FIDO2, SMS, magic links. Risk-based step-up authentication — automatically challenges high-risk logins. Bot detection, HIBP credential breach checking, geo-validation.

🔑

Fine-Grained Authorization

Google Zanzibar-inspired relationship-based access control. RBAC, ABAC, and FGA in one system. Policy engine with custom rule evaluation.

🪝

Auth Hooks (20 triggers)

Pre/post hooks for every auth event. Encrypted action secrets injected at runtime. 5 built-in templates (block by country, require MFA, sync to CRM, Slack alerts). Webhook delivery with HMAC signing.

🚀

6 Language SDKs

TypeScript, Python, Go, Ruby, Java, PHP — all zero external dependencies. React drop-in components. Full command namespace coverage with typed responses.

💳

Billing & Licensing built-in

Stripe + Paddle + LemonSqueezy integration. Seat-based licensing, per-feature entitlements, trial management, dunning, affiliate tracking. Auth and billing in one service.

🚩

Feature Flags + Entitlements

Per-user, per-team, per-plan feature flags. Entitlement engine for metered features. A/B testing segments. Onboarding checklist engine. All computed server-side.

📋

SOC 2-Ready Audit Trail

Append-only audit log with SHA-256 hash chain integrity. Config change auditing. GDPR consent management with versioned, immutable records. Data retention policy enforcement.

How it stacks up

The honest comparison

We measured these ourselves. All data from public documentation as of 2026.

Feature	Bastionary	Auth0	Clerk	Keycloak
Self-hosted	✓ Free	✗ N/A	✗ N/A	✓ Free
Cost at 100K MAU	$0	~$1,300/mo	~$600/mo	Ops cost
OIDC IdP (full RFC)	✓	✓	PARTIAL	✓
SAML SSO + JIT	✓	✓ Paid	✓ Paid	✓
SCIM 2.0	✓	✓ Paid	✓ Paid	✓
Risk engine / Adaptive MFA	✓	✓ Paid	✗	✗
Fine-grained authz (FGA)	✓	✓ Paid	✗	PARTIAL
Billing / licensing built-in	✓	✗	✗	✗
Feature flags built-in	✓	✗	✗	✗
Auth hooks (20 triggers)	✓	✓	✓	✗
6 language SDKs	✓	✓	PARTIAL	✗
Setup time	< 5 min	~30 min	~10 min	~2 hours

Pricing

Simple. Transparent. Yours.

Download and self-host free, forever — no license, no MAU limits, no strings. Pay only if you want us to run it for you.

Community

$0 forever

Self-hosted. Unlimited users.

✓ Unlimited MAU

✓ All 340+ API commands

✓ OIDC, SAML, SCIM

✓ MFA, risk engine

✓ 55 admin UI pages

✓ MIT licensed

○ Community support

○ Self-managed ops

Download & deploy →

Cloud Starter

$29 /month

We host it. 10K MAU.

✓ Up to 10,000 MAU

✓ Managed hosting

✓ Automatic updates

✓ SSL + CDN included

✓ Nightly backups

✓ Email support

Join waitlist →

Be first on the cloud.

Cloud hosting is in private beta. Join the waitlist and get early access + locked-in pricing.

Get in touch

Questions? We're here.

Reach out about pricing, integrations, enterprise deployments, or anything else.

hello@bastionary.com sales@bastionary.com security@bastionary.com

Auth infrastructure you actually own.

Everything. No asterisk.

The honest comparison

Simple. Transparent. Yours.

Be first on the cloud.

Questions? We're here.

Auth infrastructure
you actually own.