Security isn't a premium feature.

Some auth vendors gate MFA behind their enterprise tier. Others tuck audit logs into a "Business" plan. SAML SSO is the classic one — pay a five-figure upgrade so the same login flow that's free for one of your users works for ten of them at one of your customers.

We don't believe in any of that. Authaz charges on volume, not on features.

Security is not negotiable

Everyone who builds a product owes their users a baseline: passwords stored properly, MFA available, suspicious sign-ins flagged, an audit trail you can read. That baseline doesn't change because a startup picked the free tier. If anything, the startup needs the baseline more — they don't have a security team to compensate.

So when we built Authaz, we picked one rule for security primitives: if it keeps a user safe, it's in every plan.

That means:

  • TOTP MFA — every plan, including free.
  • Audit logs — every plan. Retention scales with tier, but you always have them.
  • Tenant isolation — built into the model, not a checkbox you have to find.
  • Encryption at rest, JWE/JWS tokens, automatic key rotation — the bar, not a feature.

You shouldn't have to choose between "is this product safe" and "can I afford to use it for the first hundred users."

We charge on volume, not on features

The economics are straightforward. It costs us more when you serve more users — CPU, storage, bandwidth, audit-log throughput. We charge for that. Once you're paying for volume, you've already paid for the security you depend on. We don't get to charge twice.

Paid tiers add things that genuinely scale with usage: more MAU, longer retention, custom session lifetimes, multi-region SLA targets, dedicated rate-limit headroom. Those are operational dimensions. They are not "we'll let you do MFA now."

When we charge for something, it's because someone else is

Take WhatsApp OTP. We support sending one-time codes over WhatsApp — useful for AI products with global users where SMS coverage is patchy.

Authaz manages the WhatsApp Business connection for you. We don't make money on your WhatsApp volume. Meta charges per WhatsApp business message; we pass that cost through with no markup. The same shape applies to SMS, voice, and email delivery — we don't mark up the upstream provider's per-message fee. If your usage spikes because your AI agent sent ten thousand verification codes overnight, your bill from us reflects exactly what those upstream services charged us, plus the standard volume fee for the auth itself.

The principle: where there's a real cost, you pay the real cost. Where there isn't, we don't invent one.

So what does the Enterprise plan do?

It buys service, not security.

  • A named account manager who knows your stack.
  • A higher uptime SLA, with credits if we miss it.
  • A dedicated Slack channel and faster response targets.
  • Custom contracts, HIPAA / BAA, regional data-residency commitments.
  • Onboarding and migration help, including off your current vendor.

If you've ever bought enterprise software, this list is exactly what enterprise software is for — relationship and reliability commitments. It's not for unlocking the parts of the product that matter.

We've heard from teams that picked Authaz specifically because they didn't want to explain to their CTO why MFA cost twelve thousand dollars a year. That's a conversation we'd rather you not have to have.

Why this matters now

The companies being built right now — AI startups, agent platforms, vibe-coded SaaS that ships daily — don't have time to negotiate features into their auth contract. They need the safety primitives on day one, the volume fees to come in linearly with usage, and zero surprise upgrades when the first big customer walks in the door.

If you've ever been quoted "that's an enterprise feature" for something a sixteen-year-old can buy from Authy for $1.99 a month, we built Authaz for you.

Get early access — pricing is published. No salesperson required.
