// pricing
Simple.
Transparent.
Self-hosted identity infrastructure. Pay for infrastructure, not per-seat licensing. Your users are yours.
Starter
$0
Everything you need to get your first app authenticating. No limits on users or tokens.
- Unlimited users
- Unlimited realms
- OpenID Connect & OAuth 2.0
- TOTP / MFA
- Social login providers
- Brute force protection
- SAML 2.0
- Priority support
- Custom email domain
Most popular
Pro
$29/mo
For teams shipping multiple products. Adds SAML, custom branding, and dedicated support.
- Everything in Starter
- SAML 2.0 federation
- Custom login theme
- Custom email domain
- User federation (LDAP/AD)
- Fine-grained authorization
- Audit log export
- Priority email support
- SLA guarantee
Enterprise
Custom
For organizations with compliance requirements, custom SLA needs, or high-volume authentication.
- Everything in Pro
- 99.9% uptime SLA
- Dedicated infrastructure
- Custom contract & billing
- Security audit support
- GDPR / SOC2 guidance
- Slack-based support
- Architecture review
- On-call incident response
// compare plans
Feature breakdown
Everything that's included at each tier.
| Feature | Starter | Pro | Enterprise |
|---|---|---|---|
| Core | |||
| Users | Unlimited | Unlimited | Unlimited |
| Realms / tenants | Unlimited | Unlimited | Unlimited |
| OAuth 2.0 & OIDC | ✓ | ✓ | ✓ |
| SAML 2.0 | — | ✓ | ✓ |
| Authentication | |||
| TOTP / Authenticator app | ✓ | ✓ | ✓ |
| WebAuthn / Passkeys | ✓ | ✓ | ✓ |
| Social login (Google, GitHub…) | ✓ | ✓ | ✓ |
| LDAP / Active Directory | — | ✓ | ✓ |
| Customisation | |||
| Custom login theme | — | ✓ | ✓ |
| Custom email domain | — | ✓ | ✓ |
| Email template branding | — | ✓ | ✓ |
| Operations | |||
| Audit log export | — | ✓ | ✓ |
| Uptime SLA | — | — | 99.9% |
| Support | Community | Priority email | Slack + on-call |
// faq
Common questions
Everything you might want to know before integrating.
Is there really no user limit?
Yes. Keycloak doesn't charge per user — it's a single server process connected to your PostgreSQL database. The only limits are your VPS resources. A standard 2-core / 4GB RAM server handles tens of thousands of active users without issue.
Where does my user data live?
Entirely on your own VPS — in your PostgreSQL database. No data is sent to any third party. Passwords are hashed with PBKDF2-SHA256 by default. You own everything.
Can I use SSO.so for multiple separate products?
Yes — that's the main use case. Create one Keycloak realm per product (or a shared realm with separate client registrations). Each realm is completely isolated with its own users, roles, and settings.
What happens if Keycloak goes down?
Users with existing valid tokens can continue using your apps until their token expires (default 5 minutes). New logins and token refreshes will fail until the service is restored. For high availability, Keycloak supports clustering — reach out if you need a clustered setup.
Do I need to know Keycloak to use this?
Not deeply. The docs cover everything you need to integrate an app — fetching the discovery document, registering a client, and handling the OIDC callback. Most modern frameworks have drop-in OIDC middleware that needs only three config values.
// get started
One identity.
All your products.
Start with the docs. Have your first app integrated in minutes.