Self-Hosting vs Managed Auth: The True Cost Comparison
Last updated: March 2026
The question of self-hosting vs managed authentication is not just about monthly infrastructure bills. The true cost includes engineering time, opportunity cost, security risk, and the compounding maintenance burden that grows with every user you add. Teams that look only at hosting fees consistently underestimate total cost of ownership by 3–5x.
This guide breaks down every cost component across three models: self-hosted Keycloak on your own infrastructure, SaaS auth providers (Auth0, Okta, Cognito), and managed Keycloak hosting (Skycloak). We provide cost calculations at four scales — 100, 10K, 100K, and 1M users — so you can find your position on the curve.
The Components of Total Cost
Authentication infrastructure cost is not a single line item. It breaks down into these categories:
1. Infrastructure Costs
The servers, databases, load balancers, and networking required to run the auth service.
Self-hosted Keycloak requires at minimum:
- 2–3 Keycloak nodes for high availability
- A managed database (PostgreSQL or MySQL) with replication
- A load balancer with SSL termination
- Persistent storage for sessions and caches
- A CDN or edge network for login page delivery (optional but recommended)
- Monitoring and logging infrastructure
Managed providers bundle this into their per-user or per-authentication pricing.
2. Engineering Time
This is where self-hosting costs are most commonly underestimated.
| Task | Frequency | Estimated Hours |
|---|---|---|
| Initial Keycloak setup and configuration | One-time | 40–80 hours |
| Database setup and tuning | One-time | 16–24 hours |
| CI/CD pipeline for Keycloak deployments | One-time | 16–40 hours |
| Custom theme development | One-time | 24–40 hours |
| Security hardening | One-time | 16–32 hours |
| Keycloak version upgrades | Quarterly | 8–24 hours each |
| Security patching | Monthly | 2–8 hours each |
| On-call incident response | Ongoing | 4–12 hours/month |
| Monitoring and alerting maintenance | Ongoing | 4–8 hours/month |
| Scaling and performance tuning | As needed | 8–40 hours each |
At a fully loaded engineer cost of $150/hour (salary + benefits + overhead), the first year of self-hosting typically costs $50,000–$120,000 in engineering time alone.
3. Security and Compliance
Authentication systems are high-value targets. The cost of security includes:
- Regular penetration testing ($5,000–$30,000 annually)
- SOC 2 / ISO 27001 compliance audits ($20,000–$50,000 annually)
- Vulnerability scanning and CVE monitoring (engineering time)
- Incident response planning and drills (engineering time)
- WAF and DDoS protection ($200–$2,000/month depending on provider)
Managed providers typically absorb these costs and provide compliance certifications as part of their service. Skycloak, for example, maintains SOC 2 Type 1 certification and provides built-in security features including WAF protection.
4. Opportunity Cost
Every hour your engineers spend on auth infrastructure is an hour they are not spending on your product. For startups and growth-stage companies, this is often the largest hidden cost. Auth is table stakes — it does not differentiate your product.
Cost Models by Scale
The following calculations use current (March 2026) pricing from major providers and realistic AWS/GCP infrastructure costs. Your actual costs will vary based on region, negotiated pricing, and specific requirements.
100 Users (Early Stage)
| Component | Self-Hosted | Auth0 | Okta | Skycloak |
|---|---|---|---|---|
| Infrastructure | $150/mo | Included | Included | Included |
| Provider fee | $0 | $0 (free tier) | $2/user = $200/mo | See pricing |
| Engineering setup | $15,000 (one-time) | $2,000 | $2,000 | $1,000 |
| Monthly engineering | $600/mo | $0 | $0 | $0 |
| Year 1 total | ~$24,000 | ~$2,000 | ~$4,400 | See pricing |
At 100 users, self-hosting makes no financial sense unless you have specific regulatory requirements that prevent using any third party. Auth0’s free tier covers this scale. However, be aware that Auth0’s free tier has limitations on features like SSO and social connections that you may need as you grow.
10,000 Users (Growth Stage)
| Component | Self-Hosted | Auth0 | Okta | Skycloak |
|---|---|---|---|---|
| Infrastructure | $600/mo | Included | Included | Included |
| Provider fee | $0 | ~$800/mo (Professional) | ~$2/user = $20,000/yr | See pricing |
| Engineering (annual) | $40,000 | $5,000 | $5,000 | $2,000 |
| Security/compliance | $10,000/yr | Included | Included | Included |
| Year 1 total | ~$57,200 | ~$14,600 | ~$25,000 | See pricing |
At 10,000 users, the economics start to shift. Auth0 and Okta pricing scales linearly with users, while self-hosted infrastructure costs grow logarithmically. But the engineering burden of self-hosting is still significant.
100,000 Users (Scale Stage)
| Component | Self-Hosted | Auth0 | Okta | Skycloak |
|---|---|---|---|---|
| Infrastructure | $2,500/mo | Included | Included | Included |
| Provider fee | $0 | ~$5,500/mo (Enterprise) | Enterprise pricing | See pricing |
| Engineering (annual) | $80,000 | $10,000 | $10,000 | $5,000 |
| Security/compliance | $30,000/yr | Included | Included | Included |
| Scaling engineering | $20,000/yr | $0 | $0 | $0 |
| Year 1 total | ~$160,000 | ~$76,000 | Enterprise quote | See pricing |
At this scale, SaaS providers become expensive. Self-hosting is cheaper on paper, but the engineering burden is real — you need at least a part-time dedicated engineer managing the Keycloak cluster.
1,000,000 Users (Enterprise Scale)
| Component | Self-Hosted | Auth0 | Okta | Skycloak |
|---|---|---|---|---|
| Infrastructure | $8,000/mo | Included | Included | Included |
| Provider fee | $0 | $20,000+/mo | Enterprise quote | See pricing |
| Engineering (annual) | $200,000 | $20,000 | $20,000 | $10,000 |
| Security/compliance | $50,000/yr | Included | Included | Included |
| HA/DR engineering | $40,000/yr | $0 | $0 | $0 |
| Year 1 total | ~$386,000 | ~$280,000+ | Enterprise quote | See pricing |
At 1M users, self-hosting requires a dedicated platform team. The infrastructure is complex (multi-region, active-active, automated failover), and the engineering cost reflects this. SaaS providers are expensive at this scale but eliminate the operational burden. Managed Keycloak sits in between — you get Keycloak’s open-source flexibility without the SaaS per-user pricing.
The Hidden Costs People Forget
Upgrade Burden
Keycloak releases major versions regularly. Each upgrade requires testing against your authentication flows, custom themes, and integrations. Skipping upgrades means accumulating security debt.
From experience, upgrading a production Keycloak cluster takes 8–24 hours of engineering time per quarter. For guidance, see the best strategy to upgrade your Keycloak cluster.
Incident Recovery
Authentication outages are high-severity. If your Keycloak cluster goes down, every user-facing service is affected. The cost of downtime depends on your business, but for SaaS companies, authentication downtime directly translates to lost revenue.
Managed providers offer SLAs with financial guarantees. Skycloak provides an uptime SLA backed by credits. Self-hosted? You carry that risk yourself.
Feature Velocity
SaaS auth providers ship new features regularly — passkeys, DPoP tokens, advanced MFA methods. Self-hosted Keycloak gets these features through upgrades, but adopting them requires configuration, testing, and deployment work.
Features like SCIM provisioning, custom branding, and session management are available in Keycloak but require engineering effort to configure and maintain in a self-hosted setup.
Knowledge Concentration
In self-hosted setups, Keycloak expertise often concentrates in one or two engineers. When they leave, the organization faces a knowledge gap that is expensive to fill. Documentation helps but does not fully mitigate this risk.
Decision Framework
Self-Host When
- You have regulatory requirements that mandate running auth infrastructure in your own environment
- Your team already has deep Keycloak or identity expertise
- You need extreme customization that managed providers cannot support (custom SPIs, protocol extensions)
- Your user volume is high enough that SaaS per-user pricing is prohibitive (500K+ users)
- You need specific deployment topologies (air-gapped, on-premise, sovereign cloud)
Use a SaaS Provider When
- Speed to market is your top priority
- Your team is small and cannot absorb the operational burden
- You are below 10,000 users and per-user pricing is affordable
- You need features that would take significant engineering to build (e.g., Okta’s Workforce Identity integrations)
Use Managed Keycloak When
- You want Keycloak’s flexibility and the protection against vendor lock-in that open source provides
- You want to avoid SaaS per-user pricing that scales linearly
- You need enterprise features (SSO, MFA, audit logs, RBAC) without operating the infrastructure
- Your team should focus on product, not auth infrastructure
- You want compliance certifications without running your own audit process
Calculating Your Cost
Use our ROI Calculator to estimate the total cost of your specific authentication stack. It factors in user count, engineering rates, infrastructure costs, and feature requirements to give you a personalized comparison.
For a deeper analysis of self-hosting costs specifically, see what is the cost of self-hosting Keycloak.
Comparison with Specific Providers
We have published detailed comparisons with the major auth providers:
- Keycloak vs Auth0 — feature and pricing comparison
- Keycloak vs Okta — enterprise IAM head-to-head
- Keycloak vs Cognito — AWS-native vs open-source
- Keycloak vs Firebase Auth — developer-focused comparison
- Keycloak vs FusionAuth — open-source alternative comparison
- Auth0 alternatives — comprehensive market overview
Real-World Migration Considerations
If you are currently self-hosting and considering a managed option, the migration itself has a cost. Realm exports, user migration, client reconfiguration, and DNS changes all take engineering time. See our realm export and import strategy guide for the technical details.
If you are coming from Auth0 or another SaaS provider, see how to migrate from Auth0 to Keycloak.
The Infrastructure You Do Not See
When comparing costs, remember that managed providers handle everything below the application layer:
- High availability — multi-zone deployment, automated failover
- Backups — automated, encrypted, regularly tested
- Monitoring — real-time insights and alerting
- Security — WAF, DDoS protection, SSL management
- Compliance — SOC 2, ongoing security assessments
- Upgrades — automated Keycloak version updates with zero downtime
Building and maintaining all of this yourself is possible, but it is a full-time job.
Wrapping Up
The “cheapest” authentication option depends entirely on what you count as cost. Self-hosting Keycloak has zero licensing fees but substantial engineering and operational costs. SaaS providers eliminate operations but charge per-user fees that scale linearly. Managed Keycloak — like what Skycloak offers — sits in between: open-source flexibility, managed operations, and pricing that does not penalize you for growing.
Run the numbers for your specific scale using our ROI Calculator, or check our pricing page to see how Skycloak compares. If you want to talk through your specific requirements, contact our team.