The feature tax: stop paying to flip switches that cost nothing

Authagonal, June 20, 2026

Somewhere on your auth vendor's pricing page is a checkbox that costs you more per month than an engineer's laptop and costs the vendor nothing to provide. This is a piece about that checkbox.

There's a website called sso.tax. It exists because so many software companies charge so much extra for single sign-on, a feature that costs them roughly nothing to operate, that someone had to build a public shaming list just to keep track. SAML has been a settled standard for two decades. The code is written. The bytes are the same bytes whether a user signs in with a password or a corporate identity provider. And yet "turn on SSO" is reliably the line item that doubles your invoice, or the one that finally forces the dreaded call to sales. That isn't a price. It's a tollbooth on a road that was already built and paid for.

Here's the distinction the industry would prefer you never drew cleanly. There's a difference between metering cost and metering permission. Metering cost is honest: if I send more traffic, store more data, or keep more monthly active users warm, it genuinely costs more to serve me, and you should charge for it. Metering permission is something else entirely. It's charging me to flip a boolean you already wrote, on infrastructure that's already running, to use a feature whose marginal cost to you rounds to zero. Most auth pricing pages are mostly the second thing wearing the first thing's clothes.

Once you can see it, you can't stop seeing it. Single sign-on gated behind the "Enterprise" tier, or billed per connection at a hundred-plus dollars a month each, and sometimes billed twice: once for the SSO connection, and again for the SCIM provisioning that rides the very same integration. Multi-factor authentication sold as a paid upgrade, which is to say a surcharge for not letting your users get phished. Audit logs sliced into retention windows by tier, as though a row from last quarter costs more to store than one from this morning. Machine-to-machine tokens capped and metered, as if signing a JWT were a scarce mineral. And the purest form of all: vendors who unbundle SSO, MFA, and user provisioning into three separate per-seat products, so the thing you thought you were buying (login) shows up in pieces, each with its own price tag.

Then there's the other flavor: the cover charge. At least one well-known identity product asks for several thousand dollars a year before you've authenticated a single human being. SAML is a paid add-on on top of that, and even then all you've licensed is protocol plumbing. You still build the login screens, the admin UI, the MFA enrollment, the audit trail; you still host, patch, and scale the whole thing yourself. The license is the cover charge. The actual product is left as an exercise for your engineering team.

The polite name for all of this is "value-based pricing," and in plenty of businesses that's a perfectly fair idea. Auth has an uglier version of it, because the features being gated are the security and compliance ones: exactly the features you are least able to refuse. You can live without a nicer dashboard. You cannot live without SSO when your biggest prospect's procurement team demands it, or without MFA when your own SOC 2 auditor does. So the industry learned to put precisely those features behind the highest-margin door. It's a tax on doing the responsible thing, collected at the exact moment you have the least leverage to say no.

So what should you pay an auth provider for? The things that genuinely cost them money. Scale costs money: more monthly active users means more sessions, more tokens, more storage, more egress, real resources that grow as you grow. Support costs money: humans answering hard questions at 2am is a real, recurring expense. Pay for those, gladly. That's an honest invoice. What you should never pay for is the privilege of switching on code that's already written and already deployed for everyone else on the platform.

This is the entire reason Authagonal's pricing is shaped the way it is. We charge for scale and for support, and that's the end of the list. Plans differ by how many monthly active users you have and how much hand-holding you want, because those are the only things that actually cost us more as you use more. Everything else is included at every tier, starting from the entry plan: unlimited SSO and SAML connections, SCIM provisioning, MFA, role-based access control, audit logs, and custom branding on your own domain. Not "included on Enterprise." Included. The cheapest plan and the largest plan run the identical feature set; the only thing that changes is how big you're allowed to get.

Because whether SAML is switched on for your tenant is a pricing decision, not an engineering one. The work is done either way. Charging you extra to enable it isn't recovering a cost. It's measuring how much you'll tolerate before you walk. We'd simply rather not run that experiment on our own customers. Build the features once, ship them to everyone, and make money the boring, honest way: when the people using you grow.

You can tell a lot from how a company prices. Most auth vendors charge for things that cost them close to nothing; ours comes down to one line: pay for how big you get, not for which switches you're allowed to flip.

If that's the invoice you'd rather receive, here's exactly who charges for what. SSO's on our side of the table, at no extra charge.