CIAM pricing guide: how vendors actually charge
CIAM pricing is deliberately opaque. List prices are partial, the features you need are often in a higher tier, and quotes from two vendors rarely compare line for line. This guide shows what to look for before you take a sales call.
The pricing models
- Per monthly active user (MAU): the dominant model. You pay for users who authenticate in a billing period. It punishes growth and seasonal spikes, and the definition of “active” varies by vendor.
- Per monthly active token / machine identity: relevant once you expose APIs and run non-human identities (service accounts, workloads) through the same platform.
- Flat tiers with caps: simpler, but you hit a ceiling and jump a tier.
- Per feature: the real cost driver, because the headline MAU price rarely includes what you need.
Where the cost actually hides
The MAU rate is the number vendors advertise. The bill is set by what is gated above it:
- Enterprise SSO (the “SSO tax”) and SCIM, often top-tier only. If these features are what close enterprise deals, weigh their tier cost against the deal sizes they unlock.
- Adaptive MFA and passwordless / passkeys, frequently gated.
- SMS OTP, usually a pass-through telecom cost on top of the license.
- Premium support and SLAs.
- Data residency (EU hosting) as an add-on.
How to compare quotes
- Project MAU at 12 and 24 months, not today. Model the growth curve.
- List your must-have features and find which tier each requires, per vendor.
- Get the all-in number for that tier at projected scale, including SMS and support.
- Ask about the annual increase and the overage rate when you exceed your committed MAU.
- Estimate the migration cost off the platform. Lock-in is a price.
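The checklist above is easiest to apply as a small model. The following Python is an added example, not part of this guide and not any vendor's price list: it projects MAU over 24 months, picks the cheapest tier per vendor that unlocks the required features, and totals license (committed MAU plus overage), support and SMS pass-through, applying the year-two uplift. Both vendors, their tiers, every rate, the growth curve, the SMS usage profile and the required feature set are constructed assumptions chosen to illustrate the point.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    mau_rate: float          # advertised price per committed MAU, per month
    min_commit: int          # MAU you pay for even if you use fewer
    overage_rate: float      # price per MAU above the commitment
    features: frozenset      # features unlocked at this tier
    support_monthly: float   # premium support / SLA add-on, per month


@dataclass(frozen=True)
class Vendor:
    name: str
    tiers: tuple
    sms_per_message: float   # pass-through telecom cost for SMS OTP
    annual_increase: float   # uplift applied to the license from month 12 on


# Constructed vendors: identical headline entry rate, different gating above it.
VENDOR_A = Vendor(
    name="Vendor A (constructed)",
    tiers=(
        Tier("Essentials", 0.02, 10_000, 0.03, frozenset({"mfa"}), 0.0),
        Tier("Professional", 0.05, 10_000, 0.07,
             frozenset({"mfa", "passkeys", "sso", "scim", "eu_residency"}), 500.0),
        Tier("Enterprise", 0.12, 25_000, 0.15,
             frozenset({"mfa", "passkeys", "sso", "scim", "eu_residency"}), 2_000.0),
    ),
    sms_per_message=0.01,
    annual_increase=0.05,
)

VENDOR_B = Vendor(
    name="Vendor B (constructed)",
    tiers=(
        Tier("Starter", 0.02, 10_000, 0.03, frozenset({"mfa"}), 0.0),
        Tier("Growth", 0.06, 10_000, 0.08, frozenset({"mfa", "passkeys"}), 750.0),
        Tier("Enterprise", 0.15, 50_000, 0.20,
             frozenset({"mfa", "passkeys", "sso", "scim"}), 3_000.0),
    ),
    sms_per_message=0.03,
    annual_increase=0.08,
)


def project_mau(start: int, monthly_growth: float, months: int) -> list:
    """Project MAU month by month with compound monthly growth."""
    return [round(start * (1 + monthly_growth) ** m) for m in range(months)]


def cheapest_tier(vendor: Vendor, required: set):
    """Lowest-rate tier that unlocks every required feature; None if no tier does."""
    eligible = [t for t in vendor.tiers if required <= t.features]
    return min(eligible, key=lambda t: t.mau_rate) if eligible else None


def monthly_license(tier: Tier, mau: int) -> float:
    """Committed MAU at the tier rate, plus overage for every MAU above the commitment."""
    committed = tier.mau_rate * tier.min_commit
    overage = tier.overage_rate * max(0, mau - tier.min_commit)
    return committed + overage


def two_year_total(vendor: Vendor, required: set, mau_curve: list,
                   sms_share: float, sms_per_user: float):
    """All-in cost over the curve: license (with year-two uplift), support, SMS."""
    tier = cheapest_tier(vendor, required)
    if tier is None:
        return None  # a must-have feature is not sold at any tier
    license_cost = support = sms = 0.0
    for month, mau in enumerate(mau_curve):
        uplift = 1 + vendor.annual_increase if month >= 12 else 1.0
        license_cost += monthly_license(tier, mau) * uplift
        support += tier.support_monthly
        sms += mau * sms_share * sms_per_user * vendor.sms_per_message
    return {"tier": tier.name, "license": round(license_cost, 2),
            "support": round(support, 2), "sms": round(sms, 2),
            "total": round(license_cost + support + sms, 2)}


def compare(required=frozenset({"mfa", "sso", "scim"}), start_mau=10_000,
            monthly_growth=0.05, months=24, sms_share=0.3, sms_per_user=2):
    """Run the same assumptions against every vendor; assumptions are constructed."""
    curve = project_mau(start_mau, monthly_growth, months)
    return {v.name: two_year_total(v, set(required), curve, sms_share, sms_per_user)
            for v in (VENDOR_A, VENDOR_B)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Both constructed vendors advertise the same 0.02 entry rate, yet requiring SSO and SCIM forces Vendor A onto its Professional tier and Vendor B onto a 50,000 MAU Enterprise commitment; with support and SMS added, the 24-month totals differ by several multiples. Swap in the tiers and rates from real quotes to reproduce the comparison for your own shortlist.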
The honest summary
Two vendors with the same MAU rate can differ 3x once features and scale are included. Never compare on the advertised number. Use the vendor matcher to shortlist by the features you actually need, then run this checklist against each quote.