The auth platform that doesn't make you choose between Auth0, Clerk, WorkOS, Stripe, Paddle, Twilio, and SendGrid. Bastionary ships them all behind one API, one binary, one bill — and beats every one of them on price, speed, and security.
No assembling 7 SaaS subscriptions. No glue code between Auth0 and Stripe. Just one API.
JWT (RS256/ES256/EdDSA), WebAuthn passkeys, TOTP MFA, SMS auth, social OAuth (Google, GitHub, Discord, Slack, GitLab, LinkedIn), magic links, guest tokens.
SAML 2.0, OIDC, SCIM provisioning, LDAP sync. Self-serve enterprise connections — no sales call required to flip on Okta.
Stripe, Paddle, Lemon Squeezy, PayPal, Coinbase Commerce. Switch processors without rewriting checkout. One license model. Never get stuck on one rail again.
Every login scored. New device, new geo, no MFA, weird hours — composite score forces step-up before the bad guys are inside.
Zanzibar-style relation-based access control. Plus RBAC + ABAC + role hierarchies + nested orgs. Pick your poison — they all compose.
SMS via Twilio, Vonage, AWS SNS, MessageBird, Plivo. Email via SendGrid, Postmark, Mailgun, AWS SES, Resend, SMTP. One API, six vendors each.
Namespace-scoped authorization rules evaluated at runtime. POLICY.EVAL returns allow/deny/challenge per request context. No external policy server needed.
Pause, resume, downgrade, cancel — with prorations. Dunning management, grace periods, overdue suspension. Full billing lifecycle without Stripe Billing lock-in.
JWK lifecycle (create, rotate, revoke, JWKS endpoint). Vault-style secret leasing and rotation. TLS cert issuance via ACME/Let's Encrypt. DPoP support built in.
Service registry, health checks, canary deployments, config management, LB strategies, network isolation. The infra primitives you'd otherwise bolt on separately.
Define products (one-time, subscription, usage). Gate downloads by license. Manage installs per device. Floating licenses. Entitlements. Update channels.
55+ built-in admin pages covering all 341 commands: users, teams, billing, audit, webhooks, feature flags, DPoP bindings, JIT provisioning, threat intel, session management, app registry, auth methods, and more — no custom dashboard to build.
A single /api/v1/execute endpoint runs all 341 commands. Or use the typed SDK. Or the CLI.
```
# Switch payment processor at runtime — no code changes
$ bastionary providers set-default payments paddle

# Score a login attempt
$ bastionary exec RISK.ASSESS --params '{"is_new_device": true, "mfa_enabled": false}'
{ "score": 35, "band": "medium", "reasons": ["no_mfa_enrolled", "new_device"] }

# Or hit the API directly — same surface
$ curl -X POST https://your-instance/api/v1/execute \
    -H "Authorization: Bearer $TOKEN" \
    -d '{"command": "PAYMENT.CHECKOUT", "params": {"product_slug": "pro"}}'
```
Lock-in is theft. Bastionary speaks every major provider so you can change your mind on Tuesday.
| | Bastionary | Auth0 | Clerk | WorkOS | Stripe |
|---|---|---|---|---|---|
| Authentication | ✓ | ✓ | ✓ | ✓ | ✗ |
| SAML / SCIM | ✓ | ✓ (Enterprise) | ✓ (Pro) | ✓ | ✗ |
| Multi-PSP Payments | ✓ 5 vendors | ✗ | ✗ | ✗ | Stripe only |
| Multi-vendor SMS | ✓ 6 vendors | ✗ | ✗ | ✗ | ✗ |
| FGA / ReBAC | ✓ | ✓ (FGA addon) | ✗ | ✗ | ✗ |
| Adaptive Risk Engine | ✓ Built-in | ✓ (Enterprise) | ✗ | ✗ | ✗ |
| Policy Engine (OPA-style) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Subscription lifecycle | ✓ Full | ✗ | ✗ | ✗ | ✓ |
| Signing key management | ✓ JWK+ACME | ✓ (managed) | ✓ (managed) | ✓ (managed) | ✗ |
| Software licensing | ✓ Built-in | ✗ | ✗ | ✗ | ✗ |
| Admin dashboard | ✓ 50+ pages | ✓ | ✓ | ✓ | ✓ |
| Self-hostable | ✓ | ✗ | ✗ | ✗ | ✗ |
| One bill | ✓ | ✗ | ✗ | ✗ | ✗ |
Not a six-week vendor evaluation.