Authress
Last verified 2026-04-30 · Reviewed by guptadeepak
Editorial verdict
Authress is the authorization-first developer CIAM in 2026, with native ReBAC and Zanzibar-style FGA at a price point materially below Auth0 FGA or WorkOS FGA. For B2B SaaS designing fine-grained per-resource permissions, where authorization rather than authentication is the binding constraint, Authress removes the two-vendor split (a full CIAM plus a separate authz service) that most such teams end up running. For teams whose binding constraint is auth methods or B2C scale, look elsewhere.
Last verified by @guptadeepak on 2026-04-30.
At a glance
| Attribute | Authress |
|---|---|
| Best for | B2B SaaS that needs serious authorization (FGA / ReBAC) without buying a separate authz vendor |
| Pricing | Tiered MAU |
| Free tier | 1,000 MAU |
| Deployment | Cloud SaaS |
| SOC 2 Type II | Yes |
| Passkeys | Native |
| Self-host | No |
| Open source | No |
Funding & business
| Attribute | Authress |
|---|---|
| Funding model | Bootstrapped |
| Total raised | None |
| Latest round | None disclosed |
| Years in business | 6 yrs |
| Profitable | Not disclosed |
Privately held by Rhosys AG (Switzerland); no disclosed institutional funding.
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Authorization-first design, native ReBAC and Zanzibar-style FGA at a price point below Auth0 FGA or WorkOS FGA.
- Strong B2B multi-tenant model with per-resource permission evaluation.
- Includes authentication and authorization in one product without forcing a two-vendor split.
- Modern API design with typed SDKs across major languages.
Limitations
- Smaller community than Auth0 / Clerk; fewer integrations and partner connectors.
- Authentication features are competitive but not the differentiator; teams picking on auth alone usually go elsewhere.
- Compliance footprint is solid for B2B (SOC 2, ISO 27001) but lacks HIPAA, FedRAMP, PCI DSS.
- No managed bot defense or advanced fraud signals.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Authress |
|---|---|
| Password authentication | No |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | No |
| Email OTP | Yes |
| TOTP (authenticator app) | No |
| Push MFA | No |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Partial |
| Passwordless-only flows | Yes |
| Adaptive MFA | No |
| Step-up auth | Partial |

| Capability | Authress |
|---|---|
| RBAC | Yes |
| ABAC | Yes |
| ReBAC | Yes |
| FGA engine | Yes |
| API authorization | Yes |
| Fine-grained permissions | Yes |

| Capability | Authress |
|---|---|
| Self-service registration | Yes |
| Progressive profiling | No |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |

| Capability | Authress |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, python, go, java, dotnet |
| CLI | Yes |
| Terraform provider | Yes |
| Local emulator | No |
| Extension model | Webhooks + custom rules |

| Capability | Authress |
|---|---|
| Bot detection | No |
| Breached password detection | No |
| Brute-force protection | Yes |
| Anomaly detection | No |
| Log streams | Yes |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Yes |
| Post-quantum roadmap | No |

| Capability | Authress |
|---|---|
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | Yes |
| Agent vs human token separation | No |
| Web Bot Auth | No |

| Capability | Authress |
|---|---|
| SOC 2 Type II | Yes |
| ISO 27001 | Yes |
| ISO 27018 | No |
| HIPAA | No |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |

| Capability | Authress |
|---|---|
| Consent management | No |
| Preference center | No |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| MAU | Estimated price |
|---|---|
| 10,000 MAU | $25/mo |
| 100,000 MAU | $350/mo |
| 500,000 MAU | $1,500/mo |
| 1,000,000 MAU | $2,900/mo |
- Authorization-first product: you pay primarily for permission evaluations
- Auth (login flows) is the simpler product surface; authz is where the depth lies
- B2B Organizations and per-resource permissions are included at the standard tier
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- B2B SaaS that needs serious authorization (FGA / ReBAC) without buying a separate authz vendor
- Apps with complex per-resource permission models
- Teams that prefer a single vendor for authn + authz
Not for
- Apps prioritizing best-in-class authentication features over authorization
- B2C consumer apps with serious progressive profiling and fraud needs
- Workloads requiring HIPAA, FedRAMP, or PCI DSS
FAQ
- What is ReBAC?
- Relationship-Based Access Control, a permission model derived from Google's Zanzibar paper where access decisions evaluate relationships between subjects and resources (e.g., "Alice is a member of Acme Corp's engineering team, which has read access to repo X"). ReBAC is more expressive than RBAC for SaaS multi-tenant scenarios; Authress, OpenFGA, Authzed, and Permify are the major implementations.
- How does Authress compare to WorkOS FGA or Auth0 FGA?
- All three ship Zanzibar-style FGA. WorkOS FGA and Auth0 FGA bundle FGA inside their broader CIAM product; Authress builds the entire CIAM around authz as the core, which makes the model more idiomatic for serious authorization scenarios. Authress is also materially cheaper at the FGA-evaluation tier.
- Should I use Authress for authn or authz?
- Both, but the authz product is the differentiator. If authentication is the binding constraint, look at Auth0, Clerk, or Stytch. If authorization is the binding constraint and you want one vendor for both, choose Authress.
Sources
- Authress Pricing, accessed 2026-04-22
- Authress Documentation, accessed 2026-04-22
What Authress is
Authress launched in 2020 in Auckland with an authorization-first thesis: most CIAM vendors treat authn as the headline product and authz as an afterthought, which leaves teams with serious permission requirements either running a second vendor (OpenFGA, Authzed, Permify) or building authz on top of CIAM RBAC primitives that do not scale. Authress builds the CIAM around Zanzibar-style ReBAC as the core, with authentication as the supporting layer.
Where Authress wins
Native ReBAC and FGA at a price point below Auth0 FGA or WorkOS FGA. B2B multi-tenant model with per-resource permission evaluation as the design center. Single vendor covers both authn and authz, which simplifies the architecture for teams that would otherwise run two services.
Where Authress hurts
Smaller community than incumbents; partner ecosystem is younger. Authentication features are competitive but not the differentiator. Compliance footprint is good for B2B (SOC 2, ISO 27001) but lacks HIPAA, FedRAMP, PCI DSS. For B2C consumer apps or for teams whose binding constraint is auth, look elsewhere.
How Authress compares
The closest comparisons are Auth0 vs Authress for the FGA-included CIAM choice and Authress vs WorkOS for the B2B-with-authz call. For pure authz services that pair with any CIAM, OpenFGA, Authzed, and Permify are the alternatives outside this index. For B2C focus, Auth0 and Stytch are the standard picks.
Editorial changelog (1 entry)
Profile reviewed: capabilities, pricing, and verdict checked against current public sources.
