Curity
Last verified 2026-05-30 · Reviewed by guptadeepak
Editorial verdict
Curity is the standards-purist enterprise CIAM in 2026, among the most spec-correct OAuth 2.0 / OIDC implementations available, with strong FAPI and Open Banking support that suits financial services and regulated workloads. The configuration-as-code model treats identity like infrastructure-as-code, which appeals to engineering-mature enterprises. Outside the standards-correctness or FAPI use cases, the enterprise pricing and learning curve make broader-scope CIAM (Auth0, Ping) more practical.
At a glance
- Best for: Financial services and Open Banking deployments needing FAPI compliance
- Pricing: enterprise-quote
- Free tier: Unlimited
- Deployment: cloud-saas, self-hosted, on-prem
- SOC 2 Type II: Yes
- Passkeys: Native
- Self-host: Yes
- Open source: No
Funding & business
- Funding model: Venture-backed
- Total raised: Undisclosed
- Latest round: Series A · 2023
- Years in business: 11 yrs
- Round led by: GRO Capital
- Profitable: Not disclosed
Investors
Stockholm-based OAuth/OIDC token-server specialist; growth round led by GRO Capital (2023), amount undisclosed.
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Among the most spec-correct OAuth 2.0 / OIDC implementations in the industry, used by financial services and regulated workloads needing strict standards compliance.
- Strong on financial-grade APIs (FAPI) and Open Banking specifications, uncommon outside the most enterprise-focused vendors.
- Configuration-as-code model (XML or CLI) treats identity configuration like infrastructure-as-code, with full audit and version control.
- EU-headquartered with EU data residency.
Limitations
- Enterprise-only commercial editions with opaque pricing; Community Edition has feature limits.
- Configuration-as-code model has a learning curve compared to admin-UI-driven competitors.
- Smaller community than incumbent enterprise CIAM.
- No FedRAMP, no PCI DSS direct attestation.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Curity |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | Yes |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Yes |
| Passwordless-only flows | Yes |
| Adaptive MFA | Yes |
| Step-up auth | Yes |
| RBAC | Yes |
| ABAC | Yes |
| ReBAC | No |
| FGA engine | No |
| API authorization | Yes |
| Fine-grained permissions | Yes |
| Self-service registration | Yes |
| Progressive profiling | Partial |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, java, python, go, dotnet |
| CLI | Yes |
| Terraform provider | Yes |
| Local emulator | Yes |
| Extension model | Plugins (Java) + Configuration as Code (XML / CLI) |
| Bot detection | No |
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | Partial |
| Log streams | Yes |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Yes |
| Post-quantum roadmap | Yes |
| MCP support | Partial |
| OAuth 2.1 | Yes |
| Dynamic client registration | Yes |
| Agent vs human token separation | Partial |
| Web Bot Auth | No |
| SOC 2 Type II | Yes |
| ISO 27001 | Yes |
| ISO 27018 | No |
| HIPAA | Yes |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |
| Consent management | Yes |
| Preference center | Yes |
| Purpose-specific consent | Yes |
| Integrates with CMPs | n/a |
Pricing
| MAU | Estimated price |
|---|---|
| 10,000 MAU | Quote required |
| 100,000 MAU | $4,500/mo |
| 500,000 MAU | $14,000/mo |
| 1,000,000 MAU | $25,000/mo |
- Curity Identity Server Community Edition is free (with feature limits)
- Standard / Enterprise / Pro editions priced via enterprise quote
- Strong fit for OAuth-and-OIDC-spec-correct deployments and financial services
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Financial services and Open Banking deployments needing FAPI compliance
- Standards-purist deployments needing spec-correct OAuth / OIDC
- EU-based regulated workloads needing on-prem deployment with sovereignty
Not for
- Greenfield SaaS prioritizing developer velocity over standards depth
- Workloads requiring FedRAMP authorization
- Teams uncomfortable with configuration-as-code identity management
FAQ
- What is FAPI and why does it matter?
- FAPI (Financial-grade API) is a profile of OAuth 2.0 / OIDC for high-security financial scenarios such as Open Banking, payment APIs, and fintech. It tightens token, signing, and client-registration requirements beyond stock OAuth. Curity is among the most widely deployed CIAM products in production FAPI deployments globally.
- Is Curity Community Edition usable for production?
- Yes, within the feature limits: basic OAuth / OIDC, password authentication, and standard flows are supported. Production B2C or B2B SaaS deployments typically need the Standard or higher edition for advanced authentication, custom flows, and clustering.
- How does Curity compare to Ping Identity?
- Both are enterprise-focused with strong on-prem deployment options. Curity is materially smaller, more standards-purist, and EU-headquartered; Ping is larger, more federation-broad, and US-headquartered with FedRAMP. For FAPI / Open Banking specifically, Curity is often the better choice; for general enterprise federation, Ping has broader reach.
Sources
- Curity Identity Server documentation, accessed 2026-04-22
- Curity products, accessed 2026-04-22
What Curity is
Curity launched in 2015 in Stockholm with a standards-purist thesis: the OAuth 2.0 and OIDC specifications had matured enough to enable a CIAM built around spec-correctness, particularly for financial services and Open Banking scenarios that require Financial-grade API (FAPI) compliance. The product is the Curity Identity Server, sold in Community (free with feature limits), Standard, Enterprise, and Pro editions.
Where Curity wins
Curity is among the most spec-correct OAuth 2.0 / OIDC implementations available, which matters in regulated environments where strict standards compliance must be auditable. Its FAPI and Open Banking support is strong and uncommon outside the most enterprise-focused vendors. Configuration-as-code treats identity like infrastructure-as-code, with full audit and version control. The company is EU-headquartered and offers EU data residency.
Where Curity hurts
Enterprise-only commercial editions with opaque pricing exclude mid-market evaluation, although the Community Edition (free with feature limits) provides a partial on-ramp for proof-of-concept work. The configuration-as-code model imposes a learning curve compared to admin-UI-driven competitors, particularly for teams used to Auth0's dashboard or Okta's console. The community is smaller than incumbent enterprise CIAM like Ping or ForgeRock, which means fewer Stack Overflow answers and fewer partner integrations. No FedRAMP authorization, no PCI DSS direct attestation.
How Curity compares
The closest comparisons are Auth0 vs Curity, Ping Identity vs Curity, and Curity vs ForgeRock for the standards-correctness call. For OSS alternatives with similar deployment autonomy, Keycloak and WSO2 IS are the comparisons.
