SlashID
Last verified 2026-04-24 · Reviewed by guptadeepak
Editorial verdict
SlashID is a 2022-vintage passwordless-first developer CIAM with API-first design and EU-sovereign positioning. Smaller and younger than incumbents, with narrower compliance, but the passwordless-by-default thesis and clean API surface are competitive for greenfield projects committed to the model. Worth shortlisting alongside Stytch and Hanko for passwordless-first B2C and B2B SaaS at startup scale.
At a glance
- Best for: Greenfield apps committed to passwordless from day one
- Pricing: tiered-mau
- Free tier: 5,000 MAU
- Deployment: cloud-saas
- SOC 2 Type II: Yes
- Passkeys: Native
- Self-host: No
- Open source: No
Funding & business
- Funding model: Venture-backed
- Total raised: $8.8M
- Latest round: Seed · $8.8M · 2022
- Years in business: 4 yrs
- Round led by: Alven
- Profitable: Not disclosed
Composable identity/token platform founded by ex-offensive-security engineers; $8.83M seed (2022).
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Passwordless-by-default: passwords are not part of the default flow, removing a class of legacy auth concerns.
- API-first design with idiomatic SDKs across major languages.
- EU-headquartered with EU data residency.
- Per-MAU pricing model favorable for early-stage SaaS.
Limitations
- Very young (2022), small customer base, limited battle-test coverage.
- Compliance footprint is narrow, SOC 2 only.
- No native FGA, no adaptive MFA, no managed bot defense.
- Smaller community than developer-first incumbents.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Support |
|---|---|
| Password authentication | No |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | No |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Partial |
| Passwordless-only flows | Yes |
| Adaptive MFA | No |
| Step-up auth | Partial |

| Capability | Support |
|---|---|
| RBAC | Yes |
| ABAC | No |
| ReBAC | No |
| FGA engine | No |
| API authorization | Yes |
| Fine-grained permissions | Partial |

| Capability | Support |
|---|---|
| Self-service registration | Yes |
| Progressive profiling | No |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |

| Capability | Support |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, next, python, go |
| CLI | Yes |
| Terraform provider | No |
| Local emulator | No |
| Extension model | Webhooks + custom auth flows |

| Capability | Support |
|---|---|
| Bot detection | No |
| Breached password detection | No |
| Brute-force protection | Yes |
| Anomaly detection | No |
| Log streams | Partial |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Yes |
| Post-quantum roadmap | No |

| Capability | Support |
|---|---|
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | No |
| Agent vs human token separation | No |
| Web Bot Auth | No |

| Capability | Support |
|---|---|
| SOC 2 Type II | Yes |
| ISO 27001 | No |
| ISO 27018 | No |
| HIPAA | No |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |

| Capability | Support |
|---|---|
| Consent management | No |
| Preference center | No |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| MAU | Estimated price |
|---|---|
| 10,000 MAU | $49/mo |
| 100,000 MAU | $350/mo |
| 500,000 MAU | $1,400/mo |
| 1,000,000 MAU | $2,700/mo |
- Passwordless-first design, no passwords by default
- Per-MAU pricing with B2B Organizations included
- API-first product surface
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Greenfield apps committed to passwordless from day one
- Early-stage B2B SaaS that wants modern API-first auth
- EU-based products needing GDPR-first design
Not for
- Workloads requiring HIPAA, FedRAMP, ISO 27001, or PCI DSS
- Apps requiring password fallback for legacy compatibility
- Mid-large enterprise federation needs
FAQ
- What does SlashID's passwordless-by-default mean?
- Passwords are not part of the default registration or login flow. Users authenticate via magic links, OTP, social login, or passkeys. Teams can opt into passwords if needed for legacy compatibility, but the design center assumes passwordless. This contrasts with most CIAM products, where passwords are the default and passkeys are added on top.
- How does SlashID compare to Stytch?
- Both are passwordless-first developer CIAM. Stytch is more mature (2020 launch, Twilio-backed since 2025) with broader features and customer base; SlashID is younger, EU-headquartered, and more aggressively scoped to API-first design. For US-based customers, Stytch wins on maturity; for EU-sovereign or smaller-deployment use cases, SlashID is a credible pick.
- Is SlashID a fit for B2C consumer apps?
- Yes for greenfield consumer apps committed to passwordless. The B2C feature set is more limited than Auth0 or Stytch on progressive profiling and fraud signals; for high-fraud-pressure consumer apps, look at Auth0 with Authsignal or Transmit Security.
Sources
- SlashID Pricing, accessed 2026-04-22
- SlashID Developer Documentation, accessed 2026-04-22
What SlashID is
SlashID launched in 2022 in London with a passwordless-by-default thesis: most CIAM products ship passwords as the default and add passkeys or other passwordless methods on top, which preserves the legacy attack surface. SlashID inverts this: the default flow is passwordless, with passwords available as opt-in for legacy compatibility. The product is API-first with clean SDK ergonomics and EU data residency.
Where SlashID wins
Passwordless-by-default removes a category of attack surface and aligns with the 2026 industry direction toward passkey-first auth. API-first design with idiomatic SDKs. EU-headquartered with EU data residency. Per-MAU pricing favorable for early-stage SaaS.
Where SlashID hurts
Very young, small customer base, narrow compliance (SOC 2 only). No native FGA, no adaptive MFA, no managed bot defense. Smaller community than incumbents.
How SlashID compares
SlashID positions itself between Stytch (more mature, US-headquartered, broader feature set) and Hanko (open-source, passkey-orchestration-first) on the passwordless-first spectrum. The differentiators are EU-sovereign data residency by default and a strict passwordless-by-default product design that Stytch and Hanko both opt into rather than enforce. The closest direct comparisons are Stytch vs SlashID, Auth0 vs SlashID, and Hanko vs SlashID. For broader OSS-leaning passwordless, Hanko is the alternative.
Editorial changelog (1 entry)
Routine profile review: capabilities, pricing, and editorial verdict re-verified.
