Tesseral
Last verified 2026-05-15 · Reviewed by guptadeepak
Editorial verdict
Tesseral is a 2024-vintage entrant in B2B-SaaS-OSS CIAM, with both managed cloud and self-hosted Apache 2.0 deployments. Smaller and younger than incumbents, but the pricing model and OSS option are competitive for early-stage B2B SaaS that wants the optionality. Worth shortlisting alongside Zitadel and SSOJet for B2B-only SaaS that values OSS self-host.
At a glance
- Best for: B2B SaaS startups that want OSS self-host as an option without taking on Keycloak operational weight
- Pricing: tiered-mau
- Free tier: 10,000 MAU
- Deployment: cloud-saas, self-hosted
- SOC 2 Type II: Yes
- Passkeys: Native
- Self-host: Yes
- Open source: No
Funding & business
- Funding model: Venture-backed
- Total raised: $3.3M
- Latest round: Seed · $3.3M · 2025
- Years in business: 2 yrs
- Round led by: Y Combinator
- Profitable: Not disclosed
Open-source B2B auth infrastructure; $3.3M seed at launch (2025).
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- B2B SaaS focus with both managed cloud and open-source self-hosted deployments from one product.
- Modern Go-based architecture with idiomatic React/Next.js SDKs.
- Apache 2.0 licensed self-hosted edition, strict OSS compliance.
- Built B2B Organizations and tenant-aware login URLs into the core data model.
Limitations
- Very young (2024), small customer base, limited battle-test coverage.
- Compliance footprint is narrow: SOC 2 Type II only on the managed product.
- B2C consumer features are minimal.
- Smaller ecosystem than WorkOS or Frontegg.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Support |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | No |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | No |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Partial |
| Passwordless-only flows | Yes |
| Adaptive MFA | No |
| Step-up auth | Partial |

| Capability | Support |
|---|---|
| RBAC | Yes |
| ABAC | No |
| ReBAC | No |
| FGA engine | No |
| API authorization | Yes |
| Fine-grained permissions | Partial |

| Capability | Support |
|---|---|
| Self-service registration | Yes |
| Progressive profiling | No |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |

| Capability | Support |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, next, go, python |
| CLI | Yes |
| Terraform provider | No |
| Local emulator | Yes |
| Extension model | Webhooks + custom claims |

| Capability | Support |
|---|---|
| Bot detection | No |
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | No |
| Log streams | Partial |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Partial |
| Post-quantum roadmap | No |

| Capability | Support |
|---|---|
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | No |
| Agent vs human token separation | No |
| Web Bot Auth | No |

| Capability | Support |
|---|---|
| SOC 2 Type II | Yes |
| ISO 27001 | No |
| ISO 27018 | No |
| HIPAA | No |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |

| Capability | Support |
|---|---|
| Consent management | No |
| Preference center | No |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| Monthly active users | Estimated price |
|---|---|
| 10,000 MAU | $0/mo |
| 100,000 MAU | $290/mo |
| 500,000 MAU | $1,300/mo |
| 1,000,000 MAU | $2,500/mo |
- Open-source self-hosted edition available
- Managed Cloud priced per-MAU with B2B Organizations included
- Pre-built UI components in Next.js + React SDKs
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- B2B SaaS startups that want OSS self-host as an option without taking on Keycloak operational weight
- Teams comparing modern OSS B2B CIAM
- Apps that may need to switch between managed and self-hosted later
Not for
- B2C consumer apps
- Workloads requiring HIPAA, FedRAMP, ISO 27001, or PCI DSS
- Mid-large enterprise federation needs
FAQ
- How does Tesseral compare to Zitadel?
- Both are modern OSS B2B CIAM with managed and self-hosted options. Zitadel is more mature and has a larger feature surface; Tesseral is younger with tighter B2B-SaaS scope. For 2026 evaluations, Zitadel is the lower-risk pick; Tesseral is worth watching.
- Is Tesseral fully open source?
- Yes, Apache 2.0 self-hosted Community edition. Tesseral Cloud is the managed offering; both share the same codebase.
- Should I pick Tesseral over WorkOS?
- WorkOS is more mature and battle-tested. Tesseral's differentiator is the OSS self-host option WorkOS does not offer. For teams that want managed-only with maximum maturity, WorkOS; for OSS optionality, Tesseral.
Sources
- Tesseral Pricing, accessed 2026-04-22
- Tesseral Documentation, accessed 2026-04-22
What Tesseral is
Tesseral launched in 2024 as a B2B-SaaS-focused CIAM with both managed (Tesseral Cloud) and Apache 2.0 self-hosted Community editions sharing the same codebase. The thesis is similar to Zitadel's, modern OSS plus managed offering, but with tighter B2B-SaaS scope and Next.js / React-first DX.
Where Tesseral wins
Both deployment options from one product. Strict Apache 2.0 OSS licensing on the self-hosted edition. Modern Go-based architecture. Built B2B Organizations and tenant-aware login URLs into the core.
Where Tesseral hurts
Tesseral is very young: a 2024 founding means a small customer base and limited battle-test coverage compared to incumbents. The compliance footprint is narrow, with SOC 2 Type II only on the managed product and no ISO 27001 / HIPAA / FedRAMP / PCI DSS attestations. B2C consumer features are minimal; the product is intentionally B2B-multi-tenant-shaped. For mid-large enterprise federation or for B2C consumer apps with serious progressive profiling and fraud needs, look elsewhere.
How Tesseral compares
The closest comparisons are Tesseral vs Zitadel, Tesseral vs WorkOS, and Tesseral vs SSOJet for the modern-B2B-CIAM call. For broader OSS without managed-cloud, Keycloak and Ory are the alternatives.
Editorial changelog (1 entry)
Full profile review: capability matrix, TCO bands, and editorial verdict re-verified against current public sources.