2025-01-28

Hidden Costs of Auth: What Pricing Pages Don't Tell You

Authentication pricing pages look simple—until you get the bill. Learn about the hidden costs that surprise founders after they've committed, from MAU overages to SMS charges to enterprise add-ons.


Let me tell you about a founder I'll call Sarah. She launched her SaaS product with a popular authentication provider. Their pricing page was clear: free up to 5,000 users, then $25 per month for the Pro plan. Simple enough, right?

Six months later, she got a bill for $847.

What happened? The pricing page didn't mention that phone verification costs $0.04 per SMS, that SSO required a $100/month add-on, or that "5,000 users" actually meant "5,000 monthly active users"—and her app had 12,000 registered accounts, with 6,200 active that month. The overage fees alone were $240.

Sarah's experience isn't unique. Authentication pricing is designed to look affordable while hiding costs that only appear after you've integrated, migrated your users, and committed. This post reveals those hidden costs so you can make informed decisions before you're locked in.

The Pricing Page Illusion

Here's the thing about auth pricing pages: they're optimized to get you to sign up, not to show you what you'll actually pay. Every vendor knows that once you've integrated their SDK and migrated your users, switching providers is painful. The pricing page shows the hook—the real costs come later.

I'm not saying vendors are being dishonest (well, not all of them). But there's a difference between what's technically disclosed and what's clear to someone evaluating options at 11 PM while trying to ship their MVP.

Let's break down the hidden costs one by one.

Hidden Cost #1: MAU Counting Shenanigans

Most auth providers charge based on "Monthly Active Users" or MAU. Sounds straightforward, but here's where it gets tricky.

What Counts as "Active"?

Definitions vary wildly between providers:

  • Some vendors: Any user who creates a session (logs in)
  • Others: Any user whose token is validated (even from previous logins)
  • Still others: Any user whose data is accessed via API

Let's say you have 10,000 registered users. If 5,000 log in this month, that's 5,000 MAU, right? Maybe. But if your app validates their session tokens throughout the month (which any reasonable app does), some providers count every unique user whose token gets validated. Suddenly you might be at 8,000 MAU.
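The three definitions above give different numbers for the same month. The following Python is an added example, not code from this post or from any provider: it runs the three counting rules over a constructed list of auth events (the `EVENTS` list, the event names and the rule names are assumptions for illustration) and shows how one event stream yields 2, 3 or 5 MAU depending on which rule the vendor applies.

```python
from collections import defaultdict

# Constructed sample of one month's auth events (not real provider data).
# Each event: (ISO timestamp, user_id, event_type).
EVENTS = [
    ("2025-01-03T09:12:00", "u1", "login"),
    ("2025-01-03T09:12:05", "u1", "token_validated"),
    ("2025-01-15T11:00:00", "u1", "token_validated"),
    ("2025-01-04T08:00:00", "u2", "login"),
    ("2025-01-20T10:00:00", "u2", "token_validated"),
    ("2024-12-30T23:00:00", "u3", "login"),            # logged in last month...
    ("2025-01-10T12:00:00", "u3", "token_validated"),  # ...session still valid this month
    ("2025-01-11T12:00:00", "u4", "api_user_read"),    # u4's record read via the management API
    ("2025-01-12T12:00:00", "u5", "api_user_read"),
]

# The three "active" rules from the text, expressed as the event types that
# make a user count. Names are assumptions; map your vendor's event names here.
MAU_DEFINITIONS = {
    "session_created": {"login"},
    "token_validated": {"login", "token_validated"},
    "any_api_access":  {"login", "token_validated", "api_user_read"},
}


def mau_by_definition(events, month, definitions=MAU_DEFINITIONS):
    """Return {rule_name: distinct users counted} for the month 'YYYY-MM'."""
    seen = defaultdict(set)
    for ts, user, kind in events:
        if ts[:7] != month:          # only events inside the billing month
            continue
        for name, kinds in definitions.items():
            if kind in kinds:
                seen[name].add(user)  # sets give distinct users, so repeats don't inflate
    return {name: len(seen[name]) for name in definitions}


if __name__ == "__main__":
    for rule, count in mau_by_definition(EVENTS, "2025-01").items():
        print(f"{rule:>16}: {count} MAU")
```

Run the same function over an export of your own provider's event log, with its event names mapped onto the three rule sets, and you will know which of the three figures the invoice will use before the first bill arrives.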

The Pricing Cliff Problem

Here's the worst part. Many providers have dramatic pricing jumps:

MAU Range         | Monthly Cost | Per-User Cost
0-5,000 MAU       | Free         | $0
5,001-10,000 MAU  | $100/month   | Effectively $0.02
10,001-25,000 MAU | $300/month   | Effectively $0.02

Notice what happens when you go from 5,000 to 5,001 users? Your cost doesn't increase by a few cents—it jumps from $0 to $100. That's a cliff, not a slope. One additional user triggers a 100x cost increase.

Critical Question to Ask: "How exactly do you count MAUs? If a user logs in once but their session persists all month, is that one MAU or multiple? What happens if I hit 5,001 users—do I pay for the entire tier or just the overage?"

Hidden Cost #2: Feature Gating

The free tier looks generous until you realize it's missing features you'll actually need. Here are the most common gates:

Multi-Factor Authentication (MFA)

Almost every provider offers MFA, but check the pricing carefully:

  • Auth0: MFA included in free tier (good!)
  • Clerk: MFA requires $25/month Pro plan, plus $50/month MFA add-on
  • Some providers: MFA available but SMS/OTP costs extra (see Hidden Cost #3)

Enterprise SSO (SAML/OIDC)

This is the big one. If you want to sell to enterprises, you'll need SSO. But it's almost always gated behind expensive add-ons:

Provider | SSO Cost          | Requirements
Clerk    | $100/month add-on | On top of base plan
Auth0    | $240/year minimum | Essentials plan, billed annually
WorkOS   | $125/month        | Actually reasonable for first 1M users

The trap: You won't need SSO on day one. But the moment your first enterprise prospect asks "Do you support SSO?", you need to upgrade immediately. And you can't exactly pause the sales conversation to refactor your auth.

Advanced Security Features

Things like breached password detection, bot detection, and anomaly detection are often locked behind higher tiers or add-ons. These aren't just nice-to-haves—they're essential security features that should be standard.

Critical Question to Ask: "What features are included at each tier? If I need to add MFA or SSO later, what's the upgrade path and cost?"

Hidden Cost #3: SMS and OTP Charges

This one catches everyone off guard. You enable phone-based authentication or SMS-based two-factor auth, and suddenly you're getting charged per message.

Typical SMS Costs by Region

Region                 | SMS Cost per Message
Domestic (US)          | $0.01-$0.02
Canada                 | $0.01-$0.02
UK/Western Europe      | $0.03-$0.05
Latin America          | $0.05-$0.08
Asia/Africa            | $0.03-$0.10
Voice OTP (any region) | $0.02-$0.04

Doesn't sound like much, right? Let's do the math:

Real-World SMS Cost Example

Say you have 10,000 users sign up in a month, and 60% choose phone verification:

  • 10,000 × 60% = 6,000 phone verifications
  • 6,000 × $0.02 = $120 per month

Now add password resets via SMS (another 1,000 per month):

  • 1,000 × $0.02 = $20

And SMS-based login for returning users (5,000 per month):

  • 5,000 × $0.02 = $100

Total: $240/month in SMS costs—and that's with conservative US rates. If you have international users, costs can triple.

The Compounding Problem

SMS costs scale linearly with usage, but your revenue might not. If you're freemium, those 10,000 signups might convert to only 500 paying customers. You're paying SMS costs on all 10,000, but only 5% are generating revenue.

Critical Question to Ask: "What are your SMS/OTP rates by country? Are there volume discounts? Can I use my own Twilio account to control costs?"

Hidden Cost #4: Support Tier Upgrades

Here's what "support" means at each tier, translated from marketing speak:

Support Tier | What You Get                                            | What It Really Means                  | Typical Cost
Free tier    | Community forums, documentation, "best effort" response | Days or weeks, no guarantees          | Free
Basic paid   | Email support, 24-48 hour response                      | Business days only, no SLA            | $25-100/month
Premium      | Faster response, phone support, actual SLAs             | Someone will answer, eventually       | $500-1,500/month
Enterprise   | Dedicated engineer, 1-hour critical response            | What you actually need for production | $2,000-5,000/month

The Support Crisis Scenario

Here's when this matters: Your auth system goes down at 2 AM on a Saturday. Users can't log in. Your $25/month plan gets you a "we'll look at it Monday" response. Your business loses thousands in revenue while you wait.

Real Example: Auth0 Support Pricing

  • Developer (included): Community support only
  • Essentials ($240/year): Email support, 24-48hr response
  • Professional ($2,000/year): Phone support, 4-8hr response, 99.9% SLA
  • Enterprise (call sales): Dedicated team, 1-4hr response, 99.99% SLA

That's an $1,800 jump to get an SLA that actually protects your business.

Critical Question to Ask: "What support is included at each tier? What are the response time commitments? Is there an SLA, and what does it cover?"

Hidden Cost #5: Compliance Add-ons

Compliance requirements can trigger unexpected costs that significantly impact your budget:

HIPAA Compliance

  • BAA (Business Associate Agreement) is often locked behind enterprise plans
  • Some vendors charge $500-2,000/month extra for HIPAA-compliant infrastructure
  • You'll need the enterprise support tier anyway (additional cost)

SOC 2 Reports

  • Many vendors don't provide SOC 2 reports on free/basic tiers
  • Some charge $500-1,000 just to access the report
  • Penetration test reports? Those cost extra too

GDPR Features

  • Data export/deletion features might be self-service on higher tiers only
  • Some vendors charge for "right to be forgotten" automation
  • EU data residency requirements may require special configurations

Industry-Specific Compliance

  • PCI compliance for storing payment-related data
  • FedRAMP for government contracts (only a few providers even offer this)
  • Financial services regulations (FINRA, SEC)

Critical Question to Ask: "What compliance certifications do you have? Are BAAs, SOC 2 reports, and compliance features included in all tiers, or are there additional costs?"

Hidden Cost #6: Rate Limits and Fair Use

Every vendor has "unlimited" API calls—until you hit their unwritten "fair use" limit. Then you get throttled or forced to upgrade.

Typical Rate Limits by Tier

Tier       | Requests per Second | What This Means
Free tier  | 5-10 req/s          | ~15,000-30,000 logins/hour
Paid tier  | 50-100 req/s        | ~150,000-300,000 logins/hour
Enterprise | "Negotiable"        | Expensive custom limits

The Viral Traffic Problem

Real scenario: You're on a $25/month plan. Your app goes viral on Product Hunt. You get 50,000 signups in a day. Your auth provider throttles your API, new users can't sign up, and you lose the momentum. By the time you upgrade to handle the traffic, the spike is over.

Fair Use Policies: The Fine Print

Read the fine print carefully. Terms like "reasonable use" and "typical usage patterns" mean they can tell you you're using too much and force an upgrade. What's "too much"? They'll let you know when you hit it.

Critical Question to Ask: "What are your rate limits at each tier? What happens if I exceed them? Can I burst above limits during traffic spikes?"

Hidden Cost #7: Integration and Migration Time

This isn't a line item on the invoice, but it's a real cost: engineering time. And engineering time is expensive.

Initial Integration Cost

Task                  | Time Estimate | Cost at $100/hr
Reading documentation | 2-4 hours     | $200-400
Basic implementation  | 8-16 hours    | $800-1,600
Testing and debugging | 4-8 hours     | $400-800
UI customization      | 4-8 hours     | $400-800
Production deployment | 2-4 hours     | $200-400
Total                 | 20-40 hours   | $2,000-4,000

Migration Cost (If You Switch Providers)

Task                       | Time Estimate | Cost at $100/hr
Understanding new provider | 4-8 hours     | $400-800
Reimplementing auth flows  | 16-24 hours   | $1,600-2,400
Password hash migration    | 8-16 hours    | $800-1,600
Testing                    | 8-12 hours    | $800-1,200
Gradual rollout            | 4-8 hours     | $400-800
Total                      | 40-68 hours   | $4,000-6,800

Vendor Lock-In Economics

This is why vendors can increase prices—they know switching is painful. Your initial decision has a 2-3 year time horizon, not a month-to-month one. The migration cost acts as a barrier to switching even when pricing becomes unreasonable.

Critical Estimate: Plan for 20-80 engineering hours depending on complexity, not the "2-hour integration" the marketing site promises.

Hidden Cost #8: Scaling Penalties

Some pricing models penalize growth with confusing tier structures that look like discounts but aren't.

Volume "Discounts" That Aren't

MAU Range     | Per-User Rate  | Tier Cost | Cumulative Cost
0-10K MAU     | $0.02 per MAU  | $200      | $200
10K-50K MAU   | $0.018 per MAU | $720      | $920
50K-100K MAU  | $0.015 per MAU | $750      | $1,670

Look at the band sizes: going from 10,000 to 50,000 MAU (40,000 users) costs $720, while going from 50,000 to 100,000 MAU (50,000 users) costs $750. The per-user rate drops with each band, but each band also covers more users, so the dollar amount per band keeps rising. This is by design: it is presented as a volume discount, but its real job is to make the large absolute jumps look smaller than they are.

"Contact Sales" Thresholds

Once you hit 100K+ users, pricing disappears from the website. You have to talk to sales. This means:

  • Negotiated pricing (could be higher or lower, usually higher)
  • Annual contracts (no month-to-month flexibility)
  • Custom terms (volume commitments, penalties for downgrades)

Real example: Auth0 shows pricing up to 100K MAU ($1,800/month). Beyond that, "contact sales." In reality, some customers report being quoted $5,000-10,000/month for 250K-500K MAU—nearly 3x the implied rate.

Critical Question to Ask: "Show me the full pricing curve: what do I pay at 50K, 100K, 250K, 500K, 1M MAUs? When do I have to contact sales?"

The True Cost Calculator

Here's a framework for calculating actual costs before you commit:

Step 1: Calculate Base Subscription

Base subscription: $X/month (check which features are included)

Step 2: Add Recurring Costs

Use this checklist to identify hidden costs:

  • [ ] SMS/OTP costs: (estimated verifications per month) × (rate per message)
  • [ ] Overage fees: If you're near a tier boundary, assume you'll cross it
  • [ ] Feature add-ons: SSO ($50-100/mo), advanced MFA ($50/mo), etc.
  • [ ] Support upgrade: Do you need an SLA? Add $1,500-2,000/month
  • [ ] Compliance: BAAs, reports, certifications ($500-2,000/month)

Step 3: Add One-Time Costs

  • [ ] Integration engineering time: 20-80 hours × your blended rate
  • [ ] Migration costs (if switching providers later): 40-68 hours × blended rate

Step 4: Calculate Total Cost of Ownership

Total monthly cost = Base + recurring add-ons

Total first-year cost = (Total monthly cost × 12) + one-time costs

Cost as % of revenue = Total monthly cost ÷ Monthly recurring revenue

Example Calculation

Let's say you're evaluating a provider for 25,000 MAU:

Cost Component                      | Amount
Base subscription                   | $325/month
SMS costs (5,000 verifications/mo)  | $100/month
SSO add-on (for enterprise sales)   | $100/month
Support upgrade (for SLA)           | $166/month ($2,000/year)
Total Monthly Cost                  | $691/month
Integration cost (one-time)         | $3,000
Total First-Year Cost               | $11,292

If you're generating $5,000 MRR, that's 13.8% of revenue going to authentication. That's substantial.

Compare this against your revenue projections. If you're paying $500/month in auth costs but only generating $2,000/month in revenue, that's 25% of revenue on auth alone—likely unsustainable.
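To make the framework concrete, here is an added Python example (not the post's own calculator and not any vendor's pricing engine) that implements Steps 1 through 4 together with the two tier models discussed earlier: the flat tier cliff from Hidden Cost #1 and the graduated per-user bands from Hidden Cost #8. The tier table, band rates and input values are constructed from the figures in this post; the function and field names are assumptions.

```python
from dataclasses import dataclass, field

# --- Flat tiered ("cliff") pricing, Hidden Cost #1 ---
# Constructed table in the shape of the post's MAU table, not a real vendor's prices.
# (max_mau, monthly_price); a trailing (None, None) marks "contact sales".
CLIFF_TIERS = [(5_000, 0.0), (10_000, 100.0), (25_000, 325.0), (100_000, 1_800.0), (None, None)]


def tier_cost(mau, tiers=CLIFF_TIERS):
    """Monthly subscription on a flat tiered plan: you pay for the whole tier you land in."""
    for max_mau, price in tiers:
        if max_mau is None:
            raise ValueError(f"{mau} MAU is above published pricing: contact sales")
        if mau <= max_mau:
            return price
    raise ValueError("tier table must end with a (None, None) sentinel")


def marginal_cost_of_next_user(mau, tiers=CLIFF_TIERS):
    """Change in the bill if MAU grows by exactly one user: the cliff at a boundary."""
    return tier_cost(mau + 1, tiers) - tier_cost(mau, tiers)


# --- Graduated per-user bands, Hidden Cost #8 ---
# (band_upper_bound, rate_per_mau), using the figures from the post's volume-discount table.
GRADUATED_BANDS = [(10_000, 0.02), (50_000, 0.018), (100_000, 0.015)]


def graduated_cost(mau, bands=GRADUATED_BANDS):
    """Cumulative monthly cost when each band of users is billed at that band's rate."""
    total, lower = 0.0, 0
    for upper, rate in bands:
        if mau <= lower:
            break
        total += (min(mau, upper) - lower) * rate
        lower = upper
    if mau > lower:  # past the last published band
        raise ValueError(f"{mau} MAU exceeds the published bands: contact sales")
    return total


# --- True cost of ownership, Steps 1-4 ---
@dataclass
class AuthCostInputs:
    mau: int
    sms_per_month: int                  # verifications + resets + SMS logins
    sms_rate: float                     # $ per message; use your worst-priced region
    addons_monthly: dict = field(default_factory=dict)   # e.g. {"sso": 100.0}
    support_annual: float = 0.0         # annual price of the support tier you need
    integration_hours: float = 0.0      # one-time engineering time
    hourly_rate: float = 100.0          # blended engineering rate
    mrr: float = 0.0                    # monthly recurring revenue, for the % check


def true_cost(inp, tiers=CLIFF_TIERS):
    """Step 1 base, Step 2 recurring add-ons, Step 3 one-time, Step 4 totals."""
    base = tier_cost(inp.mau, tiers)
    sms = inp.sms_per_month * inp.sms_rate
    addons = sum(inp.addons_monthly.values())
    support = inp.support_annual / 12
    monthly = base + sms + addons + support
    one_time = inp.integration_hours * inp.hourly_rate
    return {
        "base": base, "sms": sms, "addons": addons, "support": round(support, 2),
        "monthly": round(monthly, 2),
        "one_time": one_time,
        "first_year": round(monthly * 12 + one_time, 2),
        "pct_of_revenue": round(monthly / inp.mrr * 100, 1) if inp.mrr else None,
    }


if __name__ == "__main__":
    # The post's worked example: 25,000 MAU, 5,000 SMS at $0.02, SSO add-on,
    # $2,000/year support, 30 engineering hours at $100/hr, $5,000 MRR.
    example = AuthCostInputs(mau=25_000, sms_per_month=5_000, sms_rate=0.02,
                             addons_monthly={"sso": 100.0}, support_annual=2_000.0,
                             integration_hours=30, mrr=5_000.0)
    for k, v in true_cost(example).items():
        print(f"{k:>15}: {v}")
    print("cliff at 5,000 MAU: +$", marginal_cost_of_next_user(5_000))
    print("graduated cost at 100K MAU: $", graduated_cost(100_000))
```

The post's table rounds the support line down to $166/month and so shows $691 and $11,292; the code keeps the exact $2,000/12 = $166.67, which gives $691.67 and $11,300, with the same 13.8% of revenue. Swap in your candidate provider's published tiers and your worst-priced region's `sms_rate`; the `ValueError` raised by `tier_cost` or `graduated_cost` marks the point where the website stops publishing numbers and says "contact sales".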

Red Flags to Watch For

When evaluating providers, watch for these warning signs:

🚩 Red Flag Checklist

  • [ ] "Contact us" where pricing should be: Means they'll charge whatever they think you can pay
  • [ ] Dramatic tier jumps: Going from $0 to $100 for one extra user is a red flag
  • [ ] Vague MAU definitions: "Active users" without specifics means surprise bills
  • [ ] Hidden SMS costs: If SMS pricing isn't on the main pricing page, dig deeper
  • [ ] Feature gates on security: Basic security (MFA, breached password detection) should be standard, not upsold
  • [ ] No self-service: If you have to talk to sales to enable a feature, expect high prices
  • [ ] No pricing beyond 100K users: Lack of transparency suggests expensive enterprise pricing
  • [ ] Annual commitments required: Locks you in even if costs become unreasonable
  • [ ] Unclear support SLAs: "Best effort" means no guarantees

If you see 3+ of these red flags, proceed with extreme caution.

Our Approach to Pricing (Honest Edition)

We have costs too—we want to be transparent about them:

What Costs Us Money (And Therefore Costs You Money)

  • SMS/OTP messages: We pass through costs at our volume rate (typically $0.008-0.015 per domestic SMS)
  • Infrastructure: We run on AWS, and high availability costs money
  • Compliance: SOC 2 audits, penetration tests, security monitoring

What Doesn't Cost Extra

  • SSO/SAML: Included in paid plans (no $100/month add-on)
  • MFA: Included in all plans (except SMS costs, which we disclose)
  • Standard support: Included with paid plans (24-hour response time)
  • Security features: Breached password detection, rate limiting, etc. all included
  • API usage: No rate limits based on tier (fair use applies to prevent abuse, but we're generous)

Our Pricing (As of 2025)

Plan  | MAU Limit     | Price          | What's Included
Free  | Up to 5,000   | $0             | Social login, MFA (non-SMS), all security features
Pro   | Up to 10,000  | $25/month      | Priority support (24hr response), SSO included
Scale | Up to 100,000 | $199/month     | Same features, faster support (8hr response)
SMS   | Pay as you go | $0.01/domestic | Actual international costs (we publish the rate card)

We publish everything because we think hidden costs are bad for customers and bad for trust. No surprise bills, ever.

Questions to Ask Every Vendor

Before committing, get answers to these 10 critical questions:

  1. "How do you count MAUs? If a user logs in once but stays logged in, is that one MAU or multiple?"
  2. "What's the exact cost if I exceed my tier by 1 user? By 10%? By 50%?"
  3. "What features require tier upgrades? Specifically: MFA, SSO, breached password detection, bot detection?"
  4. "What are your SMS/OTP rates by country? Can I see the complete rate card?"
  5. "What support is included? What's the response time? Is there an SLA?"
  6. "What compliance certifications do you have, and are they included in all tiers?"
  7. "What are your API rate limits at each tier?"
  8. "Show me the pricing curve from 10K to 1M MAUs—no 'contact sales' gaps."
  9. "If I need to migrate away, do you support exporting password hashes? What format?"
  10. "What happens during traffic spikes? Do you throttle, or do I get charged overage?"

If a vendor can't or won't answer these clearly, that's a red flag. Transparent vendors welcome these questions.

Making an Informed Decision

Here's the thing: I'm not saying all these costs are unfair. Running authentication infrastructure is expensive and complex. Vendors need to make money to deliver reliable service.

But you deserve to know what you're actually going to pay before you integrate, migrate users, and lock yourself in for years.

Hidden costs aren't just about money—they're about trust. When a founder feels surprised by a bill, it damages the relationship with the vendor. Transparent pricing, even when it's higher, builds trust and long-term relationships.

So before you pick an auth provider based on a clean-looking pricing page, do the math on the actual costs. Ask the uncomfortable questions. Get the answers in writing (email or sales call notes count).

Your future self (and your CFO) will thank you.

Summary Checklist

Before committing to an auth provider:

  • [ ] Understand exactly how MAUs are counted (get specifics in writing)
  • [ ] Calculate SMS/OTP costs for your expected volume (multiply by 2x for safety)
  • [ ] Confirm which features require tier upgrades (especially MFA, SSO)
  • [ ] Check support response times and SLAs (free tier rarely has guarantees)
  • [ ] Verify compliance certifications are included (not add-ons)
  • [ ] Understand rate limits and fair use policies (test with expected traffic)
  • [ ] Get pricing for 2-3x your current scale (plan for growth)
  • [ ] Calculate total first-year cost including engineering time (use table above)
  • [ ] Ask about migration support (password hashes, data export formats)
  • [ ] Read the contract's price increase terms (annual increases are common)

Don't sign until you understand the total cost—not just the number on the pricing page.


Ready for transparent pricing? Compare our pricing: AuthHero publishes all our costs upfront—no surprise bills, no hidden add-ons, no "contact sales" pricing gaps.