Four tiers ship today: Free, Starter, Pro, Enterprise. Each tier carries a different cap profile across quotas, feature flags, and rate limits. This page documents what each tier includes.
The Billing surface in the console (/dashboard/billing) isn't fully wired yet for self-serve upgrades. To move between tiers right now, contact your IntelliAuth account team. The cap profiles below are accurate, but the UI for changing tiers will land in a future release.
At a glance
| Cap | Free | Starter | Pro | Enterprise |
|---|---|---|---|---|
| Active tenants per org | 3 | 25 | 100 | Unlimited |
| Users per tenant | 1,000 | 10,000 | 100,000 | Unlimited |
| MFA enrollments per tenant | 100 | 5,000 | Unlimited | Unlimited |
| Audit retention | 30 days | 1 year | 3 years | 7 years |
| Members per org | 5 | 25 | 100 | Unlimited |
| Custom domains per tenant | — | 1 | 5 | Unlimited |
| Webhook subscriptions per tenant | — | 5 | 50 | Unlimited |
"Unlimited" in practice means caps high enough you won't reach them in normal operation.
Feature flags by tier
| Feature | Free | Starter | Pro | Enterprise |
|---|---|---|---|---|
| Email + password authentication | ✓ | ✓ | ✓ | ✓ |
| Social federation (Google, GitHub, Microsoft, Apple) | ✓ | ✓ | ✓ | ✓ |
| MFA (TOTP, SMS) | ✓ | ✓ | ✓ | ✓ |
| WebAuthn / passkeys | — | ✓ | ✓ | ✓ |
| SAML federation | — | — | ✓ | ✓ |
| Custom domains | — | ✓ | ✓ | ✓ |
| Webhook subscriptions | — | ✓ | ✓ | ✓ |
| Per-tenant plan overrides | — | — | ✓ | ✓ |
| Audit log export (CSV / JSON) | — | ✓ | ✓ | ✓ |
| Adaptive (risk-based) MFA | — | — | ✓ | ✓ |
| Custom MFA factors | — | — | — | ✓ |
| SSO into the control plane | — | — | — | ✓ |
| Multi-region tenants | — | — | — | ✓ |
| 24/7 phone support | — | — | — | ✓ |
A "—" means the feature isn't available on that tier. Members on a tier without a feature won't see the corresponding UI surface in the console.
Where rate limits land
Rate limits are documented separately in Rate limits. At the highest level: each tier gets a requests-per-minute ceiling on the public authentication API, with Enterprise scaling roughly linearly with reserved capacity.
What's the right tier?
A rule of thumb, not a hard recommendation:
- Free — proof of concept, internal-only auth, evaluating IntelliAuth.
- Starter — small product launches, single-tenant deployments, low-volume B2C.
- Pro — multi-tenant SaaS at moderate scale, SAML-needing customers, audit export for compliance.
- Enterprise — large multi-tenant platforms, custom factors, multi-region needs, 24/7 support.
If you're between tiers (Starter's user cap fits but you need SAML), the cleaner move is usually the higher tier — the cap profile is over-provisioned but the feature set unlocks what you actually want.
Downgrade constraints
A downgrade is constrained by your current usage. The platform refuses a downgrade if it would put you over the new tier's caps. For example:
- You're on Pro with 30 tenants. You can't downgrade to Starter (cap 25) until you decommission 5 tenants.
- You're on Pro with SAML federations active. You can't downgrade to Starter (SAML unavailable) until you remove those federations.
The downgrade page surfaces the specific blockers so you know what to trim.
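To pre-check a downgrade before contacting the account team, the sketch below evaluates current usage against the cap and feature tables on this page and lists the blockers. It is an added example, not IntelliAuth code or an IntelliAuth API: the function name, the cap and feature keys, and the choice to model "—" as 0, "Unlimited" as infinity, and per-tenant caps by the busiest tenant are all assumptions.

```python
import math

TIERS = ["free", "starter", "pro", "enterprise"]  # lowest to highest

# Caps per tier, in TIERS order, transcribed from the "At a glance" table.
# Assumption of this sketch: "—" is 0 and "Unlimited" is math.inf.
CAPS = {
    "active_tenants":      [3, 25, 100, math.inf],
    "users_per_tenant":    [1_000, 10_000, 100_000, math.inf],
    "mfa_per_tenant":      [100, 5_000, math.inf, math.inf],
    "org_members":         [5, 25, 100, math.inf],
    "domains_per_tenant":  [0, 1, 5, math.inf],
    "webhooks_per_tenant": [0, 5, 50, math.inf],
}

# Lowest tier that includes each gated feature, from the feature-flag table.
# Key names are hypothetical labels for the table rows.
FEATURE_MIN_TIER = {
    "webauthn": "starter", "custom_domains": "starter", "webhooks": "starter",
    "audit_export": "starter", "saml": "pro", "plan_overrides": "pro",
    "adaptive_mfa": "pro", "custom_mfa_factors": "enterprise",
    "control_plane_sso": "enterprise", "multi_region": "enterprise",
}


def downgrade_blockers(target, usage, active_features):
    """Return the reasons a move to `target` would be refused (empty if none).

    usage: cap name -> current value (per-tenant caps: the busiest tenant).
    active_features: names of features currently in use.
    """
    idx = TIERS.index(target)
    blockers = []
    for cap, per_tier in CAPS.items():
        used, limit = usage.get(cap, 0), per_tier[idx]
        if used > limit:
            blockers.append(f"{cap}: {used} in use, cap {limit}; remove {used - limit}")
    for feature in sorted(active_features):
        # Features missing from the map are treated as available on every tier.
        if TIERS.index(FEATURE_MIN_TIER.get(feature, "free")) > idx:
            blockers.append(f"{feature}: not available on {target}")
    return blockers


# Constructed usage matching the two examples above: 30 tenants, SAML active.
if __name__ == "__main__":
    for line in downgrade_blockers("starter", {"active_tenants": 30}, {"saml"}):
        print(line)
```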