Open-source auth & billing platform

Ship auth, billing, and RBAC
in one weekend

AuthGate is the open-source platform that gives your SaaS authentication, billing, RBAC, and organization management — configured in TypeScript, deployed anywhere.

Start buildingView on GitHub
auth.ts

Works with your stack

One platform, three pillars

Everything your SaaS needs, nothing it doesn't.

Authentication

5 OAuth providers, email/password, magic links, MFA, session management. Drop-in React hooks and Next.js middleware.

Google
GitHub
Discord
Apple

Billing-as-Code

Define plans in TypeScript, sync to Stripe via CLI. Entitlements, usage tracking, hybrid pricing — all version-controlled.

authgate.billing.ts
export default defineBilling({
  // Your plans here
})
Stripe Synced

Organizations & RBAC

Multi-tenant orgs with RBAC-as-code. Define roles and permissions in TypeScript, sync with one command, enforce with type-safe hooks.

Acme Corp
Admin
jane@acme.com
Developer
bob@acme.com
alice@acme.com
Viewer
guest@partner.com

Authentication that just works

From OAuth to MFA in minutes, not months

Multi-provider OAuth

Google, GitHub, Discord, Azure, Apple with zero config.

Email + magic links + SMS

Multiple auth methods for every user preference.

MFA policies

TOTP, SMS, backup codes. Enforce per role or globally.

Session management

JWT + refresh tokens, revocation, configurable expiry.

app/api/auth/[...authgate]/route.ts
// app/api/auth/[...authgate]/route.ts
import { AuthGate } from '@auth-gate/nextjs'

const auth = AuthGate({
  providers: ['google', 'github', 'discord'],
})

export const { GET, POST } = auth.handlers

Billing-as-Code

Define your pricing in TypeScript. Sync to Stripe with one command. No billing surcharge — ever.

authgate.billing.ts
import { defineBilling } from '@auth-gate/billing'

export default defineBilling({
  features: {
    api_calls: { type: 'metered', resetPeriod: 'monthly' },
    analytics: { type: 'boolean' },
  },
  plans: {
    starter: {
      name: 'Starter',
      entitlements: { api_calls: { limit: 1000 } },
      prices: [
        { amount: 999, currency: 'usd', interval: 'monthly' },
        { amount: 9999, currency: 'usd', interval: 'yearly' },
      ],
    },
    pro: {
      name: 'Pro',
      entitlements: {
        api_calls: { limit: 50000 },
        analytics: true,
      },
      prices: [
        { amount: 2999, currency: 'usd', interval: 'monthly' },
        { amount: 29999, currency: 'usd', interval: 'yearly' },
      ],
    },
  },
})
Terminal
$ npx @auth-gate/billing sync

AuthGate Billing Sync — DRY RUN

+ CREATE plan "starter"
  entitlements: api_calls (limit: 1000)
  + price: $9.99/mo (usd)
  + price: $99.99/yr (usd)

+ CREATE plan "pro"
  entitlements: api_calls (limit: 50000), analytics
  + price: $29.99/mo (usd)
  + price: $299.99/yr (usd)

Summary: 2 creates, 0 updates, 0 archives.
Run with --apply to execute.

Multi-Environment

Same config, different targets. Sync to dev, staging, or production with environment-scoped API keys.

GitHub Action

Post billing diffs as PR comments with revenue impact. Review price changes like code changes.

Type-Safe Codegen

Generate Plans, Features, and Limits constants from your config. Full autocomplete in your editor.

Entitlements & usage tracking

Boolean gates and metered limits. Type-safe checks in your app, beautiful dashboards for your users.

billing.ts
import { billing } from '@auth-gate/billing'

// 1. Bill metered usage for a subscription
await billing.reportUsage({
  subscriptionId: 'sub_xyz',
  metric: 'api_calls',
  action: 'set', // supports 'increment' | 'decrement'
  quantity: 8500
})

// 2. Adjust limits for a given plan dynamically
await billing.updatePlanLimits({
  planId: 'pro',
  limits: {
    api_calls: 50000
  }
})
Simulate Live Usage & Limits:

Current billing period

Feb 1 – Feb 28, 2026

Pro plan
API Calls8,500 / 50,000

17% of limit used

Storage78 GB / 100 GB

78% of limit used

Seats9 / 10

90% of limit used

Resets in 28 days · Overage charged at $0.002 / extra call

Acme Corp
Admin
jane@acme.com
Developer
bob@acme.com
alice@acme.com
Viewer
guest@partner.com

Multi-tenant organizations

Typed roles, permissions, invitations, and org-level billing. Define access in code, enforce with full autocomplete.

app/rbac.ts
import { createRbacHooks } from '@auth-gate/react'
import { rbac } from '../app/rbac'

export const { useRbac, RbacGate } =
  createRbacHooks(rbac)
settings.tsx
  • RBAC-as-code — define roles and permissions in TypeScript
  • Type-safe permission checks with full IDE autocomplete
  • Invitation flows with email + role assignment
  • Org-level billing — charge the org, not individuals

RBAC-as-Code

Define resources, roles, and permissions in TypeScript. Sync to AuthGate with one command. Full type inference — like tRPC, but for access control.

app/rbac.ts
import { defineRbac } from '@auth-gate/rbac'

export const rbac = defineRbac({
  resources: {
    documents: { actions: ['read', 'write', 'delete'] },
    billing:   { actions: ['read', 'manage'] },
    members:   { actions: ['invite', 'remove'] },
  },
  roles: {
    viewer: {
      name: 'Viewer',
      grants: { documents: { read: true } },
    },
    editor: {
      name: 'Editor',
      inherits: ['viewer'],
      grants: { documents: { write: true } },
    },
    admin: {
      name: 'Admin',
      inherits: ['editor'],
      grants: {
        documents: { delete: true },
        billing:   { read: true, manage: true },
        members:   { invite: true, remove: true },
      },
    },
  },
})
Terminal
$ npx @auth-gate/rbac sync

AuthGate RBAC Sync — DRY RUN

  Resources

+ CREATE resource "documents"
  actions: [read, write, delete]
+ CREATE resource "billing"
  actions: [read, manage]
+ CREATE resource "members"
  actions: [invite, remove]

  Roles

+ CREATE role "viewer"
+ CREATE role "editor"
  inherits: [viewer]
+ CREATE role "admin"
  inherits: [editor]

Summary: 6 creates, 0 updates, 0 archives.
Run with --apply to execute.

Role Inheritance

Additive-only inheritance — child roles get all parent permissions plus their own grants. Cycle detection at validation time.

Type-Safe Permissions

Permission strings flow as literal unions from config to hooks. can("documents:write") autocompletes — typos are compile errors.

Dashboard Coexistence

Config-managed roles appear read-only in the dashboard. Dashboard-created roles are unaffected by sync.

One platform, every framework

First-class SDKs for web, mobile, and server. TypeScript-first with full type safety.

app/api/auth/[...authgate]/route.ts
// app/api/auth/[...authgate]/route.ts
import { AuthGate } from '@auth-gate/nextjs'

const auth = AuthGate({
  providers: ['google', 'github'],
  callbacks: { onSignIn: (user) => /* ... */ },
});

export const { GET, POST } = auth.handlers
export const { auth: getSession } = auth

@auth-gate/core

Framework-agnostic auth client

@auth-gate/nextjs

Next.js middleware + handlers

@auth-gate/react

React hooks + billing components

@auth-gate/react-native

React Native with secure storage

@auth-gate/billing

Billing-as-code CLI + config

@auth-gate/rbac

RBAC-as-code CLI + config

@auth-gate/billing-action

GitHub Action for PR diffs

@auth-gate/testing

E2E, billing & RBAC test helpers

Built for developers who ship

TypeScript-first, config-as-code, and tools that meet you where you work.

Config-as-Code

Define auth providers, billing plans, roles, and permissions in TypeScript. Version control everything.

MCP Server

AI assistants can create projects, configure billing, and set up roles through the Model Context Protocol.

Testing Toolkit

createTestBilling() for unit tests. @auth-gate/testing for E2E with real sessions. No mocks needed.

CLI Toolchain

sync, pull, init, check, migrate. Billing and RBAC CLIs with dry-run by default, CI/CD ready.

Self-Hosting

Deploy on your own infrastructure. Docker, Vercel, bare metal. The entire platform is open source.

Multi-Environment

Dev, staging, production. Same config, different Stripe connections. Environment-scoped API keys.

Ship with AI, not just for AI

Your AI assistant configures auth, billing, and RBAC through the Model Context Protocol.

Claude Code
> Set up a Pro plan at $29/mo with 10 seats and API access

  create_billing_plan({ name: "Pro", price: 2900, interval: "month" })
 Created plan "Pro" — $29/mo

  set_entitlements({ plan: "Pro", seats: 10, api_access: true })
 Added entitlements: seats: 10, api_access: true

> Now create an admin role with billing and user management

  create_role({ name: "admin", permissions: ["billing.*", "users.*"] })
 Created role "admin" with 2 permission scopes

> Enable Google and GitHub auth

  configure_auth_providers({ providers: ["google", "github"] })
 Enabled google, github
Works withClaude CodeCursorWindsurf
mcp.json
{
  "mcpServers": {
    "authgate": {
      "url": "https://<your-project>.authgate.dev/api/mcp",
      "headers": {
        "Authorization": "Bearer ag_live_..."
      }
    }
  }
}

Security is not optional

Every layer is encrypted, signed, and auditable.

AES-256-GCM encryption at rest

PKCE + HMAC-signed OAuth state

Rate limiting on all endpoints

Automatic token rotation

Signed webhooks (HMAC-SHA256)

Full audit trail

Self-host for data sovereignty

SOC 2 Type II

Simple, transparent pricing

Start free. Add billing or RBAC as your needs grow. Bundle both and save.

MonthlyYearly~20% off

Free

Auth forever free. Build and ship with zero cost.

Freeforever
  • Unlimited MAUs
  • All OAuth providers
  • Email/password + magic links
  • SMS OTP + MFA
  • Session management
  • Organizations
  • Security monitoring
  • Email customization
  • All SDKs
Get started free

Billing-as-Code

Stripe sync, entitlements, usage tracking — flat fee, zero percentage.

$19/ month
  • Everything in Free
  • Stripe sync via CLI
  • Entitlement engine + codegen
  • Usage tracking + forecasting
  • Subscriptions + plan migrations
  • Webhooks (HMAC-signed)
  • Coupons + promo codes
  • GitHub Action (PR diffs)
  • Billing test SDK
  • Custom domain
  • MCP Server
Get started

RBAC-as-Code

Type-safe permissions, role inheritance, multi-tenant org roles.

$9/ month
  • Everything in Free
  • CLI sync
  • Role inheritance
  • Type-safe hooks + helpers
  • RbacGate component
  • Org-level roles
  • ABAC conditions
  • Custom domain
  • MCP Server
Get started
Best value

All-in-One

Auth + Billing + RBAC. The complete platform at a bundled price.

$25/ month
  • Everything in Free
  • Full Billing-as-Code
  • Full RBAC-as-Code
  • Custom domain
  • MCP Server
Get started

Enterprise

Unlimited everything. Compliance, SLA, dedicated support.

Contact us
  • Everything in All-in-One
  • Unlimited projects, seats, envs
  • 1-year audit trail + SIEM export
  • Custom SMTP
  • QuickBooks integration
  • SOC 2 Type II report
  • 99.95% SLA
  • Dedicated support + Slack
  • Self-hosted deployment help
Contact sales

Cost comparison calculator

Save $7.7K/mo

100K MAU · $100.0K MRR

Auth0 + Stripe Billing$7.7K/mo
Auth0: $7.0KStripe: $700
AuthGate All-in-One$25/mo

At this scale AuthGate saves you $7.7K/mo — that's $92.1K/yr back in your runway.

Platform limits

FeatureFreeProEnterprise
MAUsUnlimitedUnlimitedUnlimited
Projects13Unlimited
Team seats13Unlimited
Environments12Unlimited
Audit trail7 days30 days1 year + export
Custom domain
MCP Server
SupportCommunityEmail (48h)Dedicated + SLA
Uptime SLA99.5%99.95%
Prefer to self-host? Everything is free and open source, forever.

Frequently asked questions

Ready to stop rebuilding auth?

Free and open source. Set up auth, billing, and orgs in under an hour. No credit card. No vendor lock-in.

Start building for freeView docs