Serve your free, freemium
and enterprise customers

Included in all plans

No credit card required

  • 10,000 Monthly Active Users (MAUs)
  • Full-featured authentication, including multi-factor (MFA)
  • Password, passwordless, social login, SSO, TOTP authenticator
  • Role-based access control (RBAC)
  • Tools to migrate your system, including import & export
Get started
$24 /mo
For individuals and projects with basic auth needs
Most popular
$140 /mo
For teams that serve organizations with custom access control
$680 /mo
For businesses starting to serve enterprise customers
Contact us
For businesses that serve many enterprise & advanced customers
  • Data residency & GDPR
  • Volume discounts
  • Custom integration
  • Implementation services
30-day free trial for paid plans
10% discount for annual payment

Add Ons

$100 /mo per 1,000
  • Organizations allow multiple users to share a tenant
  • You choose the role for each user in the organization
Enterprise orgs
$100 /mo each
  • Enterprise orgs have authentication configured specifically for the org, including custom SSO, SAML, MFA, and more
  • Also includes custom access control at the org level, and access control nesting for sub-orgs
Additional team members
$20 /mo each
  • Team members can view and administer your workspace via the Userfront dashboard.
API-generated access tokens
$100 /mo per 50,000
  • Programmatically generate secure, custom JSON Web Tokens (JWTs) on demand.
  • Can be used for custom authentication flows and machine-to-machine (M2M) authentication.

Plan comparison

Included Usage
Monthly Active Users (MAUs)
Enterprise orgs
Team members
Custom JWTs for M2M authentication
Included Features
Custom roles
Custom JWT endpoint
M2M authentication
SMS sending
By webhook
By Twilio or webhook
By Userfront, Twilio, or webhook
Tenant-specific auth
Tenant nesting
SOC 2 report
Advanced analytics

All plans include

10,000 Monthly Active Users (MAUs)

MAUs are users who have performed an authentication action in the last 30 days.

User import

Add new users in bulk by API or CSV upload.

User export

Download a CSV file of users and their data from Userfront.


Allow authentication using a secret string of characters. Learn more


Allows users to access your application without the need for a password, using alternate verification methods.

Social SSO (Google, GitHub, etc.)

Allow users to authenticate using their Google, Facebook, LinkedIn, Apple, Azure, or GitHub accounts.

Unlimited social SSO connections

Connect as many social SSO connections to your application as you want.

TOTP authenticator

Allow users to authenticate using a time-based one time password (TOTP).

Common TOTP applications include Authy, Google Authenticator, Okta, and Microsoft Authenticator.

Email login links

A secure link sent to a user's email address which, when clicked, grants them access to your application without needing a password.

Email verification codes

A one-time code sent to a user's email to confirm their identity, often used as a second authentication factor.

Email sending by Userfront or webhook

Userfront can send emails on your behalf (default), or can provide you with webhooks to send fully customized email messages.

PKCE / mobile login

Support for Proof Key for Code Exchange (PKCE) to enable secure mobile app authentication.

Multi-factor authentication (MFA)
Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is included as an option for all free & paid plans. MFA requires users to verify their identity using two methods, such as a password and a TOTP authenticator code.

All authentication methods

Any authentication factor can be used as a first factor or a second factor.

Access control
Role-Based Access Control (RBAC)

Role-based access control (RBAC) allows you to define levels of access based on a user’s role(s).

On Userfront, users can have multiple roles in an organization and roles across multiple organizations, and organizations can have multiple users with roles.


Tenants allow you to store "account-level" data the same way for individual customers, organizations, and enterprises.

Start with tenants early to avoid having to re-architect your application down the road as you move from serving individual customers to organizations.

Global roles

Global roles are application-wide roles that allow your team to have access at a level above your end users' access.

Federated authorization

By default, Userfront includes a user's roles in their JWT access token. This allows you to verify their roles on your server without needing to contact Userfront with each request.

Real-time authorization

For applications that require realtime access control checks on each request, Userfront has endpoints to return a user's access on demand.

Tokens & API keys
Refresh tokens

Refresh tokens allow your end users to securely re-authenticate in your application without requiring another login. This can give your application a better end user experience.

Session management

Manage your end users' sessions and maintain user authentication state between calls to your application.

Custom JWT expiration

Define custom duration times for the JWT access tokens issued to your end users. Shorter durations improve security, while longer durations can improve user experience.

    User created, updated, deleted

    Configure Userfront to make a callback request to your server each time a user is created, updated, or deleted.

    Tenant created, updated, deleted

    Configure Userfront to make a callback request to your server each time a tenant (individual, organization, or enterprise org) is created, updated, or deleted.

    Verification code email / SMS text message

    Configure Userfront to make a callback request to your server when an email or SMS verification code is requested.

    Login link / passwordless email

    Configure Userfront to make a callback request to your server when an emailed login link is requested.

    Custom forms

    Create custom signup, login, and password reset forms to match your branding and authentication needs.

    Remove Userfront branding

    Add forms to your website or application without Userfront branding.

    Send your own emails (optional)

    Configure Userfront to send a webhook so that you can send emails through your own infrastructure.

    Send your own SMS text messages (optional)

    Configure Userfront to send a webhook so that you can send SMS text messages through your own infrastructure.

    Dashboards & analytics
    Total user count

    The number of unique users that register for your application.

    Monthly active users

    The number of unique users that have signed into your application in the last 30 days.

    Daily active users

    The number of unique users that sign in to your application within a given day.

    Daily new users

    The number of new users that sign up for your application each day.

    Service Level Agreement (SLA)
    Service Level Agreement (SLA)

    Userfront maintains a service level agreement (SLA) that provides uptime guarantees for the service. Learn more