Infisical Pricing and Auth-Tier Research
Status: research-only. This document does NOT constitute legal or tax advice. Before acting on cost or licensing decisions, consult a technology attorney or CPA licensed in Pennsylvania. Last updated: 2026-05-12 UTC. Verify all pricing at source before acting — SaaS pricing changes without notice.
1. Executive Recommendation
Path B (CF Access gates the URL, Infisical native login handles the app) is the lowest-friction option pre-launch and costs $0 extra. The one fact that drives it: Infisical Cloud Pro is $18/seat/month as of 2026, and for a solo operator with one human identity that is $216/year just to eliminate a second login prompt — not a good pre-launch spend. Path B's double-prompt friction is real but manageable for a single operator. Pay for Infisical Pro only after the team grows past one, or if a SOC 2 auditor specifically requires SSO as a compensating control. If the double-prompt becomes intolerable before then, Path C (native WebAuthn MFA inside Infisical, no CF OIDC) is feasible — WebAuthn/passkey MFA was shipped in Infisical's codebase (PR #4896, merged January 2026), though its tier-gating on self-hosted is not definitively documented by Infisical and requires direct confirmation with sales.
2. Infisical Pricing Table
2a. Cloud SaaS (app.infisical.com)
| Plan | Price | Identities | Projects | Environments | SSO |
|---|---|---|---|---|---|
| Free | $0/mo | Up to 5 | Up to 3 | Up to 3 | Google SSO + GitHub SSO only |
| Pro | $18/identity/month | Unlimited | Unlimited | Up to 12 | SAML 2.0 + OIDC (both included) |
| Enterprise | Custom (contact sales) | Unlimited | Unlimited | Unlimited | SAML + OIDC + LDAP + SCIM |
Source: https://infisical.com/pricing (retrieved 2026-05-12)
Solo-operator reality (1 identity, Pro): $18/month flat. No minimum-seat floor is published on the pricing page. Annual vs. monthly discount: not publicly listed — ask sales.
Startup program: A startup-credits aggregator listing exists at https://startupcredits.io/s/infisical but shows no confirmed discount terms. No public startup program page on Infisical's own site as of this research. Confirm with sales@infisical.com.
Next tier jump: Free → Pro is $18/mo. Pro → Enterprise is custom pricing (undisclosed). The pricing page lists no per-seat upper bound for Pro before the Enterprise conversation starts.
2b. Self-Hosted
The self-hosted binary is MIT-licensed and free. Feature-gating above the Community feature set requires a license key purchased from Infisical:
- Community (no license key): Core secrets management, basic audit logs, unlimited users, unlimited secrets. OIDC SSO and SAML SSO are NOT included without a license.
- Self-Hosted Pro/Enterprise License: Contact sales@infisical.com. Pricing is NOT publicly listed. There is no separate "Self-Hosted Pro" SKU on the public pricing page — the license key is sold by the sales team. Multiple secondary sources describe it as analogous to the Cloud Pro per-seat price, but this is unsourced — confirm with sales.
Key reference: https://infisical.com/docs/self-hosting/ee (retrieved 2026-05-12)
OIDC SSO docs: https://infisical.com/docs/documentation/platform/sso/general-oidc/overview
3. Feature Matrix
| Feature | Free / Community | Pro (Cloud $18/seat/mo) | Enterprise (Custom) | Self-Hosted (no license) | Self-Hosted (licensed) |
|---|---|---|---|---|---|
| OIDC SSO | No | Yes | Yes | No | Yes (license required) |
| SAML 2.0 SSO | No | Yes | Yes | No | Yes (license required) |
| LDAP | No | No | Yes | No | Yes (Enterprise license) |
| Google / GitHub OAuth (social login) | Yes | Yes | Yes | Yes | Yes |
| WebAuthn / Passkey — primary passwordless login | Not documented; likely not supported yet | Unknown — confirm with Infisical | Unknown | Not documented | Not documented |
| WebAuthn / Passkey — as MFA second factor | Partially — PR #4896 (Jan 2026) added WebAuthn as 3rd MFA method; tier-gating on self-hosted unclear | Likely yes | Yes | Unclear — code references ee/services path | Unclear |
| TOTP MFA (Authenticator app) | Yes (all tiers) | Yes | Yes | Yes | Yes |
| Email MFA | Yes (all tiers) | Yes | Yes | Yes | Yes |
| Audit Logs — basic access | Yes | Yes (90-day retention) | Yes (custom retention + streaming) | Yes (present in community) | Yes |
| Audit Log Streaming | No | No | Yes | No | Yes (Enterprise) |
| Approval Workflows | No | Yes | Yes | No | Yes (licensed) |
| Access Requests | No | No | Yes | No | Yes (Enterprise) |
| Secret Versioning | No | Yes | Yes | No | Yes (licensed) |
| Point-in-Time Recovery | No | Yes | Yes | No | Yes (licensed) |
| Secret Rotation | No | Yes | Yes | No | Yes (licensed) |
| Dynamic Secrets | No | No | Yes | No | Yes (Enterprise) |
| IP Allowlisting | No | Yes | Yes | No | Yes (licensed) |
| SCIM Provisioning | No | No | Yes | No | Yes (Enterprise) |
| Custom Roles | No | No | Yes | No | Yes (Enterprise) |
| User Groups | Limited | Limited | Yes | Limited | Yes (Enterprise) |
| Multi-environment | Yes (3 envs) | Yes (12 envs) | Unlimited | Unlimited | Unlimited |
| Priority Support | No | Yes | Yes + dedicated engineer | No | Varies |
| SOC 2 / Pentest reports | No | No | Yes | No (self-attest) | No (self-attest) |
| FIPS 140-3 compliant instance | No | No | Yes (separate instance) | No | No |
Sources:
- https://infisical.com/pricing
- https://infisical.com/docs/documentation/platform/sso/overview
- https://infisical.com/docs/documentation/platform/mfa
- https://infisical.com/docs/documentation/platform/audit-logs
- GitHub PR #4896: https://github.com/Infisical/infisical/pull/4896
Important caveats on the passkey/WebAuthn rows: The official MFA docs as of 2026-05-12 document only email MFA and TOTP. PR #4896 added WebAuthn as a third MFA method (January 2026 merge) but the tier-gating for self-hosted is not clearly documented. The PR description references ee/services code paths, which conventionally means Enterprise Edition gating in Infisical's codebase. Verify directly with support@infisical.com before treating this as a free-tier unlock.
4. Three-Path Cost + UX + Risk Matrix
Path A — Pay Infisical Pro, configure OIDC with CF JWT
| Dimension | Detail |
|---|---|
| Cost | $18/month Cloud Pro (1 identity). Self-hosted license: price not public, contact sales. If similar to Cloud Pro, ~$18/mo. |
| What it buys | OIDC endpoint inside Infisical trusts the CF Access JWT. One-click login: browser → CF Access (Google passkey) → CF issues JWT → Infisical validates JWT → user is in. Single auth surface. |
| UX gain | Eliminates the second login prompt. Passkey at CF layer = phishing-resistant primary auth. No Infisical-side password to manage or rotate. |
| Technical caveat | CF Access does NOT have a published OIDC discovery document in the standard IdP sense. CF Access issues a JWT that can be validated, but configuring Infisical's OIDC SSO to trust it requires mapping CF's JWT public keys to Infisical's OIDC expected claims. This is not documented in either Infisical or Cloudflare's official docs. A community workaround (cf-access-workers-oidc by eidam: https://github.com/eidam/cf-access-workers-oidc) uses a Cloudflare Worker to wrap CF Access as a standards-compliant OIDC provider — but that is a community project, not a supported integration. Confirm technical feasibility with Infisical support before purchasing. |
| Lock-in risk | Medium. If Infisical is ever replaced, the OIDC config migrates to the new vault (OIDC is standard). But the CF Access JWT wrapper approach is brittle to CF API changes. |
| Auditability gain | Infisical Pro includes 90-day audit log retention. All secret accesses logged and queryable. |
| Pre-launch timing | Could be set up in 1–2 days after purchase confirmation. Not blocking launch (Path B works fine at launch). |
| Verdict | Right call when the team reaches 2–3 people and double-prompt friction becomes a multi-person coordination tax, OR if SOC 2 audit requires SSO. Not justified pre-launch for solo. |
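One way to test any candidate issuer for Path A (CF Access itself, the community Worker shim, or another IdP) before purchase. This is an added example, not code from Infisical, Cloudflare or this memo's author: it checks a fetched .well-known/openid-configuration body against the metadata that OpenID Connect Discovery 1.0 requires. The issuer idp.example.com and both sample documents are constructed, and fetching the body is left to the operator.

```python
import json
from urllib.parse import urlsplit

# Metadata that OpenID Connect Discovery 1.0 marks REQUIRED for every provider.
REQUIRED = (
    "issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
    "subject_types_supported", "id_token_signing_alg_values_supported",
)
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(issuer, body):
    """Return a list of problems; an empty list means the metadata is usable.

    issuer: the issuer URL that would go into the SSO configuration.
    body:   text fetched from <issuer>/.well-known/openid-configuration,
            or None when the endpoint served no document (e.g. HTTP 404).
    """
    if body is None:
        return ["no discovery document at the well-known path"]
    try:
        meta = json.loads(body)
    except ValueError:
        return ["discovery document is not valid JSON"]
    if not isinstance(meta, dict):
        return ["discovery document is not a JSON object"]

    problems = [f"missing required field: {k}" for k in REQUIRED if k not in meta]

    # The issuer inside the document must equal the configured issuer exactly.
    if "issuer" in meta and meta["issuer"] != issuer:
        problems.append(f"issuer mismatch: document says {meta['issuer']!r}")

    # token_endpoint is required unless only the implicit flow is offered.
    types = meta.get("response_types_supported")
    types = types if isinstance(types, list) else []
    uses_code = any("code" in str(t).split() for t in types)
    if uses_code and "token_endpoint" not in meta:
        problems.append("missing token_endpoint for the authorization code flow")

    # RS256 must be among the advertised ID token signing algorithms.
    algs = meta.get("id_token_signing_alg_values_supported")
    if algs is not None and (not isinstance(algs, list) or "RS256" not in algs):
        problems.append("RS256 not offered for ID token signing")

    # Issuer and endpoints must be https URLs.
    for key in URL_FIELDS:
        if key in meta and urlsplit(str(meta[key])).scheme != "https":
            problems.append(f"{key} is not an https URL")
    return problems


# Constructed sample input; idp.example.com is a placeholder issuer.
ISSUER = "https://idp.example.com"
_BASE = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
COMPLETE = json.dumps(_BASE)
# Constructed failure case: wrong issuer and no token endpoint.
_BROKEN = {k: v for k, v in _BASE.items() if k != "token_endpoint"}
_BROKEN["issuer"] = "https://other.example.com"
BROKEN = json.dumps(_BROKEN)

if __name__ == "__main__":
    for name, body in (("complete", COMPLETE), ("absent", None), ("broken", BROKEN)):
        print(name, "->", check_discovery(ISSUER, body) or "usable")
```

An empty result only shows the metadata is well-formed; whether Infisical accepts the issuer still needs the confirmation from Infisical support called for above.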
Path B — CF Access gates URL, Infisical native login at app (current state, $0)
| Dimension | Detail |
|---|---|
| Cost | $0 incremental. |
| Login flow | 1) Navigate to vault.raxx.app. 2) CF Access checks for valid CF_Authorization cookie; if absent, redirects to Google. 3) Operator completes Google passkey. 4) CF sets cookie, forwards to Infisical. 5) Infisical login form appears. 6) Operator enters Infisical credentials (email + TOTP or email MFA). Total: ~6–8 clicks per fresh session. |
| Security posture | CF Access (Google passkey) provides phishing-resistant outer perimeter — an attacker who steals the Infisical password still can't reach the login form from the public internet. Infisical password is the weakest link but it only matters once CF Access has been bypassed, which requires compromising Google + passkey. Posture is acceptable for solo pre-launch. |
| Friction for solo | Manageable. CF Access cookies persist in the browser (configurable session duration). Daily use: one Google passkey tap, then Infisical TOTP. |
| Friction at team of 3 | Each new team member needs a CF Access seat (Cloudflare Teams Free covers up to 50 users for Zero Trust with some limits; confirm current CF Zero Trust pricing). Each also needs an Infisical account. Onboarding is two-step. Offboarding requires revoking both CF Access and Infisical separately — gap risk. |
| Friction at team of 10 | The dual-revocation offboarding gap becomes a real risk. If a team member is removed from Google Workspace but someone forgets to revoke Infisical, they could still reach the Infisical login form (CF Access would block, but the Infisical account stays active). Path A or dedicated SCIM provisioning (Enterprise) is the right answer at this scale. |
| Recommendation | Use now. Revisit at first team member addition. |
Path C — Drop CF Access OIDC layer, use Infisical native WebAuthn as primary
| Dimension | Detail |
|---|---|
| Feasibility | Uncertain. WebAuthn as MFA second factor was merged in PR #4896 (Jan 2026). Whether it works as a passwordless primary factor (no password at all) is not documented. The official MFA docs as of 2026-05-12 do not mention passkeys. Verify with Infisical before treating this as a viable option. |
| Tier requirement for self-hosted | Unknown. Code references ee/services path (Enterprise Edition gating). If it IS enterprise-gated on self-hosted, this path has similar cost implications to Path A. |
| What you lose | CF Access as the outer perimeter. vault.raxx.app becomes accessible to the public internet (someone can reach the Infisical login form without CF Access challenge). CF can still provide IP/geo-blocking at the WAF layer, but the OIDC authentication gate is gone. Loses CF-side access logs for vault access. Loses Google Workspace as authoritative identity root for vault access. |
| What you gain | Single auth surface. No double-prompt. No CF JWT complexity. If passkey-primary is available on free tier, it's $0. |
| Risk | Removing CF Access from vault.raxx.app expands the attack surface. The current CF Access layer provides defense-in-depth. The security tradeoff likely doesn't favor this path unless Infisical's native WebAuthn is confirmed production-ready and passkey-primary (not just MFA) on your tier. |
| Verdict | Do not pursue until (a) Infisical confirms WebAuthn-primary is available on free/community self-hosted, AND (b) you've assessed the attack-surface cost of removing CF Access from vault. Likely not worth it — the double-prompt in Path B is less bad than the surface expansion in Path C. |
5. Pivot-Vendor Comparison
Use this section if Infisical Pro pricing or the CF-OIDC technical gap drives a vendor re-evaluation.
| Vendor | Model | Cost for Solo | OIDC/SSO Tier | Passkey Support | Migration from Infisical | Verdict |
|---|---|---|---|---|---|---|
| HashiCorp Vault Community | Self-hosted, open source (BSL license since 2023) | $0 software + infra (~$5–$15/mo on Heroku/Railway) | OIDC auth method included FREE in Community — no license required | Not natively; relies on upstream IdP | High effort: no direct migration path; manual secret re-import | Best choice IF technical depth is available and you want OIDC free. Steep operational overhead (HA storage backend, TLS mgmt, Raft quorum). Not recommended pre-launch. |
| Bitwarden Secrets Manager | Cloud SaaS (self-hosted "coming soon") | Free (2 users, 3 projects) or $6/user/mo Teams | SSO requires Enterprise ($12/user/mo) | FIDO2/WebAuthn for 2FA: Teams + Enterprise. Not confirmed as passwordless primary. | Medium: CLI export/import tooling available | More expensive than Infisical for SSO (requires Enterprise vs Pro). Self-hosted not GA for Secrets Manager as of 2026-05-12. |
| Doppler | Cloud SaaS only | Free (3 users); $21/user/mo Team | SAML SSO at Team ($21/user/mo). OIDC not explicitly listed. | Not documented on any public tier. | Medium-high: Doppler has no self-hosted option; moves you fully to cloud | $21/mo for SSO vs Infisical's $18/mo. More expensive. No self-host option = less control. |
| AWS Secrets Manager | Cloud (AWS-native) | ~$0.40/secret/mo + $0.05/10k API calls | IAM-based auth; OIDC via IAM Identity Center (SSO) — requires AWS SSO setup | Not applicable (AWS console auth handles operator MFA, including passkeys via IAM) | Low effort for AWS-resident workloads; operator secrets would need client-side tooling (AWS CLI) instead of Infisical's web UI | Already in use for workload secrets (per memory: feedback_aws_workloads_use_ssm_not_vault). Absorbing operator UI secrets here would mean losing Infisical's web dashboard. Use for workload secrets, keep Infisical for developer-facing UX. |
| 1Password Business | Cloud SaaS | $7.99/user/mo (annual) | OIDC SSO via "Unlock with SSO" — included in Business | Passkeys as primary login: YES, documented for Business tier | Medium: 1Password has CLI + Secrets Automation but different mental model | Cheapest SSO-inclusive option at $7.99/mo vs Infisical's $18/mo. BUT Secrets Automation (injecting into CI/CD) requires Business plan + separate integration work. Not a like-for-like vault replacement without engineering work. |
Brutal assessment
Infisical Pro at $18/month is the only option that gets you native OIDC SSO in the same product you're already running, with zero migration cost. If $18/month is acceptable (it's $216/year — less than one attorney hour), it's the clean choice. The only reason to migrate is if:
- You determine CF Access cannot serve as a standards-compliant OIDC provider for Infisical (technical gap), AND
- You still want single-prompt passkey auth, AND
- You're unwilling to pay $18/mo.
In that specific scenario, 1Password Business at $7.99/mo with Unlock with SSO is the only cheaper option that includes SSO — but it requires migrating your secrets and rethinking the CI/CD injection layer.
HashiCorp Vault Community is the right long-term answer at scale (OIDC free, full control) but has 2–4 days of pre-launch setup cost and ongoing operational overhead that is disproportionate pre-launch.
6. Legal and Compliance Notes
This section identifies publicly documented compliance considerations. It does not constitute legal advice. Verify with a technology attorney.
Export control: No EAR/ITAR classification identified for secrets-management SaaS switching. Infisical, Doppler, 1Password, and HashiCorp are US-incorporated companies. Switching tiers or vendors does not trigger export control review for this use case. Unsourced — confirm with technology attorney if Raxx ever handles defense-sector customer data.
SOC 2 and SSO: SOC 2 Type II auditors may include SSO as an expected compensating control for logical access. The relevant criterion is CC6.1 (logical access controls). Whether a specific auditor will accept CF Access + Infisical native login as equivalent to SSO-gated access depends on the audit firm. This is not a concern pre-launch but surfaces at the first enterprise customer or Series A diligence. Source: AICPA SOC 2 criteria (unsourced at this level of specificity — confirm with a SOC 2 readiness consultant when relevant).
Data residency: Infisical Cloud (app.infisical.com) offers a US region and an EU region (eu.infisical.com). If Raxx ever accepts EU customers and processes their secrets through Infisical Cloud, the EU region is available without a tier upgrade. Source: https://infisical.com/ (homepage feature list, retrieved 2026-05-12). Self-hosted at vault.raxx.app keeps data in the operator's own infrastructure — data-residency question reduces to where vault.raxx.app is hosted.
Infisical license change risk: Infisical's core is MIT-licensed. The EE (Enterprise Edition) features are source-available but not open-source — the license terms for EE code are controlled by Infisical. HashiCorp changed Vault's license from MPL 2.0 to BSL in 2023; Infisical could do the same. Self-hosting on MIT core mitigates this partially. Source: https://github.com/Infisical/infisical (LICENSE file). Unsourced on BSL-risk for Infisical specifically — confirm with technology attorney if vendor lock-in is a diligence concern.
GDPR / data processor framing: If Raxx uses Infisical Cloud (app.infisical.com) to store secrets that include customer PII (e.g., customer API tokens with embedded identifiers), Infisical becomes a data processor under GDPR. Infisical's DPA (Data Processing Agreement) availability: not confirmed in this research — request from sales@infisical.com before accepting EU customers if using Cloud SaaS. Self-hosted eliminates this exposure.
7. Open Questions for Operator
These are questions this research cannot answer from public sources. Each requires action before a decision is final.
- [Infisical sales — pricing] What is the self-hosted Pro/Enterprise license fee for a single-identity org? Is there a startup program or annual pre-pay discount? Contact: sales@infisical.com
- [Infisical support — technical] Can CF Access at moosequest.cloudflareaccess.com serve as a standards-compliant OIDC provider for Infisical's SSO configuration? Specifically: does Infisical support JWT-only validation against a JWKS endpoint without a full OIDC discovery document? Contact: support@infisical.com
- [Infisical support — passkey tier] Is WebAuthn/passkey MFA (PR #4896) available on self-hosted Community (no license key), or is it gated behind an EE license? Is passwordless-primary (no password + passkey only) supported at all? Contact: support@infisical.com
- [Cloudflare — OIDC provider capability] Does CF Access expose a standards-compliant OIDC discovery endpoint (.well-known/openid-configuration) that a downstream app can consume? The community project cf-access-workers-oidc suggests the answer is "not natively" but this should be confirmed with Cloudflare support before building on it. Reference: https://github.com/eidam/cf-access-workers-oidc
- [CPA] Is the $18/month Infisical Pro subscription a deductible business expense for MooseQuest LLC? (Almost certainly yes as software/SaaS operational expense — but confirm.)
- [Decision gate — launch timing] Does any of the three paths create a pre-launch blocker before 2026-05-23? Path B does not. Paths A and C could require investigation time. Confirm: is the current double-login UX (Path B) acceptable for the launch date?
8. Decision-Ready Summary
If you want single-prompt passkey login to vault.raxx.app and are willing to pay $18/mo: Choose Path A. Purchase Infisical Cloud Pro (or request a self-hosted license quote). First confirm with Infisical support whether CF Access can serve as the OIDC provider — if it can't without the community Worker shim, you may need Google Workspace to serve as the OIDC provider directly (bypassing CF Access OIDC, though CF Access can still protect the URL). At $18/mo for one identity, this is $216/year.
If you want $0 incremental cost and can tolerate two login prompts: Stay on Path B. CF Access (Google passkey) gates the URL. Infisical's native email+TOTP handles the app login. Re-evaluate when the team grows or at first SOC 2 conversation.
If you want to eliminate the double-prompt without paying Infisical: Investigate Path C — but only after confirming with Infisical that WebAuthn MFA is available on self-hosted community tier AND that passkey-primary (not just MFA-second-factor) is supported. Do not pursue Path C without those confirmations; the attack-surface cost of removing CF Access without a passkey replacement is not worth it.
If Infisical Pro costs more than $25/month for self-hosted or the CF OIDC integration is technically infeasible: Evaluate 1Password Business at $7.99/mo as the cheapest SSO-inclusive alternative. Accept the migration cost (2–3 days of engineering).
Pre-launch recommendation (by 2026-05-23): Stay on Path B. Zero cost, zero setup time, acceptable friction for one operator. Queue the Infisical sales conversation as a post-launch task.
Sources
- https://infisical.com/pricing — Infisical pricing page (retrieved 2026-05-12)
- https://infisical.com/docs/documentation/platform/sso/overview — SSO overview, tier requirements
- https://infisical.com/docs/documentation/platform/sso/general-oidc/overview — OIDC SSO configuration, self-hosted license requirement
- https://infisical.com/docs/self-hosting/ee — Self-hosted enterprise edition docs
- https://infisical.com/docs/documentation/platform/mfa — MFA methods (email, TOTP; passkeys not in official docs)
- https://infisical.com/docs/documentation/platform/audit-logs — Audit log documentation
- https://github.com/Infisical/infisical/pull/4896 — WebAuthn + PAM session MFA PR (merged Jan 2026)
- https://www.doppler.com/pricing — Doppler pricing (Developer free, Team $21/user/mo)
- https://bitwarden.com/help/secrets-manager-plans/ — Bitwarden Secrets Manager pricing
- https://1password.com/pricing/password-manager — 1Password Business $7.99/user/mo
- https://developer.hashicorp.com/vault/docs/auth/jwt — HashiCorp Vault JWT/OIDC auth (free in Community)
- https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/ — CF Access as OIDC consumer (not provider)
- https://github.com/eidam/cf-access-workers-oidc — Community project wrapping CF Access as OIDC provider
- https://infisical.com/docs/documentation/platform/sso/overview — SAML+OIDC both at Pro tier
- https://aws.amazon.com/secrets-manager/pricing/ — AWS Secrets Manager $0.40/secret/mo (cross-reference: https://ranthebuilder.cloud/blog/secrets-manager-vs-parameter-store-which-one-should-you-really-use/)