Introducing the next era of Duende IdentityServer.
Duende gives teams full control over their identity infrastructure while delivering the stability business leaders depend on. Explore plans, features, and licensing options designed for organizations where control and reliability are non-negotiable.
When you build with Duende, you get more than a single solution. You get the infrastructure, documentation, and expert support to design and implement modern identity infrastructure with confidence.
Billed annually
Talk to an Expert1 Production Deployment
2 Client IDs/Connected Apps
2 BFF Front-Ends
Core Protocol Support
Unlimited APIs
10,000 User Management Users
Community Support
For small teams shipping a focused product
Billed annually
Talk to an Expert1 Production Deployment
10 Client IDs
10 BFF Front-Ends
Extended Protocol Support
Unlimited APIs
Server-Side Sessions
Add-ons Eligible: SAML, Automatic Key Management, Financial-Grade Security & Conformance, and User Management
100,000 User Management Users
Priority Support: 2 Support Escalations Per Year
For growing teams managing multiple applications in production
MOST POPULAR
Billed annually
Talk to an Expert2 Production Deployments
30 Client IDs
30 BFF Front-Ends
Extended Protocol Support
Unlimited APIs
Server-Side Sessions
Dynamic Authentication Providers
SAML
Automatic Key Management
Add-ons Eligible: Financial-Grade Security & Conformance, Multi-Issuer, and User Management
500,000 User Management Users
Priority Support: 2 Business Day SLA, 4 Escalations Per Year
For organizations with advanced architectures and technical demands
Billed annually
Talk to an ExpertFor enterprises needing unlimited scale and enhanced support
Only pay for production.
Scale-based
User Management
A user store, built for what’s next. A first-party, .NET SDK for user management, profiles, authentication, and lifecycle management tightly integrated with Duende IdentityServer. Passwords, MFA, and passkeys are built in.
$2,000/year
Automatic Key Management
Eliminate one of the most common and most preventable causes of identity infrastructure outages. Automated lifecycle management for signing and validation keys: generation, rotation, propagation, and retirement. Native to IdentityServer. No external tooling. No manual processes.
$4,000/year
SAML
Native SAML 2.0 in both directions. Provide SAML SSO to downstream partners and accept SAML assertions from upstream enterprise IdPs, all from the IdentityServer your team already controls.
$1,500/year
Financial-Grade Security & Conformance
Validate your existing Duende IdentityServer configuration against FAPI 2.0 and OAuth 2.1 requirements and produce an audit-supporting conformance report with remediation guidance.
$7,500/year
Multi-Issuer
Enables a single Duende IdentityServer deployment to serve multiple issuer URLs. Tokens carry the iss claim that matches the URL used to obtain them, in full compliance with OpenID Connect specification.
Scale-based
Redistribution Rights
Include IdentityServer as an integrated component of a product that you redistribute to your customers or third parties.
We provide the capabilities development teams need to extend authentication, integrate new systems, and adapt identity architecture over time. Explore our full set of features and compare plans to find the option that best fits your needs.
# of Deployments
A single deployment acts as a single OpenID Connect / OAuth authority hosted at a single URL. It can consist of multiple physical or virtual nodes for load-balancing or fail-over purposes.
1
1
2
Up to Unlimited
# of Client IDs/Connected Apps
A unique OAuth client, such as a web application, SPA, native, mobile, or daemon application.
2
10
30
Up to Unlimited
# of BFF Front-Ends
Backend for Frontend
2
10
30
Up to Unlimited
User Management Users
10,000
100,000
500,000
Up to Unlimited
Core Protocol Support
The OpenID Connect (OIDC) and OAuth 2.0 foundations that most applications need. Includes recommended flows and critical security features such as Pushed Authorization Requests (PAR) and Demonstration of Proof-of-Possession (DPoP).
Extended Protocol Support
Extended protocols address requirements that go beyond typical web and API scenarios. Includes Mutual TLS (mTLS), JAR, Resource Indicators, Client-Initiated Backchannel Authentication (CIBA), Device Authorization Grant and Dynamic Client Registration (DCR).
Server-Side Sessions & Session Coordination
Allows for advanced session management scenarios including session revocation, inactivity timeouts, and more.
Dynamic Auth Providers
Annual Priority Escalations
Community
2
4
Up to Unlimited
Expert SLA
2 Business Days
1 Business Day
Annual Architectural Review and Code Validation
Duende Open Source Support
Dedicated Technical Account Manager
SAML
Add-on
Automatic Key Management
Add-on
Financial Grade Security and Conformance (FGSC)
Add-on
Add-on
Add-on
Multi-Issuer
Add-on
Add-on
Additional User Management Users
Scale-based
Scale-based
Up to Unlimited
Additional BFF Front-Ends
Scale-based
Scale-based
Up to Unlimited
Redistribution Rights
License to integrate and redistribute IdentityServer to your customers, based on # of client IDs/connected apps and # of redistributions
Scale-based
Scale-based
Scale-based
Scale-based
$5,750
$12,500
$24,900
Flexible
# of Deployments
A single deployment acts as a single OpenID Connect / OAuth authority hosted at a single URL. It can consist of multiple physical or virtual nodes for load-balancing or fail-over purposes.
1
1
2
Up to Unlimited
# of Client IDs/Connected Apps
A unique OAuth client, such as a web application, SPA, native, mobile, or daemon application.
2
10
30
Up to Unlimited
# of BFF Front-Ends
Backend for Frontend
2
10
30
Up to Unlimited
User Management Users
10,000
100,000
500,000
Up to Unlimited
Core Protocol Support
The OpenID Connect (OIDC) and OAuth 2.0 foundations that most applications need. Includes recommended flows and critical security features such as Pushed Authorization Requests (PAR) and Demonstration of Proof-of-Possession (DPoP).
Extended Protocol Support
Extended protocols address requirements that go beyond typical web and API scenarios. Includes Mutual TLS (mTLS), JAR, Resource Indicators, Client-Initiated Backchannel Authentication (CIBA), Device Authorization Grant and Dynamic Client Registration (DCR).
Server-Side Sessions & Session Coordination
Allows for advanced session management scenarios including session revocation, inactivity timeouts, and more.
Dynamic Auth Providers
Annual Priority Escalations
Community
2
4
Up to Unlimited
Expert SLA
2 Business Days
1 Business Day
Annual Architectural Review and Code Validation
Duende Open Source Support
Dedicated Technical Account Manager
SAML
Add-on
Automatic Key Management
Add-on
Financial Grade Security and Conformance (FGSC)
Add-on
Add-on
Add-on
Multi-Issuer
Add-on
Add-on
Additional User Management Users
Scale-based
Scale-based
Up to Unlimited
Additional BFF Front-Ends
Scale-based
Scale-based
Up to Unlimited
Redistribution Rights
License to integrate and redistribute IdentityServer to your customers, based on # of client IDs/connected apps and # of redistributions
Scale-based
Scale-based
Scale-based
Scale-based
Review our licensing packages on our pricing page. We offer a variety of licensing options designed for your architectural and business requirements. Not sure which license is right for you, or require a custom package? Reach out to our team to learn more.
If you are a current IdentityServer4 user, book a free 30-minute IS4 upgrade assessment with our team.
A connected app is any application or service registered with your Duende IdentityServer instance that relies on it for identity, access, or federation. Each connected app has a unique registration that defines how it interacts with IdentityServer and what it is allowed to do.
Connected apps fall into four categories:
1. Interactive applications use OpenID Connect (OIDC) to authenticate users and obtain tokens. These include web apps, native mobile or desktop applications, and SPAs, each identified by its own Client ID.
2. Machine-to-machine clients request access tokens without user interaction, typically using the client credentials grant. Background services, APIs calling other APIs, and MCP clients are common examples.
3. Third-party API consumer that requires a client ID and client secret, typically in a SaaS situation or B2B situation.
4. SAML Service Providers use SAML 2.0 to establish federated trust with IdentityServer acting as the Identity Provider (IdP), enabling single sign-on for apps that rely on SAML-based authentication.
You do not need a license for development, testing, or trial. Download and use our library from NuGet and get started with trial mode. Start learning with the Duende IdentityServer quickstart tutorials.
Upgrading is simple and flexible – you can do so at any time. We'll issue a new license for your updated term and ensure you receive prorated credit for the remaining unused time on your existing license.
Redistribution occurs when you bundle Duende IdentityServer as an integrated component of a product or service that you sell, lease, or provide to third parties.
Redistribution typically applies to Independent Software Vendors (ISVs) who ship IdentityServer as part of a larger solution that customers host on their own local or cloud infrastructure. Each customer installation of IdentityServer is considered a separate redistribution.
Can’t find what you’re looking for?
Start a free trial to explore Duende in your environment, or connect with our team to discuss plans, licensing, and implementation.
