Industry Guide · 11 min read · April 16, 2026

IAM for Indian Startups: Build vs Buy vs Managed Keycloak

Should your Indian startup build authentication from scratch, pay for Auth0 or Firebase, or run a managed Keycloak deployment? A decision framework for startup CTOs at every growth stage.

KeycloakPro Team

The Authentication Decision That Compounds Over Time

Every startup faces the authentication question early. It seems like a minor technical choice — pick a library, wire up a login form, move on. But the decision compounds. The identity system you choose at 50 users is the system your engineers are still debugging at 500,000 users, the system your compliance officer is auditing when your first enterprise customer arrives, and the system your investors are questioning when a data breach hits the news.

Indian startups have a specific version of this problem. The three most common choices — build it yourself, buy a SaaS IdP like Auth0 or Firebase, or run a managed open-source deployment like Keycloak — each have different cost curves, compliance profiles, and operational implications in the Indian market.

This guide is a decision framework, not a vendor pitch. The right answer depends on where you are in your growth curve.


Option 1: Build Authentication Yourself

What "Build" Actually Means

Building authentication in-house means writing and maintaining your own registration, login, password reset, session management, MFA, and token issuance code. Most Indian startups that choose this path use a language-specific library (Passport.js, Devise, Spring Security) and assume the library handles the hard parts.

The library handles some hard parts. It doesn't handle:

  • Token storage and rotation: Where refresh tokens live, how they expire, how to revoke them on logout without impacting other sessions
  • MFA implementation: TOTP seed generation, backup codes, rate limiting on OTP attempts
  • Session security: Session fixation attacks, cookie security flags, concurrent session limits
  • Brute force protection: Account lockout, IP-based rate limiting, credential stuffing detection
  • Audit logging: Every authentication event with timestamp, IP, user agent — for CERT-In and DPDP compliance
  • Multi-device management: Letting users see and revoke active sessions across devices
  • Consent management: DPDP-compliant consent collection, versioning, and withdrawal

None of these are impossible to build. All of them take time that isn't spent on your product.
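The first item in the list above is the one most often underestimated. As an added illustration (not code from the original article or from KeycloakPro), the following Python models refresh-token rotation the way a hardened implementation does it: each login starts its own token family, every rotation invalidates the previous token, a replay of an already-rotated token revokes the whole family (reuse detection), and logging out one device leaves the user's other sessions intact. Storage is an in-memory dictionary and the 30-day lifetime is an assumption; a real deployment would put the same state in a database or cache.

```python
"""Refresh-token rotation with per-session families and reuse detection.

Added example, not code from the original article or from KeycloakPro.
Only token digests are stored, so a leaked store cannot be replayed.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    user: str
    family_id: str
    current_digest: str   # digest of the only refresh token that is currently valid
    revoked: bool = False


class RefreshStore:
    REFRESH_TTL = 30 * 24 * 3600  # 30 days; an assumption for the example

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}  # family_id -> Session
        self.by_digest: Dict[str, str] = {}     # token digest -> family_id (kept after rotation)
        self.expiry: Dict[str, float] = {}      # token digest -> absolute expiry time

    def _mint(self, family_id: str) -> str:
        token = secrets.token_urlsafe(32)
        d = _digest(token)
        self.by_digest[d] = family_id
        self.expiry[d] = time.time() + self.REFRESH_TTL
        return token

    def issue(self, user: str) -> Tuple[str, str]:
        """Login on a device: start a fresh token family for that session."""
        family_id = secrets.token_hex(8)
        token = self._mint(family_id)
        self.sessions[family_id] = Session(user, family_id, _digest(token))
        return token, family_id

    def rotate(self, presented: str) -> Optional[str]:
        """Exchange a refresh token for a new one; None means the request was rejected.

        Unknown, expired and revoked tokens are rejected. Presenting a token that
        was already rotated means two parties hold copies (client and thief), so
        the whole family is revoked rather than guessing which one is legitimate.
        """
        d = _digest(presented)
        family_id = self.by_digest.get(d)
        if family_id is None:
            return None
        session = self.sessions[family_id]
        if session.revoked or time.time() > self.expiry[d]:
            return None
        if d != session.current_digest:
            session.revoked = True   # reuse detected: kill every token in this family
            return None
        new_token = self._mint(family_id)
        session.current_digest = _digest(new_token)
        return new_token

    def logout(self, family_id: str) -> None:
        """Revoke exactly one session; the user's other devices keep working."""
        self.sessions[family_id].revoked = True

    def active_sessions(self, user: str) -> List[str]:
        """The list a 'manage my devices' page would show."""
        return [f for f, s in self.sessions.items() if s.user == user and not s.revoked]


if __name__ == "__main__":
    store = RefreshStore()
    phone, phone_family = store.issue("alice")
    laptop, _ = store.issue("alice")
    phone = store.rotate(phone)              # normal refresh
    store.logout(phone_family)               # sign out the phone only
    print("laptop still valid:", store.rotate(laptop) is not None)
```

The design choice worth noting is that old digests stay in `by_digest` after rotation: that is what makes a replayed token recognisable as a replay instead of merely unknown.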

When Build Makes Sense

Building authentication makes sense in almost no startup scenario. The only credible cases:

  • Your product is authentication infrastructure (building a competitor to Auth0 or Keycloak)
  • You have extremely unusual requirements that no existing system can meet (specific hardware integration, proprietary protocol)
  • You're building for a classified environment with no internet access and no existing open-source solution is acceptable

If you're building a SaaS product, an app, or a platform — building authentication yourself is almost always the wrong answer. The opportunity cost (2–6 engineering months for a basic implementation) exceeds the value of the control you gain.

The Hidden Cost

Beyond initial development: authentication requires ongoing maintenance. Security vulnerabilities require patches. New MFA methods emerge. DPDP Rules create new consent and erasure obligations. PCI DSS 4.0 changes authentication requirements. Every engineering hour spent maintaining auth is an hour not spent on the product that customers pay for.


Option 2: Buy a SaaS IdP (Auth0, Firebase, Cognito)

The Default Choice

For most Indian startups, the default choice is a managed SaaS identity provider. Auth0, Firebase Authentication, and AWS Cognito dominate this space. They offer quick setup, good documentation, and handle the security infrastructure.

This is a reasonable choice at early stages. The problems appear as you scale.

The Cost Curve in INR

SaaS IdP pricing is per Monthly Active User (MAU). At early stages (under 10,000 MAU), most services are free or nearly free. The cost curve inflects significantly above 50,000 MAU.

Auth0 (approximate INR pricing at ₹84/USD):

  • Free: 7,500 MAU
  • ₹1,750/month: 1,000 MAU (B2B)
  • ₹15,500/month: 10,000 MAU
  • ₹1,54,000/month: 100,000 MAU
  • Enterprise pricing starts at ~₹42L/year for Series B+ scale

Firebase Authentication: Free for most authentication operations (first 10,000 phone verifications/month at ₹0; ₹0.58/verification after). The "free" framing obscures SMS OTP costs — at 100,000 monthly logins with SMS MFA, SMS costs alone run ₹50,000–₹60,000/month.

AWS Cognito: Free tier covers 50,000 MAU. After that: ₹42–50/MAU/month in ap-south-1. At 500,000 MAU: ₹2.1–2.5L/month in MAU fees alone, before SMS costs. Advanced Security features (adaptive authentication, risk scoring) add ~₹21/MAU/month — for 500,000 MAU that's ₹1.05 crore/month extra.

The DPDP Problem

The fundamental problem with foreign-hosted SaaS IdPs for Indian startups: consent state lives in their infrastructure.

When a user registers on your platform, their consent to data processing is managed by Auth0, Firebase, or Cognito's servers — in the US or EU. DPDP Act Section 6 requires purpose-specific consent, consent versioning, and withdrawal mechanisms that block further processing. None of the major SaaS IdPs implement DPDP-compliant consent flows.

What this means in practice: you can add a consent checkbox to your frontend. You can store consent records in your own database. But the IdP will issue a valid token regardless of consent state — it doesn't know about DPDP. Enforcing consent withdrawal requires your application to intercept every token issuance and check consent state. This is a distributed compliance problem that application-layer code cannot cleanly solve.

As your first enterprise customers arrive — banks, insurers, large enterprises — they will send vendor security questionnaires. When the questionnaire asks "Where is user authentication data stored?", an answer of "US East (Auth0)" or "EU West (Firebase)" is an increasing problem for enterprise contracts that include DPDP compliance clauses.

The Lock-In Problem

SaaS IdPs don't expose password hashes. Users can't be migrated without forcing a password reset. At 10,000 users, a forced reset is a support burden. At 500,000 users, it's a customer satisfaction crisis.

Okta and Auth0 have a history of aggressive price increases. The Auth0 acquisition by Okta in 2021 was followed by significant pricing changes. Enterprise contracts from 2022 were repriced at renewal in 2024–2025. Indian companies that built their authentication around these platforms found themselves negotiating from a position of architectural dependence.


Option 3: Managed Keycloak

What Managed Keycloak Is

Keycloak is open-source identity software — Apache 2.0 license, no per-user fees, full feature parity with enterprise IdPs, backed by Red Hat (now IBM). A managed Keycloak deployment means running Keycloak on your cloud infrastructure (AWS Mumbai, Azure India) with a managed service provider handling operations.

The cost structure is fundamentally different from SaaS IdPs: you pay for infrastructure (fixed) and operations (fixed monthly fee), not per user.

The Cost Comparison at Scale

For a startup growing from 50,000 to 500,000 MAU:

Stage          | Auth0 (estimated)  | Firebase + SMS              | Managed Keycloak (KeycloakPro)
10,000 MAU     | ₹15,500/month      | ₹5,000–8,000/month          | ₹67,200/month
50,000 MAU     | ₹52,000/month      | ₹25,000–40,000/month        | ₹67,200/month
1,00,000 MAU   | ₹1,05,000/month    | ₹55,000–80,000/month        | ₹84,000/month
5,00,000 MAU   | ₹4,20,000/month    | ₹2,75,000–3,50,000/month    | ₹1,26,000/month
10,00,000 MAU  | ₹7,00,000+/month   | ₹5,00,000+/month            | ₹1,47,000/month

The crossover point varies by SaaS provider and specific configuration, but for most Indian startups with significant user growth, managed Keycloak becomes cost-competitive between 50,000 and 100,000 MAU.

Note: These figures exclude Auth0's enterprise features (MFA at enterprise tier, Identity Governance) and Firebase's actual SMS costs, which can make SaaS costs significantly higher at scale.

DPDP Compliance Out of the Box

Keycloak's consent management is built into the authentication layer. KeycloakPro configures this for DPDP:

  • Purpose-specific consent scopes: Each OAuth scope maps to a documented processing purpose, labeled in plain language
  • Consent versioning: When your privacy policy changes, users are prompted to re-consent at next login
  • Consent audit log: Every grant, update, and withdrawal is recorded with timestamp, IP address
  • Consent withdrawal that blocks tokens: Consent revocation prevents new token issuance immediately — no application-layer interception needed
  • Right-to-erasure workflow: User record anonymization with audit trail for DPDP §8(7) and §12(4) compliance
  • India data residency: Everything in ap-south-1 (Mumbai) — no cross-border transfer to document
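To make the consent properties in the list above concrete, and to show what the "intercept every token issuance" gate from the SaaS IdP section actually has to decide, here is an added Python model (not code from the original article, from Keycloak, or from KeycloakPro). Each OAuth scope maps to a plain-language purpose, every grant, update and withdrawal is written to an audit list with timestamp and IP, a policy-version bump forces re-consent before the affected scopes are issued again, and a withdrawn purpose refuses its scope outright. The scope-to-purpose mapping, policy versions and IP addresses are constructed for the example.

```python
"""Purpose-scoped, versioned, withdrawable consent with an issuance gate.

Added example, not code from the original article or from Keycloak/KeycloakPro.
"""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed mapping: OAuth scope -> documented processing purpose.
SCOPE_PURPOSE = {
    "profile": "Display your name and avatar in the app",
    "email": "Send transactional email (receipts, password reset)",
    "marketing": "Send promotional offers by email and SMS",
    "analytics": "Analyse usage to improve the product",
}


@dataclass
class Consent:
    purpose: str
    policy_version: int          # version of the privacy policy the user agreed to
    granted_at: float
    withdrawn_at: Optional[float] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self, current_policy_version: int) -> None:
        self.policy_version = current_policy_version
        self._consents: Dict[str, Dict[str, Consent]] = {}  # user -> purpose -> Consent
        self.audit: List[dict] = []

    def _log(self, event: str, user: str, purpose: str, ip: str) -> None:
        # Every grant, update and withdrawal is recorded with time, IP and policy version.
        self.audit.append({"ts": time.time(), "event": event, "user": user,
                           "purpose": purpose, "ip": ip, "policy_version": self.policy_version})

    def grant(self, user: str, scopes: List[str], ip: str) -> None:
        for scope in scopes:
            purpose = SCOPE_PURPOSE.get(scope)
            if purpose is None:
                raise ValueError(f"scope {scope!r} has no documented purpose; cannot collect consent")
            existed = purpose in self._consents.setdefault(user, {})
            self._consents[user][purpose] = Consent(purpose, self.policy_version, time.time())
            self._log("update" if existed else "grant", user, purpose, ip)

    def withdraw(self, user: str, scope: str, ip: str) -> None:
        purpose = SCOPE_PURPOSE[scope]
        consent = self._consents.get(user, {}).get(purpose)
        if consent is not None and consent.active:
            consent.withdrawn_at = time.time()
            self._log("withdraw", user, purpose, ip)

    def bump_policy(self, new_version: int) -> None:
        """Privacy policy changed: earlier consents stay on record but are stale."""
        self.policy_version = new_version

    def evaluate(self, user: str, requested_scopes: List[str]) -> dict:
        """The issuance gate: which requested scopes may go into a token right now.

        Withdrawn or never-granted purposes are refused; consents given under an
        older policy version need re-consent first; undocumented scopes are refused.
        """
        granted, reconsent, refused = [], [], []
        user_consents = self._consents.get(user, {})
        for scope in requested_scopes:
            purpose = SCOPE_PURPOSE.get(scope)
            consent = user_consents.get(purpose) if purpose else None
            if consent is None or not consent.active:
                refused.append(scope)
            elif consent.policy_version < self.policy_version:
                reconsent.append(scope)
            else:
                granted.append(scope)
        return {"granted": granted, "reconsent_required": reconsent, "refused": refused}


if __name__ == "__main__":
    ledger = ConsentLedger(current_policy_version=1)
    ledger.grant("u1", ["profile", "marketing"], ip="203.0.113.5")   # constructed IP
    ledger.withdraw("u1", "marketing", ip="203.0.113.5")
    print(ledger.evaluate("u1", ["profile", "marketing", "analytics"]))
```

When the IdP is the one running this check, withdrawal takes effect at the next token request with no application code involved; when the IdP is a foreign SaaS that knows nothing about consent, every service that accepts its tokens has to run an equivalent gate, which is the distributed problem described earlier.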

What You're Not Managing

With a managed Keycloak service, you're not managing:

  • Keycloak version upgrades (Keycloak releases major versions every 6 months — each requires a migration)
  • High availability configuration (multi-node cluster, session replication)
  • Database backups and recovery
  • Certificate rotation
  • Security patch application
  • 24/7 monitoring and incident response
  • Infrastructure scaling during peak loads

The Decision Framework

Use SaaS (Auth0/Firebase/Cognito) When:

You're pre-product/market fit — Under 10,000 MAU with standard authentication requirements, the SaaS free tier is genuinely free. Use it to validate your product. Don't build infrastructure for a product that may pivot.

Your requirements are genuinely standard — Social login, email/password, basic MFA. No enterprise SAML requirements, no LDAP federation, no custom authentication logic, no DPDP consent management.

Your team has no operations capacity — A 5-person team building product cannot also manage Keycloak infrastructure. If you don't have at least one engineer who can own infrastructure operations, SaaS makes sense until you do.

Switch to Managed Keycloak When:

You hit the DPDP compliance trigger — Your first enterprise customer asks for data residency documentation or DPDP compliance evidence. This typically happens at Series A or when you start selling to banks, insurance companies, or large Indian enterprises.

MAU-based pricing becomes material — When your Auth0 or Firebase bill exceeds ₹1L/month, the economics of Keycloak start working. Run the numbers for your next 12 months of projected MAU growth.

You need enterprise SAML — Enterprise B2B customers want to use their corporate IdP (ADFS, Okta, Azure AD) to log into your product via SAML. Auth0 handles this, but under the Okta pricing model the enterprise features that enable it sit in higher tiers. Keycloak handles SAML natively.

You need LDAP/Active Directory federation — Workforce IAM that federates to an existing AD domain. AWS Cognito has no native LDAP support. Firebase has no LDAP support. Keycloak does.

Custom authentication flows — KYC checks in the auth flow, transaction-specific step-up authentication, risk-based MFA decisions that require sub-millisecond evaluation. Cognito's Lambda trigger architecture introduces cold start latency. Keycloak's SPI model runs in the same JVM.

Keep Building In-House When:

Almost never. See the "Build" section above.


Common Questions from Indian Startup CTOs

"We're a 15-person startup. Isn't Keycloak overkill?"

Managed Keycloak at the early tier (under 100K MAU) is the same monthly cost as Auth0 at 10,000 MAU — roughly ₹67,000–84,000/month. If you're going to spend that anyway, spending it on infrastructure you own — with no per-user price escalation and India data residency — is worth evaluating seriously. That said, if your team needs to move fast and Auth0's free tier covers you, use it now and plan the migration when you approach the pricing cliff.

"How do we handle the migration when we do switch?"

The migration complexity depends on your existing IdP. Auth0 migrations typically take 4–6 weeks. Firebase migrations take 6–10 weeks (Firebase doesn't expose password hashes; just-in-time (JIT) migration is required, where each user is verified against Firebase on their first login to the new system and only then stored locally). The migration cost is a one-time expense; the ongoing savings compound every month.
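The JIT pattern mentioned in the answer above, as an added Python model that is not code from the original article, from KeycloakPro or from any IdP: the new system first checks its own store; a user it has never seen is verified against the legacy provider exactly once, and on success the password is re-hashed under the new system's own parameters so the legacy provider is never consulted for that user again. The legacy provider is simulated in-process with a weaker PBKDF2 work factor (an assumption) so the example runs offline; in a real migration it would be an authentication call to the old IdP's API.

```python
"""Just-in-time (JIT) password migration from a legacy IdP to a new store.

Added example, not code from the original article or from KeycloakPro.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


def _pbkdf2(password: str, salt: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


class LegacyIdP:
    """Stand-in for the old provider: it answers 'is this password right?'
    but never hands over its hashes. Constructed for the example."""
    ROUNDS = 10_000  # assumed legacy work factor

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _pbkdf2(password, salt, self.ROUNDS))

    def verify(self, user: str, password: str) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, _pbkdf2(password, salt, self.ROUNDS))


class NewIdP:
    ROUNDS = 100_000  # stronger work factor in the new store (assumption)

    def __init__(self, legacy: LegacyIdP) -> None:
        self.legacy = legacy
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        self.migrated: List[str] = []  # users converted so far, for cut-over progress reporting

    def _store(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _pbkdf2(password, salt, self.ROUNDS))

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'migrated' (first successful login, hash now local) or 'denied'."""
        record = self._users.get(user)
        if record is not None:
            salt, digest = record
            valid = hmac.compare_digest(digest, _pbkdf2(password, salt, self.ROUNDS))
            return "ok" if valid else "denied"
        # Unknown locally: ask the legacy provider, and keep the result only on success.
        if self.legacy.verify(user, password):
            self._store(user, password)
            self.migrated.append(user)
            return "migrated"
        return "denied"

    def has_local_hash(self, user: str) -> bool:
        return user in self._users


if __name__ == "__main__":
    legacy = LegacyIdP()
    legacy.register("priya", "correct horse")   # constructed test user
    new = NewIdP(legacy)
    print(new.login("priya", "correct horse"))  # first login goes through the legacy check
    print(new.login("priya", "correct horse"))  # second login is served locally
```

The caveat a migration plan has to budget for is visible in the model: only users who actually log in during the overlap window get migrated, so the legacy provider has to stay reachable until the cut-over date, and anyone still unmigrated at that point needs a password reset.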

"What if Keycloak is acquired or the community dies?"

Keycloak is backed by Red Hat (IBM) and has an active community. The codebase is Apache 2.0 licensed — if Red Hat abandoned it, the community would fork it. More practically: your Keycloak data is in a PostgreSQL database you own, on your cloud account. You're not locked in to any vendor's data format.

"Our CTO says we should just use Firebase and migrate later."

This is a reasonable position before product/market fit. The migration later is real work — plan for 6–10 engineering weeks. Build the migration plan now so when you pull the trigger, you're executing a plan, not discovering the scope.


The Migration Trigger Checklist

You should start evaluating managed Keycloak when any of these conditions are met:

  • First enterprise customer asks about data residency or DPDP compliance
  • Monthly SaaS IdP bill exceeds ₹1 lakh
  • Projected MAU will double in the next 12 months
  • Enterprise customer requires SAML SSO
  • Engineering team is spending more than 2 days/month on authentication-related issues
  • You need custom authentication logic (KYC step, step-up auth, risk scoring)
  • Board/investors are asking about data sovereignty or compliance posture

If any three of these are checked, the migration ROI analysis is worth doing now.


Getting the Numbers for Your Specific Situation

The decision hinges on your specific growth curve, current IdP costs, and compliance requirements. A migration assessment covers:

  • Your current authentication stack and monthly cost
  • Projected cost at your target MAU over 24 months (SaaS vs managed Keycloak)
  • DPDP compliance gap analysis for your current configuration
  • Migration complexity estimate for your specific tech stack
  • A timeline and phased migration plan
