Pricing
Straightforward pricing for platform teams
Priced by workloads under management, not seats. A team with 5 engineers might have 200 workloads — per-seat pricing is the wrong unit. Security tools shouldn't require a vendor negotiation to get started.
Starter
Up to 10 workload identities. Full feature set, single workspace, forever free.
- Up to 10 workload identities
- SPIFFE/SPIRE attestation
- Kubernetes service account integration
- GitHub Actions OIDC
- mTLS + OIDC token issuance
- 30-day audit log retention
- Community support
Growth
For growing platform teams. Up to 100 workload identities, 14-day free trial, no credit card required.
- Up to 100 workload identities
- All Starter features
- Audit log export
- Multi-cloud identity federation
- SSO
- 90-day audit log retention
- Email support
Scale
Unlimited workloads, SLA 99.9%, dedicated onboarding, and SIEM integration.
- Unlimited workload identities
- All Growth features
- SOC 2 controls documentation
- SIEM integration
- 1-year audit log retention
- SLA 99.9%
- Dedicated onboarding engineer
Pricing questions
A workload identity is a unique runtime service — a Kubernetes pod, a Lambda function, a CI/CD job, or a long-running process that needs to authenticate to other services. Replicas of the same service share one identity. We count distinct workload registrations, not replicas.
No. Aembit is a secretless platform. We issue short-lived OIDC tokens at runtime based on workload attestation. Your API keys, database passwords, and service credentials never enter our system. We don't need them to.
Aembit is not a replacement for Vault's dynamic secrets engine — it's complementary. Vault can serve as an attestation source while Aembit handles workload-to-workload token exchange at the proxy layer. If you're moving away from static secrets entirely, our migration guide walks through the transition over 2–3 sprints.
On Starter, new workload registrations are blocked (existing ones continue working). On Growth, you get a 14-day grace period with email notification before your plan auto-upgrades. We never silently drop authentication for running workloads.
Yes. Annual billing on Growth is $2,990/year — equivalent to two months free. Scale tier is $8,990/year on annual terms. Contact us for details.
Yes. Scale tier prospects can run a 30-day POC with dedicated engineering support. We'll help you instrument 2–3 services, wire up attestation, and demonstrate zero-secret auth from workload attestation through token issuance. Contact us to schedule.