Straightforward pricing for platform teams

Priced by workloads under management, not seats. A team with 5 engineers might have 200 workloads — per-seat pricing is the wrong unit. Security tools shouldn't require a vendor negotiation to get started.

Starter
Free

Up to 10 workload identities. Full feature set, single workspace, forever free.

  • Up to 10 workload identities
  • SPIFFE/SPIRE attestation
  • Kubernetes service account integration
  • GitHub Actions OIDC
  • mTLS + OIDC token issuance
  • 30-day audit log retention
  • Community support
Start free
Scale
$899 /mo

Unlimited workloads, SLA 99.9%, dedicated onboarding, and SIEM integration.

  • Unlimited workload identities
  • All Growth features
  • SOC 2 controls documentation
  • SIEM integration
  • 1-year audit log retention
  • SLA 99.9%
  • Dedicated onboarding engineer
Contact us

Pricing questions

A workload identity is a unique runtime service — a Kubernetes pod, a Lambda function, a CI/CD job, or a long-running process that needs to authenticate to other services. Replicas of the same service share one identity. We count distinct workload registrations, not replicas.

No. Aembit is a secretless platform. We issue short-lived OIDC tokens at runtime based on workload attestation. Your API keys, database passwords, and service credentials never enter our system. We don't need them to.

Aembit is not a replacement for Vault's dynamic secrets engine — it's complementary. Vault can serve as an attestation source while Aembit handles workload-to-workload token exchange at the proxy layer. If you're moving away from static secrets entirely, our migration guide walks through the transition over 2–3 sprints.

On Starter, new workload registrations are blocked (existing ones continue working). On Growth, you get a 14-day grace period with email notification before your plan auto-upgrades. We never silently drop authentication for running workloads.

Yes. Annual billing on Growth is $2,990/year — equivalent to two months free. Scale tier is $8,990/year on annual terms. Contact us for details.

Yes. Scale tier prospects can run a 30-day POC with dedicated engineering support. We'll help you instrument 2–3 services, wire up attestation, and demonstrate zero-secret auth from workload attestation through token issuance. Contact us to schedule.

Start auditing your non-human identity surface.

The Starter tier is free, no credit card required. Your first 10 workload identities authenticated without stored secrets.