One login across
every app you ship.

Add MFA, social logins, and role-based access without building any of it yourself.

Open standards (OIDC / OAuth2)
Self-host option
Cancel anytime
How it works

Up and running in three steps.

1 Pay & get your credentials
Stripe is the signup.

Pay through Stripe and you get credentials in your inbox.

2 Register your applications
Create your clients

Add the apps that need to share a login. Each one gets its own public and confidential client.

3 Connect via OIDC
Set up OIDC with us

Point your apps at our OIDC endpoint. That's it - they now share a single sign-on.

Features

What you get
on day one.

| Feature | What it does | Status |
| --- | --- | --- |
| Realm | A namespace that owns its users, clients, and sessions — isolate tenants or environments cleanly. | Live |
| Public client | For browser and mobile apps — no server-side secret, PKCE flow out of the box. | Live |
| Confidential client | Server-to-server clients that authenticate with a client secret — safe for backend and CLI flows. | Live |
| RBAC | Assign roles to users and gate access to resources — no more ad-hoc permission booleans. | Soon |
| Social logins | Google, GitHub, Discord, and more — one toggle per provider, zero OAuth boilerplate. | Soon |

Pricing

Simple pricing.
No MAU surprises.

Early access: join the waitlist to be first when checkout opens.

// managed
Single Tenant

Ship auth today. One project, fully managed.

$19.99 / month
  • 1 realm
  • 3 apps
  • MFA
No setup fee · cancel anytime
MOST POPULAR
// pro
Pro

Scale your identity layer across products.

$49.99 / month
  • Multiple realms
  • 20 apps
  • Priority support
  • Advanced setup
  • RBAC
Includes everything in Single Tenant
// self-host
Self-Hosted

For teams that need it on their own infrastructure. Starts with a discovery call.

$200 deposit · final price after the call
  • 1-hour scoping call to size the deployment
  • Custom quote for your infra, scale & compliance needs
  • $200 credited toward the final invoice if we move forward
  • If we don't, the call still pays for itself — keep the architecture notes
Initial phase only · final price set after the call
FAQ

Questions
and answers.

Do I have to use a special SDK?
No. thesso speaks OIDC and OAuth 2.1 — that's the whole point. Use openid-client, NextAuth, oauth2-proxy, Devise + omniauth, or whatever your framework already ships. There is no thesso-react package to lock you in.