Skip to content

Join our Episode Series: Identity Security – Unleashed for the AI Era →

Akeyless Unit Economics: Pricing & Counting

Introduction

This document outlines the core usage metrics, definitions, and counting methods for Akeyless services. It serves as a reference for understanding how usage is measured and billed across various Akeyless product offerings. Each section includes a clear definition of the resource being measured (e.g., Clients, Certificates, Transactions) as well as details on how usage is counted and reconciled over monthly and annual billing cycles.


1. Clients (SM, SRA & PWM)

Definition

Clients are human users, applications, or servers that initiate a remote session with Akeyless services. Multiple instances of the same application count as a single client. A single user with multiple authentication methods is also counted once. For more details on client counting, refer to Akeyless Clients.

How We Count

  • Monthly Tracking: The total number of distinct clients is counted at the end of each month.
  • Annual Quota: Unused monthly client capacity can be carried over and applied toward the annual quota (monthly quota × 12).
  • Overage & True-Ups: If usage is projected to exceed or has reached the annual client quota, Akeyless will notify the Customer in writing. Any overage is invoiced at the end of the 12-month contract period based on actual usage.


2. Certificates (CLM)

Definition

A Certificate refers to any digital certificate (e.g., SSL/TLS, code-signing, client authentication) that is managed through the Akeyless Certificate Lifecycle Management (CLM) service.

How We Count

  • Annual Tracking: The count is based on valid (non-expired) certificates in the platform over the contract year.
  • Quota Utilization: Customers purchase an annual package of X certificates. The maximum number of active certificates at any point during the year must not exceed this quota.
  • Overage & Notification: If usage surpasses the purchased quota, Akeyless issues a written notification. Overage fees are calculated and invoiced at the end of the contract year, based on the highest peak usage of valid certificates.


3. Transactions (KMS)

Definition

A Transaction is a discrete interaction involving the creation, retrieval, management, or usage of cryptographic keys and associated encryption/decryption operations. Examples include key generation, key retrieval, key rotation, key deletion, encryption operations, decryption operations, and access control modifications.

How We Count

  • Monthly Tracking: The total number of transactions is counted at the end of each month.
  • Annual Quota: Unused monthly transactions carry over toward the annual quota (monthly quota × 12).
  • Overage & True-Ups: Akeyless notifies the Customer upon reaching the annual transaction quota. Any overage is invoiced at the end of each 12-month contract period based on actual consumption.


4. KMIP/TDE Applications (KMS)

Definition

KMIP/TDE Applications are software applications, databases, or services that integrate with Akeyless via the Key Management Interoperability Protocol (KMIP) or by leveraging Transparent Data Encryption (TDE) features. Each unique integration or deployment—such as a separate database server configured to use Akeyless TDE—counts as one application.

How We Count

  • Monthly Tracking: Each distinct KMIP client connected to the Akeyless KMIP server is counted. For TDE, a TDE license is counted as up to 5 databases or 1 database server (whichever is higher). Includes 10M monthly transactions; additional transactions are available at extra cost.
  • Notifications & Reconciliation: If monthly usage nears or exceeds the purchased quota, Akeyless may issue a notification. At the end of the annual billing cycle, total usage is reconciled against the annual quota.


5. Tokenizers (KMS)

Definition

A Tokenizer is an instance of Akeyless’s data tokenization engine, dedicated to protecting sensitive data by replacing it with format-preserving tokens.

How We Count

  • Monthly Tracking: The platform counts each Tokenizer object at the end of each month. Includes 10M monthly transactions; additional transactions are available at extra cost.
  • Notifications & Reconciliation: If monthly usage nears or exceeds the purchased quota, a notification may be sent. Final usage is reconciled against the annual purchase at the end of the billing cycle.


6. Cloud Account (Cloud KMS Orchestrator) (KMS)

Definition

A Cloud Account is any individual public cloud account,  such as an AWS account, an Azure subscription, or a Google Cloud project,  that is connected to and orchestrated by the Akeyless Cloud KMS Orchestrator. Each unique cloud account identifier counts as one Cloud Account.

How We Count

  • Monthly Tracking: The platform counts the total number of cloud accounts that have keys synced to them each month. Includes 10M monthly transactions; additional transactions are available at extra cost.
  • Notifications & Reconciliation: Any usage nearing or exceeding the quota may prompt a notification. Annual reconciliation is conducted at the end of the billing cycle.


7. Connectors (USC)

Definition

Connector is an object in the Akeyless Platform used to synchronize and manage secrets stored in external vaults defined as:

  • AWS Secret Manager – Per unique target defined in Akeyless, where each target points to a specific AWS Secrets Manager Service by Account & Region. Note: Multiple USCs associated with the same target count as one license. However, distinct targets (even if linking to the same AWS Account & Region) count separately.
  • Azure Key Vault –  Per Azure Key Vault.
  • GCP Secret Manager – Per unique target defined in Akeyless, where each target points to a specific GCP Project. Note: Multiple USCs associated with the same target count as one license. However, distinct targets (even if linking to the same GCP Project) count separately.
  • Kubernetes Secrets – Per Kubernetes cluster, up to 10 namespaces. For every additional block of up to 10 namespaces beyond the initial 10, an additional connector license is required.
  • HashiCorp Vault – Per Vault.

How We Count

  • Monthly Tracking: Each distinct Connector object in the Akeyless Platform is counted monthly.
  • Notifications & Reconciliation: Customers approaching or exceeding the purchased quota may receive a notification. Final usage is reconciled at the end of the contract year.


8. HSM Integration (Add-On)

Definition

HSM Integration refers to connecting the Akeyless Gateway with an external Hardware Security Module (HSM) for storing or protecting the Customer Fragment and obtaining entropy for encryption/decryption operations.

How We Count

  • Annual Tracking: Each distinct integration between the Akeyless Gateway and an external HSM is counted on an annual basis.
  • Overage & Invoicing: If the total number of HSM integrations exceeds the purchased quota, a written notification is sent. Overage fees are invoiced at the end of the contract year.
Subscribe to Newsletter
  • PrivilegedAccessManagement(PAM)_BestSupport_Enterprise_QualityOfSupport
  • PrivilegedAccessManagement(PAM)_HighPerformer_Enterprise_HighPerformer
  • PrivilegedAccessManagement(PAM)_EasiestToUse_Enterprise_EaseOfUse
  • PrivilegedAccessManagement(PAM)_UsersMostLikelyToRecommend_Nps

© 2026 AKEYLESS. All rights reserved