Pure SaaS or Hybrid SaaS:
Choose the Deployment That Works for You
Pure SaaS delivers the simplicity and scalability of a fully cloud-managed solution for rapid deployment and minimal operational overhead.
Hybrid SaaS combines all the benefits of SaaS with the added control of on-premise gateways and Zero-Knowledge encryption, enabling you to control your secrets and identity data within your private infrastructure while meeting compliance and regulatory requirements.
| Feature | Pure SaaS | Hybrid SaaS |
|---|---|---|
| Deployment & Management | Fully cloud-managed | On-premise gateways included |
| Infrastructure | No infrastructure maintenance | Low maintenance, advanced control |
| Scalability | Cloud-native scalability | Scalable, with customer- controlled environments |
| Control | Cloud-managed | Zero-Knowledge, full organizational control |
| Starter Tier Inclusion | Included | 1 gateway included for exploration |
| Ideal For | Fast, maintenance-free, cloud-native use cases | Compliance-heavy, highly controlled environments |
Need more information? Learn more about how we price our products.
Pricing Units and Plans
Pricing Units
Clients
Definition
Clients are human users, applications, or servers that initiate a remote session with Akeyless services. Multiple instances of the same application count as a single client. A single user with multiple authentication methods is also counted once. For more details on client counting, refer to Akeyless Clients.
How We Count
- Monthly Tracking: The total number of distinct clients is counted at the end of each month.
- Annual Quota: Unused monthly client capacity can be carried over and applied toward the annual quota (monthly quota × 12).
- Overage & True-Ups: If usage is projected to exceed or has reached the annual client quota, Akeyless will notify the Customer in writing. Any overage is invoiced at the end of the 12-month contract period based on actual usage.
HSM Integration
Definition
HSM Integration refers to connecting the Akeyless Gateway with an external Hardware Security Module (HSM) for storing or protecting the Customer Fragment and obtaining entropy for encryption/decryption operations.
How We Count
- Annual Tracking: Each distinct integration between the Akeyless Gateway and an external HSM is counted on an annual basis.
- Overage & Invoicing: If the total number of HSM integrations exceeds the purchased quota, a written notification is sent. Overage fees are invoiced at the end of the contract year.
Connectors
Definition
A Connector is an object in the Akeyless Platform used to synchronize and manage secrets stored in external vaults (e.g., AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Kubernetes Secrets, HashiCorp Vault).
How We Count
- Monthly Tracking: Each distinct Connector object in the Akeyless Platform is counted monthly.
- Notifications & Reconciliation: Customers approaching or exceeding the purchased quota may receive a notification. Final usage is reconciled at the end of the contract year.
Certificates
Definition
A Certificate refers to any digital certificate (e.g., SSL/TLS, code-signing, client authentication) that is managed through the Akeyless Certificate Lifecycle Management (CLM) service.
How We Count
- Annual Tracking: The count is based on valid (non-expired) certificates in the platform over the contract year.
- Quota Utilization: Customers purchase an annual package of X certificates. The maximum number of active certificates at any point during the year must not exceed this quota.
- Overage & Notification: If usage surpasses the purchased quota, Akeyless issues a written notification. Overage fees are calculated and invoiced at the end of the contract year, based on the highest peak usage of valid certificates.
1. Transactions
Definition
A Transaction is a discrete interaction involving the creation, retrieval, management, or usage of cryptographic keys and associated encryption/decryption operations. Examples include key generation, key retrieval, key rotation, key deletion, encryption operations, decryption operations, and access control modifications.
How We Count
- Monthly Tracking: The total number of transactions is counted at the end of each month.
- Annual Quota: Unused monthly transactions carry over toward the annual quota (monthly quota × 12).
- Overage & True-Ups: Akeyless notifies the Customer upon reaching the annual transaction quota. Any overage is invoiced at the end of each 12-month contract period based on actual consumption.
2. KMIP/TDE Applications
Definition
KMIP/TDE Applications are software applications, databases, or services that integrate with Akeyless via the Key Management Interoperability Protocol (KMIP) or by leveraging Transparent Data Encryption (TDE) features. Each unique integration or deployment—such as a separate database server configured to use Akeyless TDE—counts as one application.
How We Count
- Monthly Tracking: Each distinct KMIP client connected to the Akeyless KMIP server, as well as each database instance using Akeyless TDE, is counted.
- Notifications & Reconciliation: If monthly usage nears or exceeds the purchased quota, Akeyless may issue a notification. At the end of the annual billing cycle, total usage is reconciled against the annual quota.
3. Tokenizers
Definition
A Tokenizer is an instance of Akeyless’s data tokenization engine, dedicated to protecting sensitive data by replacing it with format-preserving tokens.
How We Count
- Monthly Tracking: The platform counts each Tokenizer object at the end of each month.
- Notifications & Reconciliation: If monthly usage nears or exceeds the purchased quota, a notification may be sent. Final usage is reconciled against the annual purchase at the end of the billing cycle.
4. Cloud Accounts (Cloud KMS Orchestrator)
Definition
A Cloud Account is any individual public cloud account, such as an AWS account, an Azure subscription, or a Google Cloud project, that is connected to and orchestrated by the Akeyless Cloud KMS Orchestrator. Each unique cloud account identifier counts as one Cloud Account.
How We Count
- Monthly Tracking: The platform counts the total number of cloud accounts that have keys synced to them each month.
- Notifications & Reconciliation: Any usage nearing or exceeding the quota may prompt a notification. Annual reconciliation is conducted at the end of the billing cycle.
Clients
Definition
Clients are human users, applications, or servers that initiate a remote session with Akeyless services. Multiple instances of the same application count as a single client. A single user with multiple authentication methods is also counted once. For more details on client counting, refer to Akeyless Clients.
How We Count
- Monthly Tracking: The total number of distinct clients is counted at the end of each month.
- Annual Quota: Unused monthly client capacity can be carried over and applied toward the annual quota (monthly quota × 12).
- Overage & True-Ups: If usage is projected to exceed or has reached the annual client quota, Akeyless will notify the Customer in writing. Any overage is invoiced at the end of the 12-month contract period based on actual usage.
Plan Limits
| Plan Limits | FREE | ENTERPRISE |
|---|---|---|
| Clients |
5
|
 |
| MAIN FEATURES | ||
| Static Secret |
500
|
|
| Dynamic Secret |
5
|
|
| Rotated Secret |
5
|
|
| Universal Secret Connector |
1
|
|
| Plugins for SM (K8S, etc) |
|
|
| Secret Sharing |
|
|
| Personal Folder |
|
|
| Browser Extensions |
|
|
| Mobile App |
|
|
| Target |
3
|
|
| OIDC App |
1
|
|
| SSH Cert Issuer |
1
|
|
| PKI Cert Issuer |
1
|
|
| Encryption Key (DFC/Classic) |
1
|
|
| AUTHENTICATION METHODS (Identities) | ||
| Email Access |
|
|
| Cloud workload authentication (AWS IAM, Azure AD, GCP IAM) |
|
|
| API-Key-based authentication |
|
|
| Kubernetes authentication |
|
|
| Authentication via SAML/OIDC/LDAP |
 |
|
| Advanced Secure Authentication (Universal Identity) |
|
|
| Certificate-based authentication |
|
|
| AUTHORIZATIONS | ||
| Roles |
|
|
| Groups |
|
|
| AKEYLESS GATEWAY | ||
| Gateway Clusters |
1 Cluster
|
|
| AUDIT LOGGING & ANALYTICS | ||
| Audit Logs Retention |
3 days
|
|
| Audit Logs Retention |
3 days
|
|
| Event Center |
|
|
| Log/Event Forwarding |
|
|
| SECURITY & PERFORMANCE | ||
| Zero Knowledge Mode |
|
|
| Internal Caching |
|
|
| HSM Integration |
|
|
| Plan Limits | FREE | ENTERPRISE |
|---|---|---|
| Clients |
5
|
|
| MAIN FEATURES | ||
| Universal Secret Connector |
1
|
|
| Encryption Key (DFC/Classic) |
1
|
|
| AUTHENTICATION METHODS (Identities) | ||
| Email Access |
|
|
| Cloud workload authentication (AWS IAM, Azure AD, GCP IAM) |
|
|
| API-Key-based authentication |
|
|
| Kubernetes authentication |
|
|
| Authentication via SAML/OIDC/LDAP |
|
|
| Advanced Secure Authentication (Universal Identity) |
|
|
| Certificate-based authentication |
|
|
| AUTHORIZATIONS | ||
| Roles |
|
|
| Groups |
|
|
| AKEYLESS GATEWAY | ||
| Gateway Clusters |
1 Cluster
|
|
| AUDIT LOGGING & ANALYTICS | ||
| Audit Logs Retention |
3 days
|
|
| Event Center |
|
|
| Log/Event Forwarding |
|
|
| SECURITY & PERFORMANCE | ||
| Zero Knowledge Mode |
|
|
| Internal Caching |
|
|
| Plan Limits | FREE | ENTERPRISE |
|---|---|---|
| Managed Certificates |
5
|
|
| MAIN FEATURES | ||
| Cert Issuer (SSH/PKI) |
1
|
|
| CAs integrations |
1
|
|
| Certificate |
5
|
|
| Certificate Auto Renewal |
|
|
| Certificate Provisioning |
|
|
| Certificate Discovery |
|
|
| ACME Protocol |
|
|
| Encryption Key (DFC/Classic) |
|
|
| AUTHENTICATION METHODS (Identities) | ||
| Email Access |
|
|
| Cloud workload authentication (AWS IAM, Azure AD, GCP IAM) |
|
|
| API-Key-based authentication |
|
|
| Kubernetes authentication |
|
|
| Authentication via SAML/OIDC/LDAP |
|
|
| Advanced Secure Authentication (Universal Identity) |
|
|
| Certificate-based authentication |
|
|
| AUTHORIZATIONS | ||
| Roles |
|
|
| Groups |
|
|
| AKEYLESS GATEWAY | ||
| Gateway Clusters |
1 Cluster
|
|
| AUDIT LOGGING & ANALYTICS | ||
| Audit Logs Retention |
3 days
|
|
| Event Center |
|
|
| Log/Event Forwarding |
|
|
| SECURITY & PERFORMANCE | ||
| Zero Knowledge Mode |
|
|
| Internal Caching |
|
|
| HSM Integration |
|
|
| Plan Limits | FREE | ENTERPRISE |
|---|---|---|
| Transaction |
1K per day
|
|
| MAIN FEATURES | ||
| Encryption Key (DFC/Classic) |
5
|
|
| Encryption Operation |
Limited
|
|
| Multi-Cloud KMS |
5
|
|
| Tokenization |
1
|
|
| Code Signing |
1
|
|
| KMIP/TDE |
1
|
|
| AUTHENTICATION METHODS (Identities) | ||
| Email Access |
|
|
| Cloud workload authentication (AWS IAM, Azure AD, GCP IAM) |
|
|
| API-Key-based authentication |
|
|
| Kubernetes authentication |
|
|
| Authentication via SAML/OIDC/LDAP |
|
|
| Advanced Secure Authentication (Universal Identity) |
|
|
| Certificate-based authentication |
|
|
| AUTHORIZATIONS | ||
| Roles |
|
|
| Groups |
|
|
| AKEYLESS GATEWAY | ||
| Gateway Clusters |
1 Cluster
|
|
| AUDIT LOGGING & ANALYTICS | ||
| Audit Logs Retention |
3 days
|
|
| Event Center |
|
|
| Log/Event Forwarding |
|
|
| SECURITY & PERFORMANCE | ||
| Zero Knowledge Mode |
|
|
| Internal Caching |
|
|
| HSM Integration |
|
|
| Plan Limits | FREE | ENTERPRISE |
|---|---|---|
| Users |
5
|
|
| MAIN FEATURES | ||
| Static Secret |
5
|
|
| Dynamic Secret |
5
|
|
| Rotated Secret |
5
|
|
| Password Sharing |
|
|
| Personal Folder |
|
|
| Browser Extensions |
|
|
| Mobile App |
|
|
| Target |
3
|
|
| Session Management |
|
|
| Session Recordings |
|
|
| Desktop application |
|
|
| SSH Cert Issuer |
1
|
|
| PKI Cert Issuer |
1
|
|
| Encryption Key (DFC/Classic) |
|
|
| AUTHENTICATION METHODS (Identities) | ||
| Email Access |
|
|
| API-Key-based authentication |
|
|
| Authentication via SAML/OIDC/LDAP |
|
|
| Advanced Secure Authentication (Universal Identity) |
|
|
| Cloud workload authentication (AWS IAM, Azure AD, GCP IAM) |
|
|
| Kubernetes authentication |
|
|
| Certificate-based authentication |
|
|
| AUTHORIZATIONS | ||
| Roles |
|
|
| Groups |
|
|
| AKEYLESS GATEWAY | ||
| Gateway Clusters |
1 Cluster
|
|
| AUDIT LOGGING & ANALYTICS | ||
| Audit Logs Retention |
3 days
|
|
| Event Center |
|
|
| Log/Event Forwarding |
|
|
| SECURITY & PERFORMANCE | ||
| Zero Knowledge Mode |
|
|
