The Auth Platform Is the Payoff for the Benchmark


A fast Rust and SQLite auth service is only interesting if it buys you a real product: multi-tenant SSO, OAuth, governance, analytics, and SDKs without renting an identity vendor.

Mike Chumba

Building a Production-Grade SSO Platform on a $10 Server

Benchmarks are useful only when they buy you a product.

In “Anatomy of a Bottleneck”, the Rust and SQLite auth service proved it could handle load equivalent to more than 500,000 monthly active users on a tiny $10 server.

The number matters because of what it makes possible: a complete, open-source, multi-tenant Single Sign-On platform that does not need a hosted identity vendor to become serious.

Performance was the floor. The product is the claim.

A Login Box Is Not Enough

The optimizations were not academic. They cleared enough room to build the actual platform without abandoning the simple architecture.

The result is an identity system for B2B2C products, not a dressed-up login form.

  • Bring Your Own OAuth (BYOO): Tenants can connect their own OAuth2 applications for providers like GitHub, Google, and Microsoft. Their secrets are encrypted at rest using AES-GCM.
  • Complete Platform Governance: A Platform Owner role gives the system a real control plane: organization approval, tier management, and a platform-wide audit log.
  • Comprehensive Analytics Suite: The platform tracks login, growth, and activity metrics at both organization and platform level.
  • Full Identity & End-User Management: Users can link and unlink multiple social accounts to a single profile. Organization admins can manage customers, view subscriptions, inspect linked identities, and revoke all active sessions.
  • Secure by Design: The system includes JWT-based sessions with server-side revocation, granular role-based access control (RBAC), and the Device Authorization Flow (RFC 8628) for CLIs and headless applications.
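Two of the items above, server-side revocation of JWT sessions (including "revoke all active sessions" for a user) and granular RBAC, come down to one check that runs after the token signature has verified. The following is an added example written for this article, not code from the project's repository; it uses only the Rust standard library, keeps the session table in memory instead of SQLite, leaves signing out of scope, and the role and permission names (PlatformOwner, OrgAdmin, ManageCustomers, and so on) are assumed for illustration.

```rust
// Added example, not the project's code: JWT-style sessions with server-side
// revocation plus a role-based permission check, Rust std library only.
// The lesson: a valid signature is necessary but not sufficient; the server
// must also consult its own session table before honouring a token.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role { PlatformOwner, OrgAdmin, EndUser } // assumed role names

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Permission {
    ApproveOrganization, // platform control plane
    ManageCustomers,     // organization admin
    ReadOwnProfile,      // any signed-in user
}

impl Role {
    /// Granular RBAC: each role allows a fixed set of permissions.
    fn allows(self, p: Permission) -> bool {
        match (self, p) {
            (Role::PlatformOwner, _) => true,
            (Role::OrgAdmin, Permission::ManageCustomers | Permission::ReadOwnProfile) => true,
            (Role::EndUser, Permission::ReadOwnProfile) => true,
            _ => false,
        }
    }
}

#[derive(Clone, Debug)]
pub struct Session {
    pub user_id: String,
    pub role: Role,
    pub expires_at: u64, // unix seconds, mirrors the JWT `exp` claim
    pub revoked: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthError { UnknownSession, Expired, Revoked, Forbidden }

/// Server-side record of every issued token, keyed by the JWT `jti` claim.
#[derive(Default)]
pub struct SessionStore {
    by_jti: HashMap<String, Session>,
}

impl SessionStore {
    pub fn issue(&mut self, jti: &str, user_id: &str, role: Role, expires_at: u64) {
        let s = Session { user_id: user_id.to_string(), role, expires_at, revoked: false };
        self.by_jti.insert(jti.to_string(), s);
    }

    /// Revoke one session (logout on a single device). Returns false if unknown.
    pub fn revoke(&mut self, jti: &str) -> bool {
        match self.by_jti.get_mut(jti) {
            Some(s) => { s.revoked = true; true }
            None => false,
        }
    }

    /// "Revoke all active sessions" for a user; returns how many were affected.
    pub fn revoke_all_for_user(&mut self, user_id: &str) -> usize {
        let mut n = 0;
        for s in self.by_jti.values_mut() {
            if s.user_id == user_id && !s.revoked { s.revoked = true; n += 1; }
        }
        n
    }

    /// The check a request handler runs once the JWT signature has verified:
    /// the session must exist, be unexpired, not be revoked, and carry a role
    /// that allows the requested permission. Order matters: an unknown or
    /// expired session is reported before the role is even considered.
    pub fn authorize(&self, jti: &str, now: u64, needed: Permission) -> Result<&Session, AuthError> {
        let s = self.by_jti.get(jti).ok_or(AuthError::UnknownSession)?;
        if now >= s.expires_at { return Err(AuthError::Expired); }
        if s.revoked { return Err(AuthError::Revoked); }
        if !s.role.allows(needed) { return Err(AuthError::Forbidden); }
        Ok(s)
    }

    /// Housekeeping: drop rows whose tokens have expired; the signature layer
    /// rejects those tokens anyway, so the revocation record is no longer needed.
    pub fn purge_expired(&mut self, now: u64) -> usize {
        let before = self.by_jti.len();
        self.by_jti.retain(|_, s| now < s.expires_at);
        before - self.by_jti.len()
    }
}

fn main() {
    let mut store = SessionStore::default();
    store.issue("jti-1", "alice", Role::OrgAdmin, 1_000); // constructed sample sessions
    store.issue("jti-2", "alice", Role::OrgAdmin, 1_000);
    store.issue("jti-3", "bob", Role::EndUser, 1_000);
    println!("{:?}", store.authorize("jti-1", 500, Permission::ManageCustomers).map(|s| s.role));
    println!("revoked {} sessions for alice", store.revoke_all_for_user("alice"));
    println!("{:?}", store.authorize("jti-1", 500, Permission::ManageCustomers).map(|_| ()));
}
```

The design point is that revocation is a lookup on every request, which is exactly why the benchmarked read path matters: a revocation table only works if checking it is cheap.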

Keep The Shape Small

The platform stays monolithic because that is still the right shape. Three packages. One repository. No distributed ceremony.

sso/
├── api/          # Rust (Axum) backend API
├── sso-sdk/      # TypeScript SDK for the API
└── web-client/   # Vue.js admin dashboard

The API is the Rust core. The SDK is a strongly typed, zero-dependency interface for JavaScript applications. The Web Client is the administrative UI and a real example of the SDK in use.

The Economics Are The Feature

A well-tuned monolith is leverage.

With the product built on top of the optimized engine, the cost comparison gets harder to ignore. This platform covers the core functionality many teams buy from commercial identity providers, but the operating cost is tiny.

For 500,000 Monthly Active Users (MAU):

Service                                   Estimated Monthly Cost at 500,000 MAU
Our Rust + SQLite Platform                ~$10
Supabase / Firebase Auth                  ~$1,350
Clerk.dev (Pro Plan)                      ~$10,000
Auth0 / Okta (Professional / Custom)      ~$15,000+

That is more than $100,000 per year that can stay inside the business.

The old argument was convenience. Pay the vendor, move fast, avoid the scary parts. Modern tooling and efficient stacks like Rust change that calculation. With AI-assisted development, the markup for a managed identity service deserves a harder look.

Run It If You Want To Judge It

The project is open-source. The repository includes runnable examples for the key SDK flows:

  • examples/sample-app: A Vue.js web app demonstrating the end-user redirect flow and the browser-based UI for activating a device.
  • examples/sample-byoo-cli: A Node.js CLI that uses the Device Authorization Flow, showing how a tenant’s own application would authenticate its users.
  • examples/sample-admin-cli: A CLI demonstrating the secure device flow for platform-level administrative tasks.
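Both CLI examples rely on the Device Authorization Flow: the CLI asks the server for a device_code and a short user_code, the user enters the user_code in a browser, and the CLI polls the token endpoint until it is approved, denied, or the codes expire. The following added example, written for this article and not taken from the project, shows the server-side state machine for that flow using only the Rust standard library. It keeps state in memory rather than SQLite, derives codes from a counter instead of a CSPRNG so it runs deterministically, and the verification URI, lifetimes and token format are assumed values.

```rust
// Added example, not the project's code: the server side of the OAuth 2.0 Device
// Authorization Grant (RFC 8628) as a state machine over the Rust std library.
// A CLI gets a device_code/user_code pair, the user approves the user_code in a
// browser, and the CLI polls the token endpoint until approval, denial or expiry.
use std::collections::HashMap;

const CODE_LIFETIME_SECS: u64 = 600; // reported to the client as `expires_in` (assumed value)
const POLL_INTERVAL_SECS: u64 = 5; // reported to the client as `interval` (assumed value)
// Unambiguous uppercase consonants so a user_code is easy to read aloud and type.
const USER_CODE_ALPHABET: &[u8] = b"BCDFGHJKLMNPQRSTVWXZ";

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct DeviceAuthResponse {
    pub device_code: String,
    pub user_code: String,
    pub verification_uri: String,
    pub expires_in: u64,
    pub interval: u64,
}

/// Token endpoint error codes, named as in RFC 8628 section 3.5.
#[derive(Debug, PartialEq, Eq)]
pub enum TokenError { AuthorizationPending, SlowDown, ExpiredToken, AccessDenied, InvalidGrant }

#[derive(Debug, Clone, PartialEq, Eq)]
enum Decision { Pending, Approved(String), Denied }

struct DeviceRequest { client_id: String, user_code: String, expires_at: u64, last_poll: Option<u64>, decision: Decision }

#[derive(Default)]
pub struct DeviceFlowServer {
    by_device_code: HashMap<String, DeviceRequest>,
    by_user_code: HashMap<String, String>, // user_code -> device_code
    counter: u64, // stands in for a CSPRNG, see next_codes
}

impl DeviceFlowServer {
    /// A real server draws both codes from a CSPRNG; deriving them from a counter
    /// keeps this example dependency-free and deterministic.
    fn next_codes(&mut self) -> (String, String) {
        self.counter += 1;
        let mut n = self.counter.wrapping_mul(0x9E37_79B9_7F4A_7C15);
        let mut user = Vec::with_capacity(9);
        for i in 0..8 {
            if i == 4 { user.push(b'-'); } // XXXX-XXXX, eight symbols from a 20-letter alphabet
            user.push(USER_CODE_ALPHABET[(n % 20) as usize]);
            n /= 20;
        }
        let device = format!("dc-{:016x}", self.counter.wrapping_mul(0xD1B5_4A32_D192_ED03));
        (device, String::from_utf8(user).unwrap())
    }

    /// POST /device_authorization: start a flow for `client_id` at time `now` (unix seconds).
    pub fn device_authorization(&mut self, client_id: &str, now: u64) -> DeviceAuthResponse {
        let (device_code, user_code) = self.next_codes();
        self.by_device_code.insert(device_code.clone(), DeviceRequest {
            client_id: client_id.to_string(), user_code: user_code.clone(),
            expires_at: now + CODE_LIFETIME_SECS, last_poll: None, decision: Decision::Pending,
        });
        self.by_user_code.insert(user_code.clone(), device_code.clone());
        DeviceAuthResponse { device_code, user_code, verification_uri: "https://sso.example/device".to_string(),
            expires_in: CODE_LIFETIME_SECS, interval: POLL_INTERVAL_SECS }
    }

    /// The browser step: an already signed-in user types the user_code and approves or denies it.
    /// Only a pending, unexpired request can be decided, and only once.
    pub fn decide(&mut self, user_code: &str, user_id: &str, approve: bool, now: u64) -> bool {
        let dc = match self.by_user_code.get(user_code) { Some(dc) => dc, None => return false };
        let req = match self.by_device_code.get_mut(dc) { Some(r) => r, None => return false };
        if now >= req.expires_at || req.decision != Decision::Pending { return false; }
        req.decision = if approve { Decision::Approved(user_id.to_string()) } else { Decision::Denied };
        true
    }

    /// POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code.
    /// Every terminal outcome (token, denial, expiry) consumes the device_code.
    pub fn token(&mut self, client_id: &str, device_code: &str, now: u64) -> Result<String, TokenError> {
        let req = self.by_device_code.get_mut(device_code).ok_or(TokenError::InvalidGrant)?;
        if req.client_id != client_id { return Err(TokenError::InvalidGrant); } // code bound to the requesting client
        let user_code = req.user_code.clone();
        if now >= req.expires_at { self.forget(device_code, &user_code); return Err(TokenError::ExpiredToken); }
        // Polling faster than `interval` is answered with slow_down; the client must back off.
        if let Some(last) = req.last_poll {
            if now < last + POLL_INTERVAL_SECS { req.last_poll = Some(now); return Err(TokenError::SlowDown); }
        }
        req.last_poll = Some(now);
        match req.decision.clone() {
            Decision::Pending => Err(TokenError::AuthorizationPending),
            Decision::Denied => { self.forget(device_code, &user_code); Err(TokenError::AccessDenied) }
            Decision::Approved(user) => {
                self.forget(device_code, &user_code);
                Ok(format!("access-token-for-{}", user)) // placeholder for issuing a real signed JWT
            }
        }
    }

    fn forget(&mut self, device_code: &str, user_code: &str) {
        self.by_device_code.remove(device_code);
        self.by_user_code.remove(user_code);
    }
}

fn main() {
    let mut srv = DeviceFlowServer::default();
    let r = srv.device_authorization("sample-byoo-cli", 0);
    println!("visit {} and enter {}", r.verification_uri, r.user_code);
    println!("{:?}", srv.token("sample-byoo-cli", &r.device_code, 1));
    srv.decide(&r.user_code, "alice", true, 6);
    println!("{:?}", srv.token("sample-byoo-cli", &r.device_code, 6));
}
```

The details worth checking in any device-flow implementation are visible here: the device_code is bound to the client that requested it, it is single-use once a terminal answer is given, a user_code can be decided only once and only while unexpired, and over-eager polling is throttled rather than silently served.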

To get the full system running locally:

# 1. Run the backend API
cd sso/api
cp .env.example .env   # fill in your secrets before starting the stack
docker-compose up --build -d

# 2. Run the administrative web client
cd ../web-client
npm install
npm run dev # App available at http://localhost:5173

The Well-Built Monolith Still Wins

Small teams do not need to rent complexity by default.

A simple architecture can carry serious features when the implementation is disciplined. Rust, SQLite, a TypeScript SDK, and one repository are enough to build an identity platform that is fast, inspectable, and cheap to run.

The repository is there for inspection. The important claim is that a small, disciplined system can own identity without renting the whole stack from a vendor.