Balancing Open Source and Business: Autional's Open Source Strategy and Business Model
To be frank, Autional’s open source strategy has been controversial from the start.
There were heated internal debates — some argued “if you’re doing open source, open everything, otherwise it’s fake open source,” while others countered “how can we sustain the team with fully open source, selling T-shirts?” We ultimately chose a middle path: the Open Core model. This article honestly discusses the rationale behind this decision, our two years of practice, and the pitfalls we’ve encountered.
Compliance disclaimer: Compliance frameworks mentioned in this article (SOC 2, GDPR, etc.) represent Autional’s design alignment goals and do not constitute a legal statement of certification achievement. Security audit responsibility for open source code rests with the user.
What is the Open Core Model
The core logic of the Open Core model is simple:
- Core features open source: The foundational capabilities of identity authentication — user registration and login, OAuth authorization, MFA multi-factor authentication, session management — are all open source on GitHub under the Apache 2.0 license. Anyone can download, deploy, and modify them for free.
- Premium features commercial: Enterprise-grade capabilities — compliance management (SOC 2/GDPR automation), billing system, advanced security (UEBA behavioral analytics), enterprise SSO connectors, SLA guarantees, dedicated technical support — are provided as SaaS subscriptions or private deployment licenses.
The essence of this model is: We open source the foundation layer that solves common needs, and commercialize the value-added layer that solves enterprise scenarios. It’s not bait-and-switch — the identity system you see on GitHub is a fully functional identity system. We don’t deliberately leave gaps in the open source version and say “this feature is only available in the paid version.”
Why Not Fully Open Source
This is the question we get asked most often. The answer has two parts: ideals and reality.
The Ideal Answer
We believe in the value of open source — transparency builds trust, community drives innovation, users don’t have to worry about vendor lock-in. If we could open source everything without going bankrupt, we’d do it without hesitation.
But identity authentication is a special domain. It’s not like a frontend framework or programming language — an identity system carries users’ most sensitive credential data. Open source means anyone can read your password hashing logic, your session token generation algorithm, your OAuth authorization flow. This is great for security auditing, but if the business model is unsustainable, the open source project eventually becomes an unmaintained ghost town — and that’s the greatest irresponsibility to users.
We don’t want Autional to be another open source story of “maintainer burnout, project archived.” A sustainable business model is the greatest respect to the open source community.
The Real Answer
Autional is currently a team of 15 people, with monthly infrastructure costs (databases, caches, message queues, monitoring, CDN) requiring ongoing investment. If we were fully open source without commercial services, we couldn’t pay these bills.
Full open source also means competing with cloud vendors. AWS could package our code as a managed service and sell it at zero cost, while we foot the server bills and maintenance costs. This isn’t alarmism — both Elasticsearch and MongoDB went through this struggle, ultimately having to modify their open source licenses to cope.
The Open Core model allows us to do two things simultaneously: win developers’ trust and community feedback with the open source version, and generate sustainable revenue with the commercial version to reinvest in open source development.
What’s Open Source
Our open source scope has been carefully defined:
Core Open Source (GitHub, Apache 2.0):
| Module | Description |
|---|---|
| identity-service | User registration, login, password management, JWT issuance |
| oauth-service | OAuth 2.1 / OIDC authorization server |
| mfa-service | TOTP, SMS, WebAuthn multi-factor authentication |
| session-service | Session creation, validation, invalidation management |
| profile-service | User profile management |
| tenant-service | Multi-tenant base management |
| gateway-service | API gateway, route aggregation |
| All foundational libraries | base/, util/, micro-middleware/, micro-share/ fully open source |
Commercial License (SaaS / Private Deployment):
| Module | Description |
|---|---|
| compliance-service | SOC 2 / GDPR / classification compliance automation |
| billing-service | Billing, plans, invoices |
| audit-service premium features | Hash chain integrity verification, SIEM integration, compliance reports |
| Enterprise SSO connectors | SAML, LDAP, Azure AD, Okta integration |
| UEBA behavioral analytics | User entity behavior analysis, risk scoring engine |
| Dedicated support | SLA guarantees, architecture consulting, security incident response |
Key principle: The integrity of core authentication capabilities is not affected by the commercial license. Even using only the open source version, you can run a fully functional identity system — registration, login, MFA, OAuth, session management — every essential feature included.
The Benefits of This Model
Transparency Builds Trust
The security of an identity system must be verified through auditing. Open source means any security researcher can review our code without signing an NDA or becoming a paying customer. This isn’t marketing speak — in 2025, we received 17 security vulnerability reports from the community, 3 of which were critical severity. These reports helped us find and fix issues faster than our closed-source competitors.
Our customers also benefit. One fintech company directly reviewed our OAuth implementation source code during their security due diligence, rather than relying solely on our security architecture documents and verbal commitments.
Community-Driven Innovation
The feedback speed of the open source community far exceeds any internal testing team. Several of our key feature improvements came directly from the community:
- WebAuthn implementation optimizations for Passkey support from a PR by a German developer
- gRPC inter-service communication performance tuning suggestions from an issue by a Russian engineer
- Multilingual i18n framework extensibility improvements from contributions by the Japanese community
Community contributors don’t need to be full-time employees — they just need to find problems and propose solutions in their own usage scenarios. This distributed innovation is impossible to replicate in a closed-source model.
Sustainable Business Cycle
The open source version is the product’s strongest sales channel. Developers first use the open source version in their own projects; when their team grows and needs compliance support or enterprise features, they naturally transition to the commercial version. We don’t need cold-start enterprise sales — users are already using it; they’re buying an upgrade, not an unknown product.
The cycle looks like this:
Open source version → Developer experience → Team adoption → Enterprise need arises → Commercial subscription
↑ │
└──────────────── Income reinvests in open source development ←────────────────────────┘The Challenges of This Model
To be honest, the Open Core model isn’t perfect. Here are the real issues we’ve encountered in practice:
Boundary Management: What to Open Source, What Not To
This is the hardest decision. Every time we develop a new feature, the team debates: is this foundational or value-add?
Our decision framework:
- Does this feature affect the integrity of core authentication capabilities? → Yes → Open source
- Is this feature only needed by scaled enterprises? → Yes → Commercial
- Could this feature become an industry standard? → Yes → Open source (we don’t want Autional’s unique implementation to become a barrier to user migration)
But the framework isn’t foolproof. Is MFA’s advanced policy engine (adaptive risk scoring) foundational or value-add? The team debated for two weeks before reaching consensus: basic MFA (TOTP, WebAuthn) is open source, the adaptive risk engine is commercial. Some will say this is an arbitrary split — we understand that skepticism, but it’s also reality: the risk engine’s development and maintenance requires ongoing threat intelligence investment that an open source community volunteer model can’t sustain.
Community Trust: Avoiding “Fake Open Source”
The biggest risk of the Open Core model is being perceived as “fake open source” — a marketing gimmick for GitHub Stars with an unusable actual product.
We mitigate this risk in several ways:
- The open source portion is feature-complete and independently usable. Not a demo, not a neutered version.
- Public roadmap. Both open source and commercial feature plans are visible on GitHub Projects.
- No deployment scale restrictions on the open source version. No limits like “the open source version supports max 1000 users.”
- Community contribution PRs won’t be rejected. As long as code quality meets standards, community-contributed features are merged into the open source version — even if they overlap with some commercial feature.
Enterprise Requirements: Private Deployment with Source Code Access
Some enterprise clients request source code access even in private deployments. Our solution: the commercial license includes source code access — clients can review, modify, but cannot redistribute. This balances the client’s security audit needs with our commercial sustainability.
Validation from Other Companies
The Open Core model isn’t Autional’s invention. A number of successful companies have validated its feasibility:
- GitLab: Open source self-hosted version (CE) and Enterprise Edition (EE). The open source version is feature-complete enough to make GitLab a major GitHub competitor, but enterprise features (compliance, advanced security scanning, Epic hierarchy) are the commercial version’s core value.
- Supabase: Open source core (database, auth, storage), commercial version provides hosting, auto-scaling, SOC 2 compliance. Their open source version is self-hosted by tens of thousands of developers, while the commercial version serves enterprises needing SLA guarantees.
- Grafana: Open source monitoring visualization platform, commercial version provides enterprise plugins, LDAP integration, audit logs.
What these companies have in common: The open source version is a great product in itself, not an advertisement for the commercial version. This is the standard Autional strives to meet.
Our Commitment to Developers
If you’re an individual developer or small team looking for an identity solution for your project:
- Autional’s open source version is completely free for you, with no feature restrictions or user count limits
- If one day you no longer need Autional, your data can be exported through standard APIs — we won’t lock you in
- We won’t suddenly change the open source license — Apache 2.0 is permanent and irrevocable
If you’re an enterprise client already using Autional:
- Your commercial subscription directly funds open source development — the fees you pay allow individual developers and small teams to use Autional for free
- If you have feedback on a commercial feature, you can submit a feature request — our roadmap priority is largely driven by paying customer needs
- If you have feedback on an open source feature, you can submit a PR — just like any open source project
We’re Still Figuring It Out
The Open Core model allows the project to sustain continuous R&D investment and gradually grow the team. But we’re also aware that this model requires ongoing trust maintenance.
Every time we add a commercial feature, someone questions whether “Autional is moving toward closed source.” We understand this concern and can only respond with action — over the past two years, our open source codebase has grown 3x, and the list of open source features is longer than the commercial feature list.
Transparency isn’t a one-time declaration; it’s a daily choice. This article itself is part of that transparency — we don’t want you to imagine Autional as a perfect open source utopia, but to understand our real trade-offs and struggles.
If you have questions or suggestions about our open source strategy, feel free to raise them directly on GitHub Discussions. We’ll respond there — publicly, no private tickets.