The "SSO Tax" is a pricing pattern where a vendor's basic SSO support — the thing that takes one engineer-week to ship — costs 10x the regular plan. Standard tier $20/mo, "business" tier with SSO $200/mo. Sentry, Datadog, Slack, half the SaaS market does this.
It's a defensible pricing strategy: enterprise procurement budgets are larger than individual budgets, large customers do extract more value, and SSO is the wedge feature that signals "this customer can pay more". Vendors aren't wrong to charge it.
But it creates worse incentives.
What the SSO Tax incentivizes
For the vendor: build a tiering system. Designate features as "premium". Hold back common-sense features (audit log, role-based access, the thing teams have asked for) to give the next tier upsell room. Roadmaps stop being "what should we build next" and become "what's the next gate".
For the customer: shop for the cheapest plan that has the one feature you genuinely need. End up paying $200/mo for SSO + a bunch of "business" features you don't use. Or — and this is the bad outcome — skip SSO and let employees use shared logins, because the price spike isn't worth it.
For the market: alternatives like sso.tax exist as protests. Customers move to vendors who don't gate basics behind enterprise pricing. The original vendor wins the high-margin enterprise customer and loses everyone else.
What lrok charges
$9/mo flat. One Pro plan. Includes:
- Unlimited tunnels (vs ngrok's per-tunnel pricing).
- Unlimited reserved subdomains.
- Custom domains (BYO).
- TCP tunnels.
- HTTP basic-auth gating.
- The request inspector.
- Email support (which is just me, but real people answer).
We don't have SSO yet. When we add it (likely Q3 when there's enough demand to justify the engineering), it'll be on the same $9/mo plan. Not $99/mo with SSO + audit + RBAC bundled.
Why this works for us
A few constraints make $9/mo flat work:
Single-product focus. lrok does one thing. There's no "platform" complexity that pushes per-seat pricing — you don't need 14 features, just the tunnel.
Low marginal cost. A user on the Pro plan costs us pennies in bandwidth + cents in CPU. The marginal cost of supporting one more user is dominated by support time (which I cap by writing good docs).
EU infrastructure (Helsinki edge). Hetzner is 4-10x cheaper than AWS for the same hardware. That cost difference is absorbed at the bottom of the funnel; we don't need to recover it via tiering.
No VC rocket-ship. No board pushing for "expand revenue per customer" via tier upsells. We grow by adding customers, not by moving the same customers up the tiers.
What we'd lose if we tiered
The story stops being "lrok is $9/mo, end of decision" and becomes "lrok starts at $9/mo, but you'll need the $39 plan if X". The signup conversion math gets worse. The marketing copy gets longer. The customer is making a procurement decision instead of a "is $9/mo less than the time I'd spend trying to roll my own" decision.
The latter closes in 30 seconds. The former takes meetings.
What we don't lose
Enterprise customers exist who actually want SOC 2, audit log retention, granular RBAC. We're not trying to win that market; ngrok is great for it. We're trying to win the solo dev / small team / OSS contributor / hobbyist market. $9/mo flat works there.
Two markets, two pricing strategies. Both viable.
The takeaway
If you're building a devtool: think hard before you tier. The SSO Tax pattern isn't strictly bad, but the incentives it creates can shift priority away from product and onto pricing engineering. We're betting that simpler pricing wins more customers than tiering captures in revenue from each one.
We'll see in 18 months whether the bet was right.
Free                     Pro
─────────────────        ─────────────────
1 reserved subdomain     Unlimited reservations
1 active tunnel          Unlimited tunnels
HTTP only                HTTP + TCP
Basic auth               Basic auth
Inspector                Inspector
                         Custom domains
$0/mo                    $9/mo flat