Beta Docs: You are viewing preview documentation that may change.

Plan Overview

AuditAuth operates at the application level.

Each application has an associated plan and a lifecycle state.

The combination of plan and state determines:

  • Available features
  • Capacity limits
  • Retention policies
  • Enforcement behavior

Billing is not only a commercial concern.

It directly affects how identity infrastructure behaves.


Application as an Operational Unit

In AuditAuth, an Application is an isolated identity boundary.

Each application has:

  • Its own configuration
  • Its own user base
  • Its own observability scope
  • Its own audit trail
  • Its own subscription state

Application state is independent from user authentication state.

A user may be authenticated, while the application itself may be restricted.


Plan-Driven Capabilities

Every application is assigned a plan.

The plan defines:

  • Authentication provider availability
  • Maximum number of users
  • Feature access flags
  • Audit log retention
  • Metrics retention and sampling
  • Whitelabel behavior

Plans define permission boundaries.

They are enforced deterministically by the system.


State-Driven Enforcement

Applications also have a lifecycle state.

Examples of lifecycle states include:

  • active
  • past_due
  • suspended
  • cancelled

Lifecycle state affects enforcement independently from plan permissions.

For example:

An application in past_due status enters a grace period of one month.

During this period:

  • Core identity functionality remains operational.
  • Enforcement continues normally.
  • Administrators are expected to resolve billing status.

If the grace period expires without resolution, the application may transition to a restricted state.


Grace Period Model

When an application becomes past_due:

  • A one-month grace period begins.
  • Authentication continues to function.
  • Session enforcement remains active.
  • No immediate disruption occurs.

After the grace period:

  • Enforcement behavior may change.
  • Feature access may be restricted.
  • Administrative access may be limited.

Grace periods are designed to avoid abrupt identity disruption.


Separation of Concerns

Billing state does not invalidate issued tokens immediately.

Identity state and subscription state are separate concerns.

However:

Application lifecycle state may restrict:

  • New authentications
  • Access to dashboards
  • Feature-level capabilities
  • API usage beyond defined limits

Enforcement remains deterministic and application-scoped.


Deterministic Infrastructure Behavior

AuditAuth guarantees that:

  • Plan permissions are enforced consistently.
  • Lifecycle state transitions are explicit.
  • Grace periods are time-bound.
  • Feature access reflects subscription state.

There is no implicit fallback behavior.

Application state always governs capability boundaries.
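
The state-driven decision described under Separation of Concerns and Deterministic Infrastructure Behavior can be modelled as a pure function of application state and time. This is an added example, not AuditAuth's own code. The action names, the 30-day reading of "one month", the post-grace restrictions, and the deny-on-unknown-state rule are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: "one month" is modelled as 30 days; the page does not define it.
GRACE_PERIOD = timedelta(days=30)
# Hypothetical action names, chosen for this example only.
ACTIONS = ("validate_existing_token", "new_authentication", "dashboard_access")
ALLOW_ALL = {a: True for a in ACTIONS}
DENY_ALL = {a: False for a in ACTIONS}
# Assumption: after the grace period, issued tokens still validate but new
# authentications and dashboards are blocked (the page says these "may" be restricted).
RESTRICTED = {**DENY_ALL, "validate_existing_token": True}


@dataclass(frozen=True)
class Application:
    app_id: str
    state: str                                # lifecycle state from the page
    past_due_since: Optional[datetime] = None


def effective_policy(app: Application, now: datetime):
    """Map lifecycle state to (label, policy) with no implicit fallback."""
    if app.state == "active":
        return "active", ALLOW_ALL
    if app.state == "past_due":
        if app.past_due_since is None:
            return "invalid", DENY_ALL        # grace start unknown: fail closed
        if now - app.past_due_since < GRACE_PERIOD:
            return "grace", ALLOW_ALL         # time-bound, no disruption yet
        return "restricted", RESTRICTED
    if app.state in ("suspended", "cancelled"):
        return "restricted", RESTRICTED       # assumption, see above
    return "unknown", DENY_ALL                # unrecognised state never allows


def is_allowed(app: Application, action: str, now: datetime) -> bool:
    """Application-scoped decision; unknown actions are denied."""
    return effective_policy(app, now)[1].get(action, False)


if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed sample data
    for app in (Application("a1", "active"),
                Application("a2", "past_due", now - timedelta(days=10)),
                Application("a3", "past_due", now - timedelta(days=45)),
                Application("a4", "trialing")):
        label, _ = effective_policy(app, now)
        print(app.app_id, label, {a: is_allowed(app, a, now) for a in ACTIONS})
```

The decision depends only on the application record and the clock, so the same inputs always yield the same result, and a user's authentication state never enters into it.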


Next Step

To understand how plans define capabilities, continue with:

  • Application Model
  • Plan Model