Skip to content

Pricing

Start free — 10K attestations a month, no card.

Pro is $99 for 250K. Business is $899 for 2.5M. Overage gets cheaper as you scale. Move the calculator below to find your cheapest plan.

Plans

One clear comparison

Free

$0

10,000 attestations / month

  • All 40 vendor trust anchors + 2,093 intermediates
  • All built-in TPM-class policies
  • Dashboard, live event tail, per-tenant ban list
  • Community support
Start free
Most popular

Pro

$99 / month

250,000 included · $1.50 / 1K overage

  • Everything in Free
  • Customer-authored acceptance policies
  • Email support · < 24h response
  • Custom domain add-on (coming soon)
Start free, upgrade in-app

Business

$899 / month

2,500,000 included · $0.75 / 1K overage

  • Everything in Pro
  • Custom domain (auth.acme.com) — coming soon
  • Cross-tenant reputation (opt-in)
  • Uptime + latency SLA
  • Priority email + Slack channel support
Talk to sales

Enterprise

Custom

Annual commit · volume pricing

  • Everything in Business
  • Dedicated trust-anchor refresh cadence
  • SOC 2 audit packet (in progress) · 90-day deprecation windows
  • Single-tenant deployment available
  • Named CSM · on-call escalation path
Contact sales

Calculator

Find your cheapest plan

Slide the inputs to your real numbers. The calculator picks the cheapest tier that covers your volume, shows the bill math, and projects the savings versus paying CAPTCHA solver farms to defeat your own defenses (the industry baseline at $2 / 1K fake signups).

From 100 to 1,000,000 (log scale)

Includes step-up + re-attest cadence (default 1.2)

% of attempted signups that are currently bots / fakes

Effective attestations / month

60,000

50,000 signups × 1.2 att/user

Your monthly Root Herald bill

$99.00

$99 base — 60,000 attestations ≤ 250,000 included

Recommended tier

Most popular

Pro

Pro covers your volume at the lowest total cost.

Projected savings vs CAPTCHA solver farms

At your current abuse rate, solver-farm cost is below the platform fee. The win is structural — once fakes can't bypass, attackers stop trying.

Feature matrix

Every feature, every tier

FeatureFreeProBusinessEnterprise
Volume
Included attestations / month10K250K2.5MCustom
Overage price (per 1K)$1.50$0.75Volume
Hard quota cutoff
Platform
All TPM-class trust anchors
Built-in acceptance policies
Customer-authored policies
Cross-tenant reputationOpt-in (read-only)Opt-inOpt-in + contribution credits
Deployment
Default (rootherald.io)
Custom domainComing soonComing soonComing soon
Customer-proxy transport mode
Single-tenant deployment
Support & SLA
Community / docs
Email support< 24hPriorityNamed CSM
Shared Slack channel
Uptime + latency SLA
SOC 2 audit packet (in progress)
Wire-protocol deprecation window90 days90 days90 days90 days

Comparison

What you'd otherwise pay

Different tools, different failure modes. Here's the honest read: cost, user friction, and what eventually defeats each.

ApproachCostUser frictionDefeated by
CAPTCHA solver farms (Turnstile / hCaptcha bypass)$1–$3 per 1,000 solves to attackerVisible challenge to real usersDefeated by solver farms within hours
Fingerprinting (FingerprintJS Pro) + anti-detect browsers$200/mo for 100K + $30–60/mo anti-detect licenseSilent · but blocks legitimate privacy-conscious usersDefeated by GoLogin, Multilogin, AdsPower, Kameleo + residential proxies
KYC (Persona, Sumsub, Onfido)$0.50 – $3 per check + PII handling costGovernment ID + selfie: kills signup conversionDoesn't bind to device; valid ID + valid selfie still abusable at scale
Root Herald Shield$0 for 10K · $99 for 250K · $899 for 2.5MSilent · invisible to users · no PIITier 1 defeated cryptographically; Tier 3+ becomes capital-bound (~$30/device + detectable)

FAQ

Pricing FAQ

What counts as an attestation?

Any completed verification of device evidence through our API counts as one attestation. That includes signup checks, step-up re-attests, and periodic posture re-checks.

Failed-evidence calls (the device returned a malformed PCR quote, the EK chain failed verification, etc.) do not count against your quota. You only pay for completed verdicts.

Do retries count?

Each challenge nonce is single-use, so retrying the same nonce can't be billed twice: a consumed or expired nonce is rejected rather than re-metered. Retries with a fresh nonce (e.g., the user got logged out and re-attested) count separately, which matches reality, since each is a separate attestation event with a separate cryptographic verdict.

What happens when I hit my Free-tier quota?

The Free tier has a hard quota cutoff. Once you hit 10,000 attestations in a calendar month, the API returns HTTP 429 quota_exceeded with Retry-After set to the next billing cycle start. Paid tiers do not cut off; they bill overage at the per-1K rate listed.

You can upgrade in-app at any moment. The change applies immediately; the calendar-month quota resets and overage billing kicks in from that moment forward.

How will the custom-domain add-on work?

Custom domains are on the roadmap, not live yet.The planned flow: you point a CNAME at your tenant's Root Herald edge, for example auth.acme.comtenant-domains.rootherald.io, we provision a certificate and validate it via DNS, and your SDKs see your domain in their attestation callbacks. The design lives in the transport-modes guide.

When it ships it'll be a $49/month add-on on Pro and part of Business and Enterprise. Until then, every tenant runs on the default rootherald.io edge.

What if I need a self-hosted / on-prem deployment?

Enterprise tier only. We'll ship you a single-tenant container stack, a trust-anchor refresh feed, and a managed sign-key escrow. Pricing is on a per-deployment basis; talk to sales.