Skip to main content

The Token Tax — How Naive M2M Authentication Quietly Drains Your Cloud Budget

· 8 min read
Vladyslava Prykhodko
Vladyslava Prykhodko
Engineering Technical Lead & Architect

The cloud stopped being just infrastructure a long time ago. It's an economic model where every engineering decision has a direct impact on business costs. And that's exactly where the line between "works fine" and "designed well" is drawn.

Managed Services: What You're Actually Buying

Cloud platforms take an enormous amount off your team's plate: hardware management, baseline security, fault tolerance, scaling. Managed Kubernetes — Amazon EKS, Google Kubernetes Engine, or Azure Kubernetes Service — lets you spin up a production-ready cluster in a matter of hours. But here's the thing: you haven't eliminated complexity. You've moved it up a level.

The hybrid model — taking managed Kubernetes and deploying your own microservices inside it — is a reasonable trade-off. You don't own servers, you get multi-region deployment, and you pay only for what you use. But if architectural thinking doesn't show up at that higher level, costs start growing faster than load does.

Case Study: Identity in a Microservice Architecture

One of the most instructive examples is identity management. Using managed identity providers — Amazon Cognito, Auth0, Microsoft Entra External ID, or Okta — is an entirely rational choice. Building your own enterprise-grade authentication and authorization system from scratch means years of investment, continuous security audits, and a high risk of getting it wrong. Delegating that responsibility to the cloud reduces risk and accelerates time-to-market.

The problem doesn't come from choosing the service. It comes from how that service is used inside the architecture.

The Token Multiplication Effect

In most cloud identity solutions, billing correlates with the number of operations: authentications, token issuances, or monthly active users. In a monolithic system, this is barely noticeable. In a microservice architecture, a multiplicative effect kicks in that is rarely accounted for at design time.

A typical scenario: an incoming user request passes through an API gateway, then touches a chain of 10–20 services. Each of them, following zero-trust principles, requests an access token for its downstream call via the OAuth 2.0 Client Credentials flow. With a naive implementation, every service goes to the identity provider for a fresh token. A single user request generates dozens of operations. As load grows, this becomes an avalanche of token issuances with no connection to the actual business value of the request.

Without a proxy — every service fetches its own token:

With a token proxy — the IdP is called once per TTL, everything else is a cache hit:

Putting a Price on It

Even a relatively modest system puts meaningful pressure on the identity provider.

Load model (example):

User traffic:

  • 500 users/day × 5 actions × ~15 services per request → 37,500 token ops/day

Background processes (the real driver):

  • 3 syncs/day, each processing 50,000 records in batches of 100 → 500 batches per sync
  • Each batch passes through ~15 microservices → 3 × 500 × 15 = 22,500 token ops/day

Total: ~60,000 ops/day → ~1,800,000 ops/month

User traffic accounts for 62% of the load, while 3 background syncs account for the remaining 38%. This is a conservative model. Real systems with dozens of sync types or higher-frequency processes run 5–10× higher — and the bill scales linearly.

Cost at ~1,800,000 token operations/month (rates as of April 2026):

ProviderRateMonthly cost
Amazon Cognito$0.00225 / request~$4,050
Microsoft Entra External ID$0.001 / token~$1,800
Auth0 Professional$240/mo base + token add-onsEnterprise tier

In every case, the same rule applies: your costs become proportional not to your users, but to the number of internal service calls.

The Evolution of Solutions: From Naive to Correct

Level 1: Client-side caching

The instinctive fix is to add caching at the HTTP client layer inside each service. This does reduce requests, but the effect is bounded by the process boundary. In Kubernetes, every pod holds its own cache. As you scale horizontally, the number of caches grows linearly — a significant fraction of requests to the identity provider persists. This kind of cache is also hard to observe and gives you no centralized token management policy.

Level 2: Centralized cache (Redis)

Moving the cache to Redis looks like the logical next step. But a less obvious problem emerges here: the security model. An access token is a bearer credential — whoever holds it can use it. If you store tokens keyed by client_id or scope, any service with Redis access can potentially retrieve a token it was never meant to have. Adding ACLs at the Redis level partially addresses this, but it introduces complexity quickly and erodes system transparency.

Level 3: Token proxy service

The architecturally sound solution is to introduce a dedicated layer responsible for token lifecycle management. A lightweight proxy service deployed inside the cluster becomes the single controlled entry point for obtaining access tokens. It encapsulates all interaction with the identity provider, implements caching, and — critically — owns the access model.

Token Proxy Architecture: Technical Details

Token addressing

Instead of storing tokens against plain identifiers, the proxy uses a derived cache key formed by computing HMAC-SHA256 over the combination of client_id, client_secret, and scope, using an internal service secret. HMAC is deterministic — the same inputs always produce the same key, which is necessary for correct cache lookups — and irreversible without knowledge of the secret. Even if memory is dumped or leaked, the original credentials cannot be recovered. The service itself never handles secrets in plaintext outside the moment of the actual request to the identity provider.

In-memory storage

Tokens are stored in memory, not in an external store. This eliminates network latency on every lookup and reduces the attack surface. The cache TTL is set slightly below the token's actual expiry to guarantee proactive refresh before the token becomes invalid.

Cluster-level security

The service is deployed inside Kubernetes with no external ingress, restricted egress rules, and access limited to internal service accounts. Communication is additionally secured via mTLS, eliminating the risk of unauthorized access even within the cluster. The service is physically unreachable from outside the cluster perimeter.

High availability

Since the proxy is a critical dependency for every service in the cluster, it is deployed as 2–3 replicas. Each replica holds its own in-memory cache and independently fetches from the identity provider on a cache miss. A short warm-up period after a replica restart is an acceptable trade-off for eliminating a single point of failure.

The Economic Impact

The fundamental model shift: a token is requested once per TTL, then reused by all services authorized to receive it. The number of operations against the identity provider becomes proportional not to the number of internal calls, but to the number of unique client/scope combinations.

In the system described above, this means going from 1.8 million operations per month to ~14,400 — a 99.2% reduction.

The proxy service itself costs almost nothing: a few dozen megabytes of RAM per replica, minimal CPU. At typical cloud pricing, that's a few dollars a month across all replicas.

Assuming 20 unique client/scope combinations and 1-hour token TTL:

  • Refreshes per day: 20 × 24 = 480
  • Per month: ~14,400 operations instead of 1,800,000
Without optimizationWith token proxy
Token operations/month~1,800,000~14,400
Cognito~$4,050/mo~$32/mo
Entra External ID~$1,800/mo~$14/mo
Auth0Enterprise tierSelf-service plan
Proxy cost~$2–5/mo
Ops reduction99.2%

In absolute terms: $22,000–$48,000 per year — depending on provider — eliminated by a single lightweight service. As the system scales — more syncs, more services — costs grow linearly. The proxy cost does not.

Conclusion

This is exactly the kind of decision that separates using the cloud as a tool from using it as magic. The cloud genuinely lets you stop thinking about a huge range of low-level concerns. But it doesn't remove the need to think at the architecture level. If anything, it amplifies the consequences of architectural mistakes — because every inefficiency converts to money immediately.

Good cloud architecture isn't about rejecting managed services. It's about understanding their internal billing models and deliberately managing the points where those models start to conflict with your system.

Otherwise, you inevitably arrive at a situation where you're paying not for business growth, but for a lack of control over your own decisions.