Every few months, another beloved open-source tool quietly takes something back. A feature that used to be free moves behind an "Enterprise" tier. A license you trusted flips to something you can't legally build a business on. A self-hosted app you've run for years suddenly caps you at five users.
The community has a name for the most common version of this: the SSO tax — when single sign-on, the one feature any serious deployment actually needs, gets locked behind a paywall. But it goes further than SSO, and it has a pattern.
We spent a lot of time verifying that pattern. What follows is a tracker of open-source tools that pulled the rug — every entry checked against primary sources (GitHub license history, release notes, the original community threads), with the tools that didn't deserve the accusation deliberately left off. For each one, we tell you how long it was genuinely open before the change, exactly what was taken, and — most importantly — what to run instead.
The number that stings: how long they were open first
The betrayal lands harder when you see the runway. These tools were genuinely open source, under OSI-approved licenses, for years before the change:
- Redis — 15 years (BSD, 2009) before relicensing to SSPL/RSALv2 in 2024
- Akka — 13 years before going Business Source License
- Elasticsearch — 11 years before SSPL
- MinIO — 10 years before it gutted the free admin console
- Rocket.Chat — 8 years before it silently capped self-hosting at 25 users
- Invoice Ninja — 7 years before relicensing to a non-open license
That's not a startup pivoting early. That's a decade of community contributions, tutorials, bug reports, and goodwill — and then the door closes.
The Self-Hosted Hall of Shame
These are the tools self-hosters actually run that took a previously-free capability away — by removing it, capping it, relicensing the whole project, or closing the source entirely.
| Tool | Category | Open for | What they took | Run instead |
|---|---|---|---|---|
| MinIO | Object storage | 10 yrs | Stripped the admin console — including LDAP/OIDC login — from the free edition | Garage, SeaweedFS |
| Rocket.Chat | Team chat | 8 yrs | Capped previously-unlimited self-hosting at 25 users, with no changelog entry | Mattermost, Matrix/Element |
| NocoDB | Airtable alternative | 4 yrs | Relicensed the whole AGPL core to a non-open "fair-code" license (Jan 2026) | Grist, Teable |
| Cal.com | Scheduling | 5 yrs | Went fully closed-source (April 2026) | cal.diy |
| Mattermost | Team chat | 9 yrs | Paywalled group calls; added a 10,000-message cap to the free tier | Matrix, Zulip |
| Plane | Jira alternative | 1 yr | Pulled SSO out of the free Community edition | OpenProject, Taiga |
| Formbricks | Surveys/forms | 2 yrs | Moved previously-free SSO behind Enterprise | LimeSurvey |
| Portainer | Docker UI | 4 yrs | Took a community-contributed OAuth feature and made it paid | Dockge, Komodo |
| Budibase | Internal tools | 2 yrs | Capped previously-unlimited self-hosting at 20 users | Appsmith |
| Netdata | Monitoring | 8 yrs | Capped the local dashboard at 5 nodes (Jan 2025) | Zabbix, Beszel |
| Stirling PDF | PDF toolkit | 2 yrs | Capped the built-in login at 5 users | self-host + Authelia |
| Invoice Ninja | Invoicing | 7 yrs | Relicensed to the non-open Elastic License 2.0 | Crater, InvoicePlane |
| Akaunting | Accounting | 6 yrs | Relicensed to BSL with a brutal 2-user / 1,000-invoice cap | Firefly III, ERPNext |
| Outline | Team wiki | 2 yrs | Relicensed BSD → BSL (no offering it as a service) | BookStack, Docmost |
| Typebot | Form builder | 2 yrs | Relicensed AGPL → source-available FSL | Formbricks |
| Novu | Notifications | 3 yrs | Removed free multi-user team management (capped at 1) | Notifo |
| PhotoPrism | Photo manager | 4 yrs | Moved the high-res maps behind a sponsorship wall | Immich |
In their users' words
The frustration is consistent, and it's rarely about the money. It's about trust.
MinIO: "A lot of users are unhappy with the removal of the admin console… it's not a feature issue. It's a trust issue." — dani, GitHub
Plane: "Why on earth would you make OAuth a 'premium' feature?" — dojoca, GitHub
Rocket.Chat: "That such a breaking change is not even documented in the changelog smells of malice." — krumelmonster, GitHub
Stirling PDF: "I have like 100 users using Google SSO… we cannot afford to pay dollars for this software, since we live in a 3rd[-world] country. $12 is more than I make in a full day of work." — thiagoor-cpu, GitHub
Akaunting: "Stop it with the open-washing already!" — mgulick, Hacker News
When Formbricks moved SSO to its paid tier, one self-hoster put the SSO tax perfectly:
"SSO isn't just an 'advanced feature' — for many home-labbers, families and small startups, it's a basic expectation for security and ease of use." — beposec, GitHub
(The vendor's own defense, for fairness: shipping SSO for free "was a strategic mistake, which we are correcting now.")
The big infrastructure relicenses
You've probably heard about these. They're less "homelab" and more "the database under your stack," but they set the template — and the runways are staggering.
| Tool | Open for | The move | Open fork |
|---|---|---|---|
| Redis | 15 yrs | BSD → SSPL/RSALv2 (2024) | Valkey |
| Akka | 13 yrs | Apache → BSL (2022) | Apache Pekko |
| Elasticsearch | 11 yrs | Apache → SSPL (2021) | OpenSearch |
| Terraform | 9 yrs | MPL → BSL (2023) | OpenTofu |
| HashiCorp Vault | 8 yrs | MPL → BSL (2023) | OpenBao |
| MongoDB | 9 yrs | AGPL → SSPL (2018) | FerretDB |
| Sentry | 10 yrs | BSD → BSL → FSL (2019) | GlitchTip |
| Sourcegraph | 6 yrs | Apache → fully closed (2024) | Zoekt |
The good news, and it's a real pattern: nearly every one spawned a community fork that picked up where the original left off. Rug pulls don't kill open source — they relocate it.
And the ones that didn't rug-pull (so we don't repeat a myth)
A tracker like this is only worth reading if it's honest about the tools people wrongly accuse. We checked these and cleared them:
- Metabase — the rumor that it moved LDAP login to a $500/mo paywall is false. It was announced, then walked back; basic LDAP is still free today.
- Bitwarden — the 2024 SDK licensing scare was reversed within two weeks. Still free software.
- Audacity — never changed its license and never shipped telemetry; "spyware" was hyperbole.
- Gitea — the 2022 drama was a governance/trademark dispute (which produced Forgejo), not a feature paywall. SSO stays free.
- Grafana and Element/Synapse moved to AGPLv3 — still genuine open source, just stronger copyleft.
- Appwrite — despite a widely-repeated claim, it did not relicense to BSL. It's been BSD-3 since 2019.
✅ The Good Guys: tools that keep SSO free
Here's the part that should shape what you actually deploy. These tools have been adversarially checked and ship free single sign-on in their self-hosted editions — and several have made explicit, on-the-record promises never to paywall features:
- Authentik — written policy not to move features to Enterprise; it even moved Remote Access Control into the open-source edition.
- Zitadel — free SAML/OIDC/SCIM; relicensed to AGPL (more open, not less).
- Immich — "there will never be any paywalled features." OAuth/OIDC included.
- Jellyfin — every feature free, SSO via an open plugin. Born when Emby closed its source — the fork that won.
- Ghost — a genuine non-profit; the full membership-and-newsletter stack ships in the open self-hosted build.
- Zammad — foundation-owned helpdesk with free SAML/LDAP/OIDC.
Also clean and recommended: Keycloak, Authelia, Pomerium, Coolify, Documenso, Paperless-ngx, Nextcloud, Supabase, Standard Notes, Seafile. And on the SSO question specifically — Grafana (only SAML is Enterprise), GitLab CE (only group SAML+SCIM is paid), and Vaultwarden all give self-hosters real single sign-on without a bill.
What to take from this
Open source isn't dying — but "open core" has taught a generation of companies that you can build an audience on a free license and then meter the exits. The defense is the same as it's always been: prefer tools with copyleft licenses, independent or non-profit governance, and a track record of keeping the basics free — and know the open fork or alternative before you need it.
Every tool in the "run instead" columns above is a self-hostable, genuinely-open alternative. If you're migrating off a tool that pulled the rug, that's the place to start.
Methodology: every entry was verified against primary sources — GitHub repository creation dates, license commit history, release notes, vendor pricing pages, and the original community discussions — by a multi-pass research and adversarial fact-checking process. Tools whose "rug pull" stories didn't hold up were removed, not published. Community quotes are verbatim from Hacker News and GitHub, with author and date preserved. Spotted an error or a tool we missed? Let us know.
