FusionAuth Scales Secure Identity with groundcover

About FusionAuth

FusionAuth is a developer-focused Customer Identity and Access Management (CIAM) platform providing authentication, authorization, and user management for modern applications. Serving industries including retail, gaming, and healthcare, FusionAuth enables organizations to implement secure identity workflows with SSO, MFA, and social logins  through flexible APIs.

One of FusionAuth’s defining strengths is deployment flexibility. Customers can run FusionAuth on a hosted SaaS platform, in their own cloud, or even on a laptop with minimal dependencies (Postgres and Elasticsearch) and no lock-in. That same philosophy guided the team’s approach to observability.

The Challenge

As a platform responsible for authentication and user identity, FusionAuth operates in a high-stakes environment where performance, reliability, and security are non-negotiable. As the team grew and traffic scaled, their existing tooling started showing cracks.

John Jeffers, Staff SRE at FusionAuth, had been running Grafana Cloud as the team’s primary observability stack. It wasn’t working well enough due to limited visibility, integration friction, and a setup that demanded ongoing maintenance. He had also used Datadog at previous companies and respected the product, but its pricing was prohibitive for a team of FusionAuth’s size.

The core challenges were:

• Limited visibility into authentication flows, token exchanges, and edge cases
• High and unpredictable cost from usage-based observability pricing
• Difficulty debugging distributed identity workflows end-to-end
• Operational overhead from managing observability infrastructure
• Engineers self-censoring on what data to collect to avoid blowing up costs

Why groundcover?

John found groundcover through a Google search, looking for alternatives to his existing stack. What caught his attention immediately was the BYOC (Bring Your Own Cloud) model.

1. Full data ownership at predictable cost

With BYOC, groundcover runs entirely inside FusionAuth’s own AWS account which is a fully isolated Kubernetes cluster with its own storage. All observability data stays within FusionAuth’s infrastructure. The cost is simply what AWS charges for object storage and RDS, with no per-seat or per-event pricing layer on top.

This changed how the team thought about instrumentation. John no longer has to tell engineers to hold back.

“Don’t worry about it — collect whatever you want.” 

- John Jeffers, Site Reliability Engineer, FusionAuth

2. eBPF-powered visibility with minimal setup

groundcover’s eBPF sensor was a standout for John. Without requiring code changes or manual instrumentation, the agent automatically picks up service-level telemetry across FusionAuth’s Kubernetes clusters. Setup is limited to configuring the Helm chart to distribute the agent. And after that, it just works.

FusionAuth also uses the trace anonymisation capabilities to protect customer data. Because customers sometimes pass sensitive values like passwords in query strings, the team intentionally scans and anonymises trace data before it’s ingested.

3. Grafana compatibility for a smooth migration

The team had invested in Grafana dashboards over time. Rather than rebuilding from scratch, John was able to lift and shift existing dashboards into groundcover with minimal changes by adjusting metric labels where needed, but preserving the structure and logic of what was already built.

4. Minimal operational burden

For a lean SRE team, the cost of managing observability tooling itself is real. groundcover eliminated that overhead.

“My favorite thing about groundcover is how little I have to do with it. I go in, update the agent, and I’m done. There’s never anything that breaks.” 

- John Jeffers, Site Reliability Engineer, FusionAuth

Impact

Full, unsampled visibility into identity flows

• Complete observability across login flows, token exchanges, and authorization workflows
• Faster root cause analysis for authentication and identity-related issues
• Logs, metrics, and traces in a single platform with no more correlating across tools

Cost control at scale

• Ability to ingest large volumes of identity data without budget concerns
• Engineers empowered to collect full telemetry without budget anxiety
• No unpredictable per-event or per-seat pricing

Increased developer efficiency

• Reduced time spent stitching together data from multiple tools
• Minimal ongoing maintenance: agent updates are the primary operational touchpoint
• Dashboard migration required only minor label adjustments

Stronger reliability and user experience

• Faster detection and resolution of authentication issues
• Improved performance across critical identity services

Future Outlook

FusionAuth is actively evaluating groundcover’s synthetic monitoring capabilities. As a global SaaS platform, FusionAuth runs approximately 1,000 synthetic checks per minute to verify that customer-facing endpoints are healthy from locations around the world. John sees geographically distributed synthetic agents that all report into a single console as the next major capability to migrate to groundcover, eliminating another expensive third-party dependency.

The team is also tracking groundcover’s expanding support for multi-step synthetic tests and browser-based testing via Playwright, which would enable more sophisticated end-to-end validation of authentication flows.

Want full visibility into your most critical systems without the cost and complexity?
Try groundcover free today.