SSubrupt
Skip to content

Best Passwordless Authentications of 2026

Updated · 7 picks · live pricing · affiliate disclosure

Passwordless-first dev API with PAYG MAU pricing, embedded magic links, and first-class passkeys.

BEST OVERALL9.3/10

Stytch (Twilio)

Passwordless-first dev API with PAYG MAU pricing, embedded magic links, and first-class passkeys.

Free 10K MAUs; cancel-anytime
Try Stytch (Twilio)See full review

How it stacks up

  • Free 10K MAUs

    vs Clerk flat $25 base

  • PAYG $0.05 per MAU

    vs Auth0 25K MAU cap (2026)

  • Enterprise custom

    vs WorkOS B2B SAML focus

#2
WorkOS9.3/10

Free

View
#3
Firebase Authentication7.8/10

Free

View

All picks at a glance

#PickBest forStartingScore
1Stytch (Twilio)Best passwordless-first dev API with PAYG MAU pricingFree9.3/10
2WorkOSBest B2B SaaS passwordless auth with free SAML SSO up to 1M MAUsFree9.3/10
3Firebase AuthenticationBest Google-ecosystem passwordless auth with Spark free 50K verificationsFree7.8/10
4ClerkBest modern dev-friendly passwordless auth with pre-built React components$25.00/mo6.9/10
5Supabase AuthBest backend-bundled passwordless auth with Postgres and Row Level Security$25.00/mo6.4/10
6Auth0 (Okta)Best established CIAM with Universal Login depth and SOC 2 history$35.00/mo5.8/10
7LogtoBest open-source passwordless auth with MPL-2.0 self-host and cloud upgrade path$16.00/mo5.6/10

Quick pick by use case

If you only have thirty seconds, find your situation below and skip to that pick.

If You are a SaaS startup on React or Next.js shipping customer-facing login under 100K MAUsClerkClerk ships pre-built React components and SignIn/UserButton that install in an afternoon; Free 10K MAUs; Pro $25/mo flat with custom session claims.If You are an enterprise CIAM team with security-team review on every vendor decisionAuth0 (Okta)Auth0 ships Okta-owned CIAM with Universal Login depth; Free 25K MAUs (2026 with SSO and SCIM); Essential B2C $35/mo; Professional B2C $240/mo.If You are a SaaS team treating passwords as legacy infrastructure with seasonal trafficStytch (Twilio)Stytch ships passwordless-first SDK without recurring base fee; Free 10K MAUs; PAYG $0.05 per MAU above with first-class passkeys.If You are a B2B SaaS engineering team shipping enterprise SSO from MVPWorkOSWorkOS AuthKit ships free up to 1M MAUs with SAML SSO and SCIM directory sync included; Enterprise contract above the cap.If You are a SaaS team already on Supabase Postgres who wants auth in the same SDKSupabase AuthSupabase Auth bundles with Postgres free 50K MAUs; Pro $25/mo with 100K MAUs included; Row Level Security via JWT claims.If You are an OSS-curious modern auth team who wants vendor independence with a cloud upgrade pathLogtoLogto ships MPL-2.0 OSS self-host with no MAU cap; Cloud Free 5K MAUs; Hobby $16/mo; Pro $96/mo with multi-tenant architecture.

Compare all 7 picks

Top spec
#1Stytch (Twilio)9.3/10FreeFree 10K MAUs
#2WorkOS9.3/10FreeAuthKit free 1M MAUs
#3Firebase Authentication7.8/10FreeSpark free 50K verifies
#4Clerk6.9/10$25.00/moFree 10K MAUs
#5Supabase Auth6.4/10$25.00/moFree 50K MAUs
#6Auth0 (Okta)5.8/10$240.00/mo$2,580/yr moreFree 25K MAUs (2026)
#7Logto5.6/10$96.00/mo$852/yr moreCloud Free 5K MAUs
#1

Stytch (Twilio)

9.3/10

Best passwordless-first dev API with PAYG MAU pricing

Try Stytch (Twilio)See Stytch (Twilio) alternatives

Passwordless-first dev API with PAYG MAU pricing, embedded magic links, and first-class passkeys.

PlanMonthlyWhat you get
FreeFreefree up to 10K MAUs with passkeys plus magic links
Pay-as-you-growFreePAYG MAU pricing with no recurring base fee
EnterpriseCustomenterprise SLA with negotiated volume pricing

Stytch is the passwordless-first dev API for SaaS teams who treat passwords as legacy infrastructure. Founded in 2020 by ex-Plaid engineers and acquired by Twilio in November 2025, Stytch built the platform around magic links, passkeys, and embedded biometric flows as primary credentials; the SDK was designed without password support before adding it for legacy migrations.

Three tiers cover the lifecycle. Free covers 10K MAUs with every authentication method, embedded magic links, and passkeys. Pay-as-you-grow charges a small per-MAU fee above 10K with the same auth methods and volume discounts at higher tiers; there is no recurring base fee, only usage. Enterprise opens dedicated support and SLA guarantees.

The load-bearing wedge is PAYG MAU pricing without a recurring base. Where Clerk charges a flat monthly base above the free tier and Auth0 cliffs from Essential to Professional at the same MAU count, Stytch's bill scales linearly with actual usage; for SaaS teams with seasonal traffic, the bill never overshoots usage. The catch is the missing pre-built UI; Stytch ships SDK primitives that teams wire into custom UI. For passwordless-first conviction, Stytch is the proven path; for design-poor teams wanting drop-in UI, alternatives cover better.

Pros

  • Passwordless-first SDK designed without password support
  • PAYG MAU pricing scales linearly with actual usage
  • Free 10K MAUs with every authentication method
  • Embedded magic-link primitives for custom UI
  • First-class passkey support since launch

Cons

  • No pre-built UI; engineering hours per launch are higher than Clerk component approach
  • Twilio acquisition (Nov 2025) integration roadmap still in progress; vendor independence reduced
Free 10K MAUsPAYG $0.05 per MAUEnterprise customFree 10K MAUs; cancel-anytime

Best for: SaaS teams treating passwords as legacy infrastructure with seasonal traffic. Free 10K MAUs; PAYG $0.05 per MAU; Enterprise custom.

Data residency
8
Auth latency
9
Integration effort
8
Value
9
Support
8
Try Stytch (Twilio)
#2

WorkOS

9.3/10

Best B2B SaaS passwordless auth with free SAML SSO up to 1M MAUs

Try WorkOSSee WorkOS alternatives

B2B SaaS auth with free SAML SSO up to 1M MAUs including SCIM directory sync and passkeys.

PlanMonthlyWhat you get
Free (AuthKit)Freefree up to 1M MAU including SAML SSO and SCIM
EnterpriseCustomenterprise contract above the 1M-MAU AuthKit cap

WorkOS is the B2B SaaS-focused passwordless platform for engineering teams whose authentication has to ship enterprise SSO and directory sync from day one. Founded in 2019, WorkOS built around the thesis that B2B SaaS startups should not pay enterprise prices to add SAML SSO; AuthKit ships free up to 1M MAUs with SAML SSO and SCIM included.

Two tiers cover the spectrum. Free AuthKit covers up to 1M MAUs with SAML SSO, SCIM directory sync, Magic Auth, passkeys, and multi-factor auth. Enterprise opens negotiated contracts above the 1M cap with hardened SAML at scale, deeper directory controls, audit logs, and custom roles.

The load-bearing wedge is the 1M-MAU free cap including enterprise SSO. Where Auth0 caps free at 7,500 active users and Clerk at 10K MAUs, WorkOS lets B2B SaaS teams ship customer-facing login plus enterprise SSO without paid commitment until revenue justifies it. The catch is the audience scoping; WorkOS optimizes for B2B SaaS motions and AuthKit pre-built flows assume customer-counts in tens not thousands. For B2B SaaS shipping enterprise SSO from MVP, WorkOS is the unrivalled path; for high-volume B2C consumer apps, alternatives match better.

Pros

  • AuthKit free up to 1M MAUs (largest cap in lineup)
  • SAML SSO and SCIM directory sync included on Free
  • Audit logs and custom roles on Enterprise
  • Designed for B2B SaaS sales motions and customer-counts
  • Magic Auth and passkeys on every tier

Cons

  • Audience scoping; AuthKit pre-built flows assume B2B customer-counts in tens not thousands
  • Enterprise-only beyond the 1M MAU cap with no published mid-tier pricing
AuthKit free 1M MAUsSAML SSO includedEnterprise contractAuthKit free up to 1M MAUs; cancel-anytime

Best for: B2B SaaS engineering teams shipping enterprise SSO from MVP without paid commitment. AuthKit free up to 1M MAUs; Enterprise custom contract.

Data residency
8
Auth latency
9
Integration effort
9
Value
10
Support
8
Try WorkOS
#3

Firebase Authentication

7.8/10

Best Google-ecosystem passwordless auth with Spark free 50K verifications

Try Firebase AuthenticationSee Firebase Authentication alternatives

Google ecosystem mobile auth with Spark free 50K verifications across major social IdPs.

PlanMonthlyWhat you get
Spark (free)Freefree up to 50K verifications across major social IdPs
Blaze (pay-as-you-go)FreePAYG above the Spark cap with Identity Platform option

Firebase Authentication is the Google-ecosystem passwordless pick for mobile-first apps where the stack lives on Firebase Realtime Database, Firestore, Cloud Functions, or Crashlytics. Acquired by Google in 2014, Firebase Auth ships SDKs for iOS, Android, web, and Unity with social login providers across Google, Apple, Facebook, and GitHub.

Two tiers cover the spectrum. Spark covers the first 50K verifications monthly free across email and the major social providers with anonymous auth. Blaze opens pay-as-you-go above the cap at the regional verification rate with the option to upgrade to Identity Platform for SAML, OIDC, and MFA.

The load-bearing wedge is the Google ecosystem integration. Where Clerk and Stytch built around web-first auth and Auth0 built around enterprise CIAM, Firebase Auth shares an SDK with the rest of Firebase; for teams already shipping Firestore or Cloud Functions, adding auth is one Firebase-CLI command rather than a separate vendor evaluation. The catch is the missing first-class passkey support and the Google ecosystem dependency. For Firebase-already mobile teams, Firebase Auth is the no-brainer; for non-Google stacks or passkey-required apps, alternatives match better.

Pros

  • Spark covers 50K verifications free per month
  • iOS, Android, web, and Unity SDKs from one vendor
  • Anonymous auth for low-friction onboarding
  • Identity Platform upgrade for SAML, OIDC, and MFA
  • Google ecosystem integration with Firestore plus Cloud Functions

Cons

  • Missing first-class passkey support; relies on social and SMS as primary credentials
  • Google ecosystem dependency; teams off Firebase pay separate vendors anyway
Spark free 50K verifiesBlaze PAYGIdentity Platform upgradeSpark free 50K verifications; cancel-anytime

Best for: Firebase-already mobile teams who want auth in the same SDK as Firestore. Spark free 50K verifications; Blaze PAYG above cap.

Data residency
7
Auth latency
9
Integration effort
9
Value
8
Support
8
Try Firebase Authentication
#4

Clerk

6.9/10

Best modern dev-friendly passwordless auth with pre-built React components

Try ClerkSee Clerk alternatives

Modern dev-friendly auth with passkeys and pre-built React UI on Free 10K MAUs.

PlanMonthlyWhat you get
FreeFreelaunch a SaaS with passkeys plus social plus organizations
Pro$25.00/moproduction app with custom branding and session claims
Enhanced add-ons$100.00/moadd B2B orgs or enhanced auth one module at a time
EnterpriseCustomenterprise SAML and SOC 2 with negotiated MAU pricing

Clerk is the modern dev-friendly default for SaaS startups shipping customer-facing authentication in 2026. Founded in 2020, Clerk built around the thesis that auth should ship as drop-in React components rather than as a backend SDK plus custom UI; for Next.js teams the SignIn and UserButton components install in an afternoon and look polished without designer hours.

Four tiers serve four buyers. Free covers 10K MAUs with passkeys, social, email, and SMS plus pre-built UI. Pro adds a $25 base plus a small per-MAU fee with custom session claims. Enhanced add-ons price B2B organizations and enhanced authentication at the entry add-on rate, so teams pay only for what they need. Enterprise opens SAML SSO and SOC 2 with a negotiated contract.

The load-bearing wedge is pre-built UI plus organizations baked into Free. Where Auth0 and Stytch ship developer SDKs that customers wire into custom UI, Clerk ships hosted components and a fully-styled UserButton that drops into a Next.js app with one import. The catch is the per-MAU pricing climbing past 100K MAUs. For SaaS startups through Series A, Clerk is the no-brainer; for enterprise CIAM at hundreds of thousands of MAUs, alternatives cover better.

Pros

  • Pre-built React components install in an afternoon
  • Free 10K MAUs with passkeys, social, email, and SMS
  • Organizations baked into Free for B2B-style apps
  • Modular add-ons let teams pay only for what they need
  • SOC 2 Type 2 audited on Enterprise tier

Cons

  • Per-MAU pricing climbs past 100K MAUs
  • Hosted UI components limit visual customization for design-heavy brands
Free 10K MAUsPro $25/mo flatAdd-ons $100/mo eachFree 10K MAUs; cancel-anytime

Best for: SaaS startups shipping React or Next.js apps with customer-facing login. Free 10K MAUs; Pro $25 base; Add-ons $100 each; Enterprise.

Data residency
8
Auth latency
9
Integration effort
10
Value
9
Support
8
Try Clerk
#5

Supabase Auth

6.4/10

Best backend-bundled passwordless auth with Postgres and Row Level Security

Try Supabase AuthSee Supabase Auth alternatives

Backend-bundled with Postgres free up to 50K MAUs with Row Level Security and bundled storage.

PlanMonthlyWhat you get
FreeFreeauth bundled with Postgres free up to 50K MAUs
Pro$25.00/moproduction Postgres with auth at 100K MAU included
Team$599.00/mocompliance plus read replicas for scale teams
EnterpriseCustomBYO cloud and HIPAA on negotiated enterprise terms

Supabase Auth is the backend-bundled passwordless option for SaaS teams already on Postgres who want auth shipped in the same SDK. Founded in 2020 as the open-source Firebase alternative, Supabase built auth on GoTrue with row-level security that reads user identity directly from JWT claims; auth and database share the same Postgres connection.

Four tiers serve four buyers. Free covers 50K MAUs bundled with the Supabase project including email, social, magic links, and Row Level Security. Pro adds a small monthly base with 100K MAUs included and daily backups. Team adds compliance, read replicas, and dashboard SSO. Enterprise opens BYO cloud and HIPAA on a negotiated contract.

The load-bearing wedge is the bundling with Postgres plus storage. Where Clerk and Auth0 ship as standalone services that engineering teams integrate alongside their database, Supabase Auth and Postgres ship in one SDK and share a connection pool; for teams already on Supabase, adding auth is a configuration change rather than vendor procurement. The catch is the missing passkey support and the lock-in to Supabase as the database vendor. For Postgres-already SaaS teams, Supabase Auth is the no-brainer; for non-Supabase stacks, alternatives integrate without the commitment.

Pros

  • Bundled with Supabase project including Postgres and storage
  • Row Level Security reads identity directly from JWT claims
  • Free 50K MAUs (largest free cap among standalone backends)
  • Self-host option for compliance-bound deployments
  • BYO cloud and HIPAA available on Enterprise

Cons

  • Missing first-class passkey support as of May 2026
  • Lock-in to Supabase as the database vendor; not standalone auth
Free 50K MAUsPro $25/mo baseTeam $599/moFree 50K MAUs; cancel-anytime

Best for: SaaS teams on Postgres who want auth shipping in the same SDK as the database. Free 50K MAUs; Pro $25 base; Team $599; Enterprise.

Data residency
7
Auth latency
9
Integration effort
9
Value
9
Support
7
Try Supabase Auth
#6

Auth0 (Okta)

5.8/10$2,580/yr more

Best established CIAM with Universal Login depth and SOC 2 history

Try Auth0 (Okta)See Auth0 (Okta) alternatives

Established CIAM brand leader with Universal Login plus custom Actions and SOC 2 history.

PlanMonthlyWhat you get
FreeFreeevaluate Auth0 with the 2026-expanded free tier including SSO and SCIM
Essential B2C$35.00/mosmall consumer app with Universal Login and basic MFA
Professional B2C$240.00/moconsumer app with adaptive MFA and custom database
EnterpriseCustomenterprise SLA with private deployment and SAML

Auth0 by Okta is the established CIAM brand-recognition leader for organizations whose evaluation starts with Okta-owned vendors. Founded in 2013 and acquired by Okta in 2021, Auth0 built the canonical CIAM platform with Universal Login, custom Actions, and the deepest enterprise reference base in the lineup.

Four tiers serve four buyers. Free covers 25K MAUs (expanded from 7,500 in early 2026) with unlimited social logins, Self-Service SSO, SCIM, and 1 external Enterprise connection. Essential B2C ships at the entry rate with Universal Login plus basic MFA for 1,000 included MAUs. Professional B2C is the upgrade tier with adaptive MFA plus custom database at roughly seven times the entry. Enterprise opens private cloud on a negotiated contract.

The load-bearing wedge is enterprise reference base plus Universal Login customization depth. Where Clerk and Stytch built around modern developer ergonomics, Auth0 built around enterprise security and compliance posture; for security-team-reviewed vendor decisions, Auth0's audit and SOC 2 history ships answers nobody else has. The catch is the price cliff between Essential B2C and Professional B2C at the same MAU count. For enterprise CIAM, Auth0 is the proven path; for SaaS startups under 25K MAUs, the 2026-expanded free tier is now genuinely competitive.

Pros

  • Established enterprise reference base since 2013
  • Universal Login customization depth nobody matches
  • Free tier expanded to 25K MAUs in 2026 with Self-Service SSO and SCIM
  • Adaptive MFA plus custom database on Professional B2C
  • Now Okta-owned with security and compliance heritage

Cons

  • Price cliff between Essential B2C and Professional B2C at the same MAU count, roughly seven times the entry rate
  • Okta acquisition consolidated CIAM independence and pricing leverage
Free 25K MAUs (2026)Essential B2C $35/moProfessional B2C $240/moFree 25K MAUs (2026 expansion); cancel-anytime

Best for: Enterprise CIAM with security-team review on every vendor decision. Free 25K MAUs (2026 expansion); Essential B2C $35/mo; Professional B2C $240/mo; Enterprise.

Data residency
9
Auth latency
9
Integration effort
8
Value
7
Support
9
Try Auth0 (Okta)
#7

Logto

5.6/10$852/yr more

Best open-source passwordless auth with MPL-2.0 self-host and cloud upgrade path

Try LogtoSee Logto alternatives

Open-source MPL-2.0 auth with cloud Free 5K MAUs and self-host with no MAU cap or licensing fee.

PlanMonthlyWhat you get
Free (cloud)Freecloud free tier with passkeys and all auth methods
Hobby$16.00/moside project with custom JWT and 10K MAUs
Pro$96.00/momulti-tenant with SAML SSO at 50K MAUs included
Self-host (OSS)Freeself-hosted OSS with no MAU cap or licensing fee

Logto is the open-source MPL-2.0 passwordless platform for organizations who want self-hostable identity with a cloud upgrade path. Founded in 2021 by Silverhand in Singapore, Logto built around the thesis that modern auth should ship as open source you can fork and self-host, with a cloud tier for teams who would rather not run the database themselves.

Four tiers cover the lifecycle. Cloud Free covers 5K MAUs with every major auth method including passkeys plus pre-built UI. Hobby adds a small monthly base with 10K MAUs and custom JWT claims. Pro opens 50K MAUs plus SAML SSO, custom domains, and multi-tenant architecture. Self-host opens MPL-2.0 OSS with no MAU cap or licensing fee.

The load-bearing wedge is OSS-with-cloud-upgrade-path. Where Clerk and Auth0 are SaaS-only and Stytch ships only as a cloud service, Logto runs entirely on customer infrastructure under MPL-2.0; for teams who want vendor-independence today and the option to migrate to managed cloud later, Logto is the only path supporting both. The catch is the operational lift for self-hosted production plus the smaller community than Keycloak's CNCF status. For OSS-curious teams, Logto is the proven path; for compliance-bound enterprises, Keycloak covers more reference deployments under Apache 2.0.

Pros

  • MPL-2.0 OSS with no MAU cap or licensing fee on self-host
  • Cloud upgrade path for teams without operations capacity
  • Passkeys and pre-built UI on Cloud Free 5K MAUs
  • Multi-tenant architecture on Pro
  • Custom JWT claims on Hobby for SaaS use cases

Cons

  • Operational lift for self-hosted production deployment plus HA configuration
  • Smaller community than Keycloak CNCF status; reference deployments are fewer
Cloud Free 5K MAUsHobby $16/moPro $96/moCloud Free 5K MAUs; OSS unlimited self-host

Best for: OSS-curious modern auth teams who want vendor independence with a cloud upgrade path. Cloud Free 5K MAUs; Hobby $16; Pro $96; OSS self-host.

Data residency
9
Auth latency
8
Integration effort
7
Value
9
Support
7
Try Logto

How we picked

Each pick gets a transparent composite score from price, features, free-tier availability, and editor fit. Pricing flows from our live database, so when a vendor changes prices the score updates here too.

We weight price 40 percent, features 30, free tier 15, and fit 15. Editorial pinning places Clerk #1 and Auth0 #2 over composite-leading Stytch, WorkOS, and Firebase Auth (tied at 9.250 via free-up-to-cap renormalization). Most picks use tiered MAU or PAYG; Logto ships MPL-2.0 OSS self-host. Auth0 typical $240 reflects Professional B2C; realistic entry is Essential B2C $35/mo.

We don't claim "30,000 hours of testing." Our methodology is the formula above plus the editor's published verdict for each pick. Verifiable, auditable, and updated when the underlying data changes.

Why trust Subrupt

We're a subscription tracker first, a buying guide second. Every claim on this page is something you can check.

By use case

Best modern dev-friendly passwordless auth

Clerk

Read the full review →

Try Clerk

Best passwordless-first dev API

Stytch (Twilio)

Read the full review →

Try Stytch (Twilio)

Best B2B SaaS passwordless auth

WorkOS

Read the full review →

Try WorkOS

Best established CIAM passwordless auth

Auth0 (Okta)

Read the full review →

Try Auth0 (Okta)

Best open-source passwordless auth

Logto

Read the full review →

Try Logto

Didn't make the list

Stytch (Twilio)

Already in picks (third) but worth flagging the passwordless-first heritage. Built without password support before adding it for legacy migrations; SDK ergonomics reflect that conviction.

WorkOS

Already in picks (fourth) but worth flagging the 1M MAU AuthKit cap. WorkOS lets B2B SaaS teams ship customer-facing login plus enterprise SAML SSO without paid commitment until product-market fit.

Supabase Auth

Already in picks (fifth) but worth flagging the Postgres bundling. Auth and database share one SDK and connection pool; adding auth is a config change not vendor procurement for teams on Supabase.

Logto

Already in picks (seventh) but worth flagging the MPL-2.0 OSS option. Self-host on customer infrastructure with no MAU cap or licensing fee, plus a cloud upgrade path for teams without ops capacity.

How to choose your Passwordless Authentication

Seven product shapes compete for one head term

The 'best passwordless authentication' search covers seven distinct shapes. Modern dev-friendly all-in-one (Clerk) targets SaaS startups shipping React or Next.js apps. Established CIAM (Auth0, now Okta-owned) targets enterprise procurement with security-team review. Passwordless-first dev API (Stytch) targets SaaS teams treating passwords as legacy infrastructure. B2B SaaS-focused (WorkOS) targets engineering teams shipping enterprise SSO from MVP. Backend-bundled (Supabase Auth) targets teams already on Postgres. Google ecosystem (Firebase Auth) targets Firebase-already mobile apps. Open source self-host (Logto) targets OSS-curious teams who want vendor independence with a cloud upgrade path. The honest framework: identify your stack, your audience, and your scale before subscribing. A SaaS startup on Next.js shipping a B2B product to fewer than 10K customers makes a different vendor decision than a Firebase mobile team scaling consumer auth across millions of monthly active users.

Free-tier MAU caps drive SaaS-startup economics

Free-tier MAU caps separate the SaaS-startup-friendly vendors from the enterprise-procurement-only platforms. The cap landscape across the seven picks: WorkOS AuthKit free up to 1M monthly active users, Supabase Auth free up to 50K MAUs, Firebase Spark free up to 50K verifications per month, Auth0 free up to 25K MAUs (expanded from 7,500 in early 2026 with Self-Service SSO and SCIM included), Stytch and Clerk free up to 10K MAUs, Logto Cloud Free up to 5K MAUs. The honest framework: WorkOS AuthKit's 1M cap is roughly 40 times Auth0's expanded 25K cap and 100 times Clerk's 10K cap. For a B2B SaaS at Series A with 50K customer accounts, WorkOS stays free while Auth0 cliffs into Essential B2C and Clerk cliffs into Pro plus per-MAU overage. Free-tier caps are the load-bearing economic decision for SaaS startups; pricing tier comparisons matter less than the cap because most readers are below the first paid tier when they first integrate.

PAYG vs tiered: forecast accuracy at scale

Pricing model matters as much as price for SaaS teams forecasting auth bills. Tiered MAU plans (Clerk, Auth0, Logto, Supabase) charge a flat monthly base plus per-MAU pricing above an included quota. PAYG plans (Stytch, Firebase Auth) charge per MAU or per verification with no recurring base. Free-up-to-cap plans (WorkOS) charge nothing until the cap is hit, then negotiate enterprise. The honest framework: tiered plans are easier to forecast for stable usage but cliff into the next tier when traffic spikes; PAYG plans scale linearly with actual usage but make budget meetings harder. For seasonal SaaS or apps with unpredictable launch curves, PAYG (Stytch) avoids the overshoot. For predictable enterprise auth with steady MAU growth, tiered plans (Clerk Pro flat base plus per-MAU above 10K) make CFOs happier. Avoid the trap of comparing only sticker prices; the model determines whether the bill matches your actual traffic.

Passkeys are now table stakes; integration ergonomics differ

Passkeys (WebAuthn-backed credentials stored in the device secure enclave) replaced password-plus-MFA as the default secure credential through 2024-2025. Apple, Google, and Microsoft shipped device-side passkey infrastructure as part of operating system updates. Five of the seven picks ship first-class passkey support: Clerk, Auth0, Stytch, WorkOS, Logto. Two do not as of May 2026: Supabase Auth and Firebase Auth. The honest framework: passkey support is now table stakes for new auth integrations; what differentiates vendors is integration ergonomics. Clerk ships passkeys behind a hosted SignIn component that displays the system passkey prompt automatically. Stytch ships passkey primitives that teams wire into custom UI. Auth0 ships passkey support through Universal Login plus the Authentication API. The Supabase Auth gap matters most for teams shipping consumer apps where passkey adoption is a competitive advantage; for internal-only Postgres-backed apps, the gap is less load-bearing.

When to graduate from free: model 50K and 500K MAU bills

Model your bill at 50K MAUs and 500K MAUs before signing any auth contract. The math separates SaaS-startup-friendly vendors from enterprise platforms whose pricing assumes seven-figure ARR. At 50K MAUs: WorkOS stays free (under the 1M cap); Supabase Pro is the entry monthly base plus minimal MAU overage; Clerk Pro is the entry base plus 40K MAU overage charges; Auth0 lands on Essential B2C or Professional B2C depending on feature requirements; Stytch is roughly 40K MAUs at the PAYG rate above the free cap. At 500K MAUs the gap widens substantially: WorkOS still free; Supabase Pro climbs significantly above the included 100K MAUs; Clerk overage at the per-MAU rate becomes load-bearing; Auth0 requires Enterprise contract negotiation; Stytch PAYG bill scales linearly. The honest framework: the vendor that is cheapest at 10K MAUs may be the most expensive at 500K MAUs. Build a spreadsheet before signing.

When Clerk wins versus Auth0 versus WorkOS by company stage

Clerk versus Auth0 versus WorkOS is the load-bearing decision for SaaS engineering teams shipping new customer-facing auth in 2026. Clerk wins when (1) the stack is React or Next.js where Clerk's hosted components install in an afternoon, (2) the team values pre-built UI over custom design, (3) MAU scale stays under 100K through Series A. Auth0 wins when (1) enterprise procurement requires established vendor reference base and Okta brand recognition, (2) Universal Login customization depth matters more than ergonomic SDK design, (3) the team has security-team review on every vendor decision and Auth0's compliance heritage shortens approvals. WorkOS wins when (1) B2B SaaS shipping enterprise SSO from MVP without paid commitment, (2) AuthKit's 1M MAU free cap covers product-market-fit scale, (3) audience is B2B with customer-counts in tens or hundreds rather than B2C consumer scale. The honest framework: stack-first, audience-second, scale-third.

Frequently asked questions

Are these prices guaranteed not to change?

Vendor pricing changes regularly. Rates here are what each vendor advertises as of May 2026. Recent shifts: Auth0 expanded the free tier from 7,500 to 25K MAUs in early 2026 with SSO and SCIM included; Stytch was acquired by Twilio in November 2025. Clerk Pro $25/mo flat stable. Auth0 paid tiers $35 and $240 stable. Stytch PAYG $0.05/MAU stable. WorkOS AuthKit free 1M MAUs stable. Supabase Pro $25/mo stable. Firebase Spark free 50K verifications stable. Logto Hobby $16/mo and Pro $96/mo stable.

Does Subrupt earn a commission from any of these picks?

We track which picks have approved affiliate programs in our database, and the FTC disclosure block at the top of every guide names which ones currently have a click-tracking partnership. Affiliate revenue does not change ranking. The composite math runs against the same weights for every pick regardless of partnership; if a higher-paying vendor scores worse, it ranks worse. The picks-array order reflects editorial pinning around brand recognition and audience fit, not commission optimization.

Why is Clerk ranked first instead of composite-leading Stytch or WorkOS?

Clerk leads brand recognition for SaaS-startup developers shipping customer-facing login in 2026 and uniquely matches the modern-dev-friendly tile. Stytch and WorkOS tie for top composite math because their PAYG and free-up-to-cap pricing scores well on the price weight, but the head-term reader is mostly evaluating modern dev-friendly options. Stytch sits at #3 for passwordless-first conviction; WorkOS at #4 for B2B SaaS shipping enterprise SSO.

Should I pick Clerk or Auth0?

Pick by company stage and procurement style. SaaS startups on React or Next.js default to Clerk for the hosted components and 10K MAU free tier; Clerk Pro covers Series A scale comfortably. Enterprise teams with security review or established Okta procurement default to Auth0 for the reference base and Universal Login depth. The decision tree: pre-Series A SaaS startup, default to Clerk; enterprise CIAM with security-team review, default to Auth0.

When does WorkOS beat Auth0 for B2B SaaS?

Almost always for B2B SaaS shipping enterprise SSO from MVP. Auth0 expanded its free tier to 25K MAUs in early 2026 with SSO and SCIM included, but WorkOS AuthKit covers up to 1M MAUs free with the same enterprise features; the cap gap is roughly 40 times. Auth0 wins for B2C consumer apps where Universal Login customization matters, or when enterprise procurement requires Okta brand recognition. For B2B SaaS pre-product-market-fit, WorkOS is the unrivalled path.

Why don't I see Magic or SuperTokens in the picks?

Magic (formerly Magic Labs) and SuperTokens both have legitimate passwordless-auth user bases but neither cracks our seven-pick lineup. Magic narrowed focus to crypto wallet authentication after 2023; the consumer SaaS use case is now secondary to web3 wallet integration. SuperTokens ships a strong open-source IAM with self-host options that Logto covers in our lineup with broader feature support and a more active commercial cloud tier.

Are passkeys the same as MFA?

No. Passkeys are a primary credential that replaces passwords; MFA is an additional factor on top of an existing primary credential. A passkey-secured account already incorporates device-bound cryptographic verification, so most use cases do not require additional MFA. Five of the seven picks ship first-class passkey support: Clerk, Auth0, Stytch, WorkOS, and Logto. Step-up MFA on top of passkeys is supported but typically reserved for high-value actions like payment authorization.

How hard is it to switch auth providers later?

Painful but not catastrophic. Migrating user identities requires either a bulk export from the source vendor or a bridge mode where users re-authenticate against the old vendor on first login then get migrated. Auth0 ships export tools; Clerk supports bulk import via Backend API; Stytch and WorkOS have migration documentation. Social login users migrate cleanest because the IdP token is portable. Password-based accounts migrate hardest because hash algorithms differ between vendors.

When does self-hosting beat SaaS for passwordless auth?

When OSS licensing or compliance constraints are load-bearing, or when MAU scale exceeds the SaaS pricing model. Logto ships MPL-2.0 with no MAU cap or licensing fee on self-host; Supabase Auth ships open source on the same terms. Self-host wins for FedRAMP, HIPAA without BAA, or air-gapped requirements where identity data cannot leave customer infrastructure. SaaS wins for teams without those constraints; the operational lift of running auth HA exceeds the SaaS fee.

When does this guide get updated?

We aim to refresh /best/ guides quarterly when there are no major shifts, and immediately when there are. Major triggers: vendor pricing changes (rates stable through May 2026), new entrants (passwordless platforms expanding), passkey support shipping for currently-missing vendors (Supabase Auth and Firebase Auth as of May 2026), Stytch B2B add-on pricing changes, WorkOS AuthKit MAU cap changes from the current 1M. The lastReviewed date at the top reflects the most recent editorial sweep.

Subrupt Editorial

The team behind subrupt.com. We track subscriptions, surface cheaper alternatives, and publish buying guides where the score formula is on the page so you can recompute it yourself. We do not claim 30,000 hours of testing. What we claim is live pricing from our database, a transparent composite score, and honest savings math against a category baseline.

Last reviewed

Citations

Affiliate disclosure: Subrupt earns a commission when you switch to a service through our recommendation links. This never changes the price you pay. We only recommend services where there's a real cost or feature advantage for you, and our picks are based on the data on this page, not on which programs pay the most.

Related buying guides

Buying guide

Best Threat Intelligence Platforms of 2026

Read guide

Buying guide

Best VPNs of 2026

Read guide

Buying guide

Best Free VPNs of 2026

Read guide

Track your subscriptions on Subrupt

Add the Passwordless Authentication you pay for and see how much you'd save by switching.

Open dashboard

More buying guides

Independent rankings for the subscriptions worth paying for.

See all guides