Auth Provider Shootout 2026 — Clerk vs WorkOS vs Auth0 vs Stytch vs Better Auth vs Kinde vs SuperTokens, plus the NextAuth and Lucia post-mortem

Prologue — The Era of Buying Authentication
Chapter 1 · The Eight Axes — What You're Actually Choosing
Chapter 2 · Ten Options — One-Line Identity, One-Line Risk
Chapter 3 · Feature Matrix — One Table
Chapter 4 · Pricing Matrix — Three Real Bills
Chapter 5 · Decision Tree — Which Should You Pick
Chapter 6 · Self-Hosting TCO — Is It Really Cheaper
Chapter 7 · Clerk vs WorkOS — The Most Common Comparison
Chapter 8 · Passwordless, Passkey, Magic Link — The 2026 Default
Chapter 9 · The Lucia Migration — Where To Go
Chapter 10 · NextAuth (Auth.js) vs Better Auth — Choosing a Library
Chapter 11 · Anti-Patterns — Ten Mistakes I See Constantly
Epilogue — Decision Checklist and What's Next
References

Prologue — The Era of Buying Authentication

The auth market in May 2026 looks nothing like it did five years ago. In 2021 the choice was "Auth0, Cognito, or roll your own." Today the same question has at least ten answers, each with a different price, operational burden, and feature set.

The market has split in two directions.

B2C / developer-experience camp. Clerk planted the flag. UI components, hosted auth, polished React/Next.js integration, and the promise of "working login in 10 minutes." Stytch sits beside it with passwordless, passkeys, and a Fraud SDK; Kinde tags along as the "simpler alternative."
B2B / enterprise-readiness camp. WorkOS invented this category. SAML, SCIM, directory sync, audit logs — every feature that enterprise buyers scream for, packaged as an API call. Auth0 used to live here but has been losing ground since the Okta acquisition due to price hikes and stagnation.

Meanwhile, two major events shook the self-hosted / OSS world during 2025. First, Lucia died. Maintainer pilcrowOnPaper officially announced the deprecation in March 2025; the library transitioned into a learning resource by late 2025. And the empty seat was taken by Better Auth: TypeScript-native, framework-agnostic, plugin architecture, self-hostable. Indie hackers migrated en masse during 2025.

This post compares every one of those options on the same axes. The theory pieces (OIDC, SAML protocols themselves) and the Keycloak self-hosting hands-on live in separate posts. This one is about what to buy.

Pricing changes fast. Every number here is May 2026 reference data; focus on structure, not exact figures. The framework needs to survive even if the prices move 6 months from now.

Flow: comparison axes → ten providers in one line each → feature matrix → pricing matrix → scenario-based decision tree → self-hosting TCO → Lucia migration → epilogue.

Chapter 1 · The Eight Axes — What You're Actually Choosing

Without a shared framework, this becomes "Clerk is better vs WorkOS is better" — a meaningless argument. Apply these eight axes to every provider.

Axis 1 · Target market (B2C vs B2B) Who is your user? An individual signing up directly (B2C), or a company buying seats (B2B SaaS)? Different answers mean different required features. B2C centers on social login, passwordless, and passkeys. B2B centers on SSO (SAML/OIDC), SCIM (auto-provisioning), organizations, roles, and audit logs. Many providers claim to do both well; in reality, each leans one way.

Axis 2 · Hosting model Pure SaaS, self-hostable, or both? SaaS removes the operational burden but trades away dependency, price, and data sovereignty. Self-hosting flips that trade. "Both" is often a marketing claim — few OSS companies seriously support self-hosting as a first-class path.

Axis 3 · Pricing model Per-MAU (Monthly Active User), per-seat, or feature-gated? MAU pricing is brutal for B2C apps — costs grow linearly with users. Per-seat (per organization member) makes sense for B2B. And the pattern of bundling "enterprise features" (SAML, SCIM, SSO) into a separate SKU that 5x's the bill is now standard across nearly every SaaS provider.

Axis 4 · Feature breadth (passkeys, MFA, organizations, SAML, SCIM, passwordless, magic links) Required: email/password, social, sessions. Bonus: passkey/WebAuthn, TOTP, SMS OTP, magic link, passwordless, SAML SSO, SCIM provisioning, B2B organizations, roles/permissions, audit logs, device management. At the same price tier, see what's included vs an upgrade.

Axis 5 · DX (developer experience) SDK quality, docs, examples, UI components, framework integrations. This is Clerk's home turf. Does a <SignIn /> component just work in 30 seconds, or do you hand-code the OIDC handshake?

Axis 6 · Integration depth (frameworks, BaaS, email, billing) Is it first-class in Next.js, Remix, SvelteKit? How does it tie into Stripe, Resend, Supabase, Vercel? Good integration cuts boilerplate; no integration means you ship adapter layers yourself.

Axis 7 · Data sovereignty and compliance Where does user data live? EU / Japan / Korea region options? SOC2, ISO 27001, HIPAA, GDPR DPAs, Japan APPI compliance. Self-hosting answers this trivially; for SaaS, the company headquarters and region availability determine it.

Axis 8 · Switching cost (lock-in) Can you export user data? Are password hashes portable (SCRAM, bcrypt, argon2 — is the format compatible)? When MAU-based pricing crosses your pain threshold, what does the migration actually cost? This is the most ignored axis. Providers that look cheap at low MAU sometimes bill 300k a year at 500k MAU — and "we'll just switch" may not be as easy as you think.

Chapter 2 · Ten Options — One-Line Identity, One-Line Risk

Quick rundown before the deep comparison.

Clerk — B2C auth with the best developer experience. UI components (<SignIn />, <UserButton />), B2B Organizations, Backend API. Pricing starts at Pro $25/month with 10,000 MAU free; SAML and SCIM live in an Enhanced Authentication add-on starting at$ 100/month. One-line risk: Clerk grew out of B2C and is adding B2B features; the B2B depth doesn't yet match WorkOS.

WorkOS — The company that invented the "Enterprise OAuth" category. SSO, SAML, SCIM, directory sync, audit logs delivered through a single API. Pricing has historically been per-connection ($125/month per SSO and per DSync connection), with a 1,000,000 unit monthly free allowance. In 2026, AuthKit (their hosted login UI) became free up to 1M MAU and bundled every auth building block. One-line risk: it also does B2C (social, password), but the real value lies in enterprise readiness, not plain auth.

Auth0 (Okta) — The SaaS-auth original and giant. Acquired by Okta for $6.5B in 2021. Has every feature, every integration, and charges for all of it. 2026 pricing: B2C Essentials starts at$ 35/month for 1,000 MAU; Pro at $240/month for 1,000 MAU; 5,000 MAU runs about$ 1,500/month already. B2B Enterprise Connections and Organizations are priced separately and expensive. One-line risk: post-acquisition stagnation. New feature velocity slowed, price hikes have become an annual event. The share of new projects starting on Auth0 has dropped steadily since 2023.

Stytch — Best-in-class passwordless, passkey, and magic link. Since 2024 they shipped a Fraud Prevention SDK using ML to detect bots, account takeover, and synthetic identity. B2C $0 up to 10,000 MAU and$ 249/month for Pro; B2B priced separately. One-line risk: narrower category. You can do all your auth with Stytch, but in the general SaaS-auth conversation Clerk and WorkOS get more airtime.

Better Auth — The OSS TypeScript auth library that ate the indie market in 2025. Framework-agnostic (Next.js, Nuxt, SvelteKit, Solid, Astro, Hono, Express...), DB adapters (Drizzle, Prisma, Kysely, MongoDB), plugin architecture (passkey, magic link, organization, admin, OIDC provider). MIT-licensed and self-hostable. One-line risk: it's a library, not a service. You own the DB, the email sending, the session store, and the operations. The 30-second Clerk onboarding doesn't exist here.

Kinde — Positions itself as "simpler and cheaper than Auth0." Australian-origin, grew quickly through 2024-25. Ships UI, B2B organizations, MFA, and social — at less than half the Auth0 price. Pro $25/month for 10,500 MAU; Plus$ 89/month for the same MAU plus more features. One-line risk: ecosystem, integrations, and doc depth still trail Auth0, Clerk, and WorkOS.

SuperTokens — Takes OSS self-hosting seriously. Apache 2.0 license, Docker-deployable, well-built React and Node SDKs. There's a managed SaaS tier, but the core identity is self-hosted. One-line risk: smaller ecosystem. Japanese and Korean communities are nearly nonexistent, and B2B Organizations, SAML, and SCIM are paywalled into the managed SaaS tier.

Supabase Auth — Bundled with the Supabase BaaS. User records live in Postgres and tie directly into Row Level Security. For teams already using Supabase, it's nearly free. Pricing rolls up into Supabase's plan (Pro $25/month and up). One-line risk: only valuable inside the Supabase stack. With a separate backend on a different DB, it feels off.

Firebase Auth (Google Identity Platform) — The default for mobile apps. Every Firebase team uses it. Free up to 50,000 MAU; above that, $0.0055-0.0025 per MAU. One-line risk: heavy vendor lock-in. Smooth only inside Google Cloud; integration from non-Firebase backends through Admin SDK feels thin.

Auth.js (NextAuth) — The de facto Next.js auth library. v5 renamed and went framework-neutral. OSS, self-hosted, BYO database. One-line risk: it's a library, not a service (same category as Better Auth). Has depth but a steep learning curve — sessions, DB adapters, and callbacks all need to be understood. 2025-26 has shown a noticeable migration toward Better Auth.

Logto — OSS self-hosted identity platform. MIT-licensed, supports OIDC, OAuth2, and SAML, ships a Console UI. Also has a Cloud option. One-line risk: as a newer entrant, ecosystem and integration depth trail Keycloak and SuperTokens.

Lucia (deprecated) — Beloved TypeScript-native session library, but the maintainer announced deprecation in March 2025. Do not use for new projects. Existing projects need to migrate — see Better Auth, Auth.js, or Arctic (the maintainer's successor for OAuth clients).

Chapter 3 · Feature Matrix — One Table

What each provider includes at the free or default tier. "Yes", "No", or "paid add-on" only.

Feature	Clerk	WorkOS	Auth0	Stytch	Better Auth	Kinde	SuperTokens	Supabase	Firebase	Auth.js
Email/Password	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Social Login	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Magic Link	Yes	Yes	Yes	Core	Plugin	Yes	Yes	Yes	Partial	Yes
Passkey/WebAuthn	Yes	Yes	Yes	Core	Plugin	Yes	Yes	Beta	Beta	Beta
TOTP MFA	Yes	Yes	Yes	Yes	Plugin	Yes	Yes	Yes	Yes	Partial
SMS OTP	Yes	Yes	Yes	Yes	Plugin	Yes	Yes	Yes	Yes	Partial
UI Components	Strong	Strong (AuthKit)	Yes	Yes	Weak	Yes	Yes	Yes	Weak	None
B2B Organizations	Yes	Strong	Paid	Yes	Plugin	Yes	Paid	Partial	Partial	Partial
SAML SSO	Paid	Core	Paid	Yes	Plugin	Paid	Paid	Paid	None	DIY
SCIM Provisioning	Paid	Core	Paid	Yes	None	Paid	Paid	None	None	None
Audit Logs	Partial	Core	Paid	Yes	Plugin	Partial	Partial	Yes	Partial	DIY
Self-hosting	No	No	Effectively No	No	Core	No	Yes	Yes	No	Yes
Open Source	Closed	Closed	Closed	Closed	MIT	Closed	Apache 2.0	Apache 2.0	Closed	MIT
Fraud/Bot detection	Partial	Partial	Paid	Core	None	Partial	None	None	Partial	None
JP / KR region	US/EU	US/EU	US/EU/JP	US/EU	Your host	US/EU/AU	Your host	Multi	Multi	Your host

How to read this: do not decide from the matrix alone. "Has feature" does not equal "production quality." Clerk's SAML and WorkOS's SAML use the same word but differ in depth. WorkOS defined this category; Clerk added it as a side feature.

Chapter 4 · Pricing Matrix — Three Real Bills

Abstract price tables are useless. Three real scenarios, with monthly bills.

Provider	Estimated monthly bill	Note
Clerk	~$250	Pro $25 + MAU overage (10K free, then ~$ 0.02 per MAU)
WorkOS AuthKit	$0	1M MAU free (2026 policy)
Auth0 B2C Pro	~$1,500-2,500	Already ~$1,500/month at the 5K MAU price level
Stytch	~$400-800	Pro $249 + MAU overage
Better Auth	$0 + hosting	Library is free, you pay for DB + servers
Kinde	~$89-200	Plus $89 + MAU
SuperTokens self-hosted	$0 + hosting	OSS, ops time billed separately
Supabase Auth	$25-100	Inside Supabase Pro
Firebase Auth	$0	50,000 MAU under free tier
Auth.js self-hosted	$0 + hosting	OSS, BYO DB and email

Reading: at 50K MAU B2C, WorkOS AuthKit, Firebase, and Supabase dominate on price. Libraries (Better Auth, Auth.js) are zero in licensing, but do not forget operational cost (next chapter).

Scenario B · B2B SaaS (200 customer companies, ~50 seats each, 30 percent SAML, 10 percent SCIM)

Provider	Estimated monthly bill	Note
Clerk + Enhanced Auth	~$200-400	Pro + Enhanced Authentication add-on ($100/month + SAML usage)
WorkOS	~$7,500-8,000	60 SSO connections at $125 =$ 7,500
Auth0 B2B	$5,000-15,000	Enterprise Connections + Organizations are quote-based
Stytch B2B	$499/month + add-on	SAML/SCIM bundled in B2B tier
Better Auth	$0 + hosting	DIY SSO, SAML, SCIM via plugins
Kinde Plus	$89/month + usage	SAML add-on extra
SuperTokens Pro	~$300-500	Self-hosted + some paid features
Supabase	Unsuitable	B2B SSO/SCIM are weak
Firebase	Unsuitable	No B2B SAML
Auth.js	$0 + hosting	SAML/SCIM are effectively DIY

Reading: at scale, WorkOS connection prices add up fast. Still cheaper than the ops cost of implementing a single SAML connection from scratch (debugging IdP quirks usually eats 1-2 weeks). Clerk's Enhanced Authentication looks cheapest on paper, but it does not match WorkOS on depth and directory-sync quality.

Scenario C · Global consumer app (500,000 MAU)

Provider	Estimated monthly bill
Clerk	$5,000-10,000+
WorkOS AuthKit	~$0 - low hundreds (within current 1M MAU free band)
Auth0 B2C	$20,000-40,000+
Stytch	$5,000-10,000
Better Auth	~$200-2,000 (DB + servers)
Firebase Auth	~$1,500-2,500 (MAU unit pricing)
Supabase	~$1,000+ (DB + traffic)

Reading: 500K MAU is the inflection point for nearly every MAU-priced SaaS. Clerk, Auth0, and Stytch bills get scary in this band. Reasonable choices: self-hosting (Better Auth on Postgres), WorkOS AuthKit (while their current policy holds), or Firebase.

All prices are estimates based on the May 2026 public pricing pages and release info. Real bills can swing ±50% with add-ons, support tiers, and overage. Always run your own workload through a real quote.

Chapter 5 · Decision Tree — Which Should You Pick

If eight axes, ten options, and three pricing scenarios still leave you stuck, the honest decision tree:

[Q1] Are you B2C, B2B, or both?
   |-- Pure B2C -> Q2
   |-- Pure B2B -> Q4
   '-- Both -> Q3

[Q2] B2C: expected MAU in 1 year?
   |-- under 10K -> Clerk Pro, or Better Auth / Auth.js (preference)
   |-- 10K to 100K -> Clerk / Stytch / Kinde by DX taste, or Better Auth self-hosted
   '-- 100K+ -> WorkOS AuthKit, Firebase, or Better Auth self-hosted (Clerk and Auth0 get expensive)

[Q3] Hybrid: do you actually care about B2B?
   |-- B2B is "nice to have" -> Clerk + Enhanced Auth, or Kinde
   '-- B2B is 50%+ of revenue -> WorkOS (B2C via AuthKit covers the rest)

[Q4] B2B: how much of your revenue is enterprise?
   |-- SMB / mid-market -> Clerk, Kinde, or Auth0 Pro
   '-- Enterprise / SAML / SCIM required -> WorkOS (dominant) or Auth0 B2B (if budget allows)

[Q5] Self-hosting requirements?
   |-- Data sovereignty / on-prem -> Keycloak (separate post) or SuperTokens / Logto
   |-- Full-stack TS team starting small -> Better Auth
   '-- Next.js + free DB / infra control -> Better Auth (favored over Auth.js v5)

Six core decision heuristics:

If B2B enterprise is 50%+ of revenue -> WorkOS is first pick. Few other answers. SAML, SCIM, and directory sync depth are simply a different category.
Indie / small team + Next.js -> Clerk or Better Auth. Choose by whether you want to manage anything (Clerk: no; Better Auth: yes, with full OSS and DB control).
Already on Supabase or Firebase -> use their Auth. Slapping in a separate auth provider makes RLS and sessions awkward.
Almost no reason to start a new project on Auth0. Same price band buys you a better-feeling product through Clerk, Stytch, or WorkOS.
If MAU might cross 500K, simulate the bill now. Migrating away once the bill scares you is even scarier.
If you are on Lucia, plan the migration today. See Chapter 9.

Chapter 6 · Self-Hosting TCO — Is It Really Cheaper

"Let's build our own auth" or "Let's self-host Keycloak / SuperTokens / Better Auth" almost always comes from a first invoice. SaaS Auth0 sent a $5,000 monthly bill; Keycloak runs on a$ 100 EC2 instance. Right?

Decompose the 5-year TCO.

SaaS side cost (Clerk, Auth0 B2C, etc.):

License: per-MAU bill. At 100K MAU, roughly $20K-100K per year.
Engineering: nearly zero. One person, one week for integration.
Operational burden: zero. Their SLA covers downtime.
Migration cost: lock-in. To leave, verify how password hashes, social connections, and sessions can be exported.

Self-hosted side cost (Keycloak, SuperTokens, Better Auth):

License: zero.
Infra: instances, DB, load balancer, backups. For serious HA and multi-region, $500-2,000/month.
Engineering: setup plus operations. This is the giant. Roughly 0.1-0.3 FTE of SRE time. Patches, upgrades, incident triage, SAML debugging. $20K-60K per year in labor.
Security burden: yours. CVE response, patching, penetration testing. A zero-day eats your night.
Compliance: SOC2 / ISO 27001 audits cover the auth system too — extra effort.

Very simplified 5-year cumulative simulation for a B2C app at 100K MAU:

Clerk Pro + MAU overage:
  ~$40K per year on average x 5 years = $200K
  Engineering: $5K (integration) + ~$0 (ops) = $5K
  Total: ~$205K

Better Auth self-hosted:
  License: $0
  Infra: $800/month x 60 months = $48K
  Engineering: 0.2 FTE x 5 years x $150K/year = $150K
  Total: ~$200K

Surprise: the 5-year TCO comes out roughly equal. Self-hosting is not "free." If you account for engineering honestly, SaaS and self-hosting end up at similar cost. SaaS wins when: auth is not your core business, the team is small, and you'd rather spend ops time elsewhere. Self-hosting wins when: data sovereignty demands it, MAU is in the millions, you need deep auth customization, or you already have an SRE who runs auth well.

Chapter 7 · Clerk vs WorkOS — The Most Common Comparison

The single most common question. Both are well-built; they live in different categories.

Clerk wins when:

Full-stack, B2C-first, Next.js-first.
You want <SignIn /> and <UserButton /> to deliver a usable screen in 30 seconds.
Organizations are a "nice-to-have" rather than the core business.
Indie / small team / early-stage startup.

WorkOS wins when:

B2B SaaS where enterprise customers are a large share of revenue.
SAML / SCIM is effectively required (Okta, Azure AD, OneLogin, Google Workspace connections).
You already have your own signup UI and just want to add enterprise readiness.
Or it is a brand-new project and AuthKit's 1M-MAU-free policy makes hosted login attractive.

Some teams use both. B2C side on Clerk; enterprise connections on WorkOS. Not the cleanest, but doable.

2026 shift: AuthKit grew beyond SAML / SCIM to include social, passwordless, and passkey in a hosted UI, overlapping Clerk's home turf. The 1M MAU free policy is pulling indies and startups in. Clerk has pushed the other way with B2B Organizations and Enhanced Authentication. The category boundary is blurring.

Chapter 8 · Passwordless, Passkey, Magic Link — The 2026 Default

In 2026, "password login" is not the default for new projects anymore. The default is one of:

Passkey (WebAuthn). Public key stored on the device or in a password manager (1Password, Bitwarden). iCloud Keychain and Google Password Manager sync them across devices. Users never "remember a password." Best UX, best security.
Magic link. A one-time link via email. Very simple UX but suffers from email delivery latency and skepticism about email itself as an auth factor.
OTP (email or SMS). Six-digit codes. SMS is declining due to SIM-swap risk and telecom cost.

The 2026 trend: passkey first, magic link fallback, SMS deprecated. Apple, Google, and Microsoft now back passkey at the OS level; device adoption exceeds 80%. The learning curve has effectively flattened.

Passkey depth by provider:

Provider	Passkey support
Stytch	Core category, deepest support
Clerk	Stable first-class support
WorkOS AuthKit	Stable first-class support
Auth0	First-class support
Kinde	First-class support
Better Auth	Passkey plugin (stable)
SuperTokens	First-class support
Supabase	Beta
Firebase	Beta, platform variation
Auth.js	Beta, adapter-dependent

Magic link exists in nearly every provider. Differences emerge in deliverability, template customization, resend logic, and rate limiting — the boring details.

Chapter 9 · The Lucia Migration — Where To Go

In March 2025, Lucia's maintainer pilcrowOnPaper posted this official notice:

Lucia, as a library, will not receive further maintenance.
His authentication learning guide remains free on GitHub as a learning resource.
His OAuth client library Arctic continues to be maintained and developed.
New projects should pick another library (or build their own).

Migration options:

Option 1 - Move to Better Auth. The spiritual successor. TypeScript-native, session-based, DB adapters, plugins. The user / session table schemas are similar (id, user_id, expires_at), and the email + password flow translates cleanly. The most popular 2025-26 migration path.

Option 2 - Move to Auth.js v5. For Next.js-heavy stacks. The adapter API is different, and the callback / session model takes more work to reconcile.

Option 3 - Arctic + your own session management. Split out only the OAuth piece. Manage sessions yourself in your DB / cookies. Closest to the "Lucia guide" philosophy. Smallest learning cost but you accept session code scattered across your codebase.

Option 4 - Move to a SaaS like Clerk or WorkOS. When direct management of Lucia became too costly. Mandatory check: password hash format compatibility. argon2 / bcrypt imports are usually supported, but SCRAM or older Lucia SHA-256 variants may need a custom migration script.

Migration checklist:

Export user table; import into new schema.
Verify password hash format compatibility.
Plan for session-token / cookie-name change and existing-session invalidation policy.
Handle email-verification and password-reset tokens.
Preserve social connections (provider user_id mappings).
Choose between dual-write gradual migration and big-bang cutover.

Chapter 10 · NextAuth (Auth.js) vs Better Auth — Choosing a Library

If you go the self-hosted-library route, the choice narrows to these two.

Auth.js (formerly NextAuth) — Long history of stability, huge user base, many integrations. v5 introduced the auth() helper, App Router friendliness, and @auth/core for framework neutrality. Downsides: complex callback API (signIn, session, jwt), DB adapter behavior varies subtly. Goes deep, but the learning curve is steep.

Better Auth — Showed up in 2024, exploded in 2025-26. More intuitive API, cleaner plugin system, auto-generated DB schemas, CLI tooling. Stronger TypeScript type inference. Drizzle, Prisma, Kysely, MongoDB adapters. Next.js, Nuxt, SvelteKit, Solid, Astro, Hono, Express, Tanstack Start — all first-class.

How to pick:

Already using Auth.js and happy with behavior - no reason to switch.
Greenfield project - Better Auth is favored. DX, plugin system, docs all feel better.
Multi-framework (same auth across Next.js + SvelteKit + Hono, etc.) - Better Auth.

2026 npm trends: Auth.js maintains a stable user base; Better Auth is in explosive growth. Auth.js maintainers themselves have begun adopting design ideas from Better Auth.

Chapter 11 · Anti-Patterns — Ten Mistakes I See Constantly

From a year of code reviews and consulting.

JWT used as a session with no revoke. Access token TTL of 24h + no revoke = a fired employee makes API calls all day. Short TTL + refresh + revoke list, or session-based.
Buying Auth0 then reimplementing every feature manually. If you write your own signup form, email delivery, and MFA, you forfeit the reason to pay Auth0. Use Universal Login or the SDK widgets.
Assuming Clerk / Stytch migration cost is zero. "If MAU grows, we'll switch" — but verify you actually can export password hashes, social connections, and sessions.
Buying WorkOS without SAML. WorkOS's value-1 is enterprise SSO. Without SAML or SCIM, you are leaving half the value on the table.
Supabase Auth + a separate Postgres. Supabase Auth wants its user table in Supabase Postgres for RLS / triggers to feel natural. Splitting it out gets awkward.
Passkey added with no backup fallback. A user who loses their device gets locked out. Magic link or recovery codes are mandatory.
Hand-rolling SAML debugging. Okta, Azure AD, OneLogin, Google Workspace each have quirks; IdP-initiated vs SP-initiated flows differ. You will spend two weeks in a swamp. This is the WorkOS premium.
MAU pricing not matched to your own MAU definition. The provider's MAU definition (e.g., any user who logged in once that month, or any session that has not expired) may differ from yours. 1M signups with 50K actives is a different bill.
Adding passkey but not measuring uptake. Actual usage depends heavily on signup flow, UI copy, and iOS / Android mix. Checking the "passkey supported" box without measurement is suspect ROI.
Running on Lucia without a migration plan. Within a year this becomes mandatory. Do not procrastinate.

Epilogue — Decision Checklist and What's Next

Decision checklist

Target market: B2C, B2B, or hybrid?
1-year and 3-year MAU projections.
Enterprise customer share and SAML / SCIM mandatoryness.
Self-hosting vs SaaS decision (5-year TCO comparison).
Passkey, magic link, and MFA policy.
Migration-cost evaluation up front (the lock-in axis).
Data sovereignty and region needs (especially EU, Korea, Japan).
Compliance demands (SOC2, ISO 27001, HIPAA, GDPR, APPI).
Operations burden vs engineering cost honest assessment.
Most importantly: "The worst option is building your own" — you will regret it within 24 months.

Anti-pattern recap

Building auth from scratch.
Doing only the initial MAU math, never the 12-month look-ahead.
Choosing Auth0 by default (in 2026, it is no longer the default).
Assuming self-hosting is "free."
Adding passkey with no measurement and no fallback.

What's next

"WorkOS AuthKit hands-on — 1M MAU free auth on Next.js in 30 minutes."
"Better Auth full-stack setup — Drizzle, Postgres, Resend, passkey plugin guide."
"Enterprise SAML debugging — Okta, Azure AD, OneLogin, Google Workspace compatibility matrix."
"Auth migration — password-hash compatibility and gradual cutover patterns."

If you have to decide auth for the next project, use the eight axes, ten options, and decision tree above to narrow to two or three finalists in 30 minutes. Then open the pricing pages of those finalists and run your own workload through a real quote. Do not decide auth by guesswork.