We took the Heroku approach. All apps get a free *.authkit.app domain for the hosted login page.
AuthKit never has any WorkOS branding. Clerk puts "Powered by Clerk" on your login page unless you pay. This feels gross. Imagine if Heroku/Vercel were injecting ads into your app?!
AuthKit has free MFA. I believe everyone should get secure auth. Clerk charges to enable MFA. They also charge for passkeys and features like impersonation. Why?
Custom domains cost us $ to run (we pay Cloudflare) so we charge for this. It's also designed for commercial apps. The authkit.app is great for any hobby app.
This isn't a criticism but feedback from someone that is looking for a 3rd party auth service.
I am starting up my own business, I have spent some time evaluating AuthKit and I can't justify investing time on it. Specifically, I want to target small to medium sized companies that want SSO built into my services.
The fact that the auth would be at an *.authkit.app domain is disconcerting, users would think they have been click-jacked because they have left the domain they were expecting. Your comment about custom domains costing because of Cloudflare is strange given how much CF charge versus the $99 per month cost you charge, there seems to be a big order of magnitude difference, since under the Pro plan they charge 10c per additional domain. Perhaps you have additional services behind that, but it seems strange:
https://www.cloudflare.com/en-gb/plans/
The "Powered By x" would actually be preferable, many people are used to seeing things like that on payment screens.
Also, the SSO connectors being $125 per month per connection, rules out my target market. That is a lot in my market and it doesn't ease off as I grow, it's a fixed base cost. As I grow to 20-30 customers I'd be better off hiring a developer to implement the same features.
I get it that I am not the target market; that big businesses wouldn't bat an eyelid at that kind of costs. But for my purposes, I can't justify your costs. Good luck to you.
There are several open source options out there (several linked above) that could be a good fit for your business economics. I know lots of folks talk about Supabase and Auth.js on X.
If you have the time and patience, you can also certainly build it yourself. There's no miracles here, just complex engineering and solving a thousand edge cases.
If you decide to use open source, make sure you quickly update dependencies so you're always running latest. Ruby-SAML had a major vulnerability disclosed last month and thousands of apps were affected: https://workos.com/blog/ruby-saml-cve-2024-45409
The Clerk branding is a non-issue really. I mean, you just use the components and remove it with CSS lol, easy peasy. Although, I left it on one of my apps because I actually thought it made it look more secure but that's just me. My users aren't in the "know" so ymmv.
Splitting hairs, but the authkit.app domain basically is an ad no?
Yeah, I agree on the MFA and Passkeys. Impersonation is a toss up for me, I understand where they're coming from but also would be nice if it was in the free tier.
Looking at the authkit docs, unless I'm using Next or Remix... I need to store the refresh token, manage refreshing the access token, verify the access token, manage revoking the session and deleting the cookies. Clerk does all that for me so that's a win in my book (I understand you folks are working on more SDKs, so that'll be cool).
I don't doubt that Authkit is good, and I like seeing the competition. Clerk has been good to me for quite some time now. I've had to go into their Discord a few times for help and they were awesome, so that's kept me around even through the problems I've had. I've never felt like I was getting inferior support for being a free customer. I guess I'm more ride or die for Clerk than I thought lol.
But hey, to your credit you've convinced me to try out authkit on my next project so that's a win for you there. I'm always open to seeing what's out there.
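The comment above lists what an app has to do itself when no framework SDK handles sessions: store the refresh token, refresh the access token, verify the access token, revoke the session and clear the cookies. The block below is an added example of that lifecycle, not AuthKit or Clerk code; `SessionStore`, the HS256-style token format and the cookie names are stand-ins chosen for the demo. It shows the two checks people most often skip: verifying the signature before reading any claim, and treating reuse of an already-rotated refresh token as theft that revokes the whole session.

```python
"""Session lifecycle demo: signed access tokens, rotating refresh tokens,
revocation, logout cookies.  Added example with stand-in names; it is not
the API of AuthKit, Clerk or any other vendor."""
import base64
import hashlib
import hmac
import json
import secrets


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_access_token(claims: dict, key: bytes) -> str:
    """Compact header.payload.signature token, HMAC-SHA256 (JWT-like)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_access_token(token: str, key: bytes, now: float) -> dict:
    """Check the signature BEFORE trusting any claim, then check expiry."""
    try:
        header, payload, sig = token.split(".")
        given = _unb64(sig)
    except Exception:
        raise ValueError("malformed token")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


class SessionStore:
    """Server-side refresh-token state.  Refresh tokens rotate on every use;
    presenting an old (rotated) token is treated as theft and revokes the
    whole session.  Only hashes of refresh tokens are stored."""
    ACCESS_TTL = 300            # short-lived, stateless
    REFRESH_TTL = 7 * 86400     # long-lived, server-checked

    def __init__(self, key: bytes):
        self.key = key
        self.sessions = {}      # sid -> {"user", "current", "exp", "revoked"}
        self.by_hash = {}       # sha256(refresh token) -> sid

    @staticmethod
    def _h(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def _access(self, sid: str, user_id: str, now: float) -> str:
        claims = {"sub": user_id, "sid": sid, "iat": int(now), "exp": int(now) + self.ACCESS_TTL}
        return sign_access_token(claims, self.key)

    def issue_session(self, user_id: str, now: float):
        sid, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user_id, "current": self._h(refresh),
                              "exp": now + self.REFRESH_TTL, "revoked": False}
        self.by_hash[self._h(refresh)] = sid
        return self._access(sid, user_id, now), refresh

    def refresh(self, refresh_token: str, now: float):
        h = self._h(refresh_token)
        sid = self.by_hash.get(h)
        if sid is None:
            raise ValueError("unknown refresh token")
        s = self.sessions[sid]
        if s["revoked"] or s["exp"] <= now:
            raise ValueError("session revoked or expired")
        if s["current"] != h:
            s["revoked"] = True     # replay of a rotated token: assume theft
            raise ValueError("refresh token reuse detected; session revoked")
        new_refresh = secrets.token_urlsafe(32)
        s["current"] = self._h(new_refresh)
        self.by_hash[s["current"]] = sid
        return self._access(sid, s["user"], now), new_refresh

    def revoke(self, refresh_token: str) -> None:
        sid = self.by_hash.get(self._h(refresh_token))
        if sid is not None:
            self.sessions[sid]["revoked"] = True

    def is_active(self, claims: dict, now: float) -> bool:
        """A valid signature is not enough: the session may have been revoked."""
        s = self.sessions.get(claims.get("sid"))
        return s is not None and not s["revoked"] and s["exp"] > now


def logout_cookies() -> list:
    """Set-Cookie headers that clear both cookies; names are stand-ins."""
    attrs = "Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax"
    return [f"access_token=; {attrs}", f"refresh_token=; {attrs}"]
```

The access token is stateless, so `verify_access_token` alone cannot see a revocation; anything that must stop immediately (logout, admin lockout) has to go through `is_active`, or keep the access TTL short enough that waiting it out is acceptable.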
You wouldn't just blindly implement what the LLM generates. You would use it more as an efficient way to go through all the necessary docs. From there you'd sanity check the recommendations and _then_ implement a solution, applying your judgment along the way.
Hey thanks for the shout-out. I work at WorkOS / AuthKit.
tl;dr - we know this feature is missing and we are working on it
Changing email address is one of those simple-sounding features that has a ton of complex edge-cases that are critically important to get right. The crux of it is how organization membership/invites and resource sharing typically works with unconfirmed email addresses in apps. What happens with the old email address? Can a different user claim it? Are you allowed to change your email address if your account comes from SAML/SCIM? If you get this behavior wrong, it will lead to inconsistencies that can even cause security vulnerabilities.
Solving this for thousands of different types of apps of course makes the problem significantly more complex. It turns out different developers actually want slightly different behavior, so we need AuthKit to be customizable to accommodate this. More than anything, we want to avoid changing these APIs after launching them (even in beta) so there isn't developer thrash. We are working to make sure the solution is as complete as possible and that's taking longer than I would hope.
In the meantime we have some workarounds. e.g. popular apps like Cursor are built on AuthKit and work great.
Anyone can send me an email if you want to chat about this. We're also hiring if you want to work on it. :) mg@workos.com
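The comment above raises three questions an email-change flow has to answer: what happens to the old address, whether another user can claim it, and whether an account that came from SAML/SCIM may change it at all. The block below is an added example of one answer, written for this thread rather than taken from AuthKit or any vendor; `Directory`, the 30-day hold and the 24-hour confirmation window are policy choices made for the demo. The new address is only bound after a token sent to that address is confirmed, the old address is held for the same account for a period so nobody else can sign up with it, and IdP-managed accounts are refused.

```python
"""One possible email-change policy as a small state machine.  Added example
with stand-in names and policy constants; not how AuthKit implements it."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PENDING_TTL = 24 * 3600         # confirmation link lifetime
OLD_ADDRESS_HOLD = 30 * 86400   # old address reserved for its former owner


@dataclass
class User:
    id: str
    email: str
    managed_by: Optional[str] = None      # "saml" / "scim": the IdP owns the address
    pending_email: Optional[str] = None
    pending_hash: Optional[str] = None    # sha256 of the confirmation token
    pending_exp: float = 0.0


class Directory:
    def __init__(self):
        self.users = {}     # uid -> User
        self.held = {}      # normalized email -> (former owner uid, hold expiry)

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def _owner(self, email: str) -> Optional[str]:
        for u in self.users.values():
            if u.email == email:
                return u.id
        return None

    def _check_claimable(self, email: str, by_uid: str, now: float) -> None:
        owner = self._owner(email)
        if owner is not None and owner != by_uid:
            raise ValueError("address already in use")
        hold = self.held.get(email)
        if hold and hold[0] != by_uid and hold[1] > now:
            raise ValueError("address recently released by another account")

    def add_user(self, uid: str, email: str, managed_by: Optional[str] = None) -> None:
        self.users[uid] = User(uid, self._norm(email), managed_by)

    def signup(self, uid: str, email: str, now: float) -> None:
        email = self._norm(email)
        self._check_claimable(email, uid, now)
        self.add_user(uid, email)

    def request_change(self, uid: str, new_email: str, now: float) -> str:
        """Start a change.  Returns the token to mail to the NEW address; the
        old address should get a notice but no link.  Nothing changes yet."""
        u = self.users[uid]
        if u.managed_by:
            raise PermissionError(f"address is owned by the IdP ({u.managed_by})")
        new_email = self._norm(new_email)
        self._check_claimable(new_email, uid, now)
        token = secrets.token_urlsafe(32)
        u.pending_email = new_email
        u.pending_hash = hashlib.sha256(token.encode()).hexdigest()
        u.pending_exp = now + PENDING_TTL
        return token

    def confirm_change(self, uid: str, token: str, now: float) -> str:
        """Bind the new address; returns the old one.  Re-checks ownership at
        confirm time because someone may have taken the address meanwhile."""
        u = self.users[uid]
        if not u.pending_hash or now >= u.pending_exp:
            raise ValueError("no valid pending change")
        given = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(u.pending_hash, given):
            raise ValueError("bad confirmation token")
        self._check_claimable(u.pending_email, uid, now)
        old = u.email
        u.email = u.pending_email
        u.pending_email = u.pending_hash = None
        u.pending_exp = 0.0
        self.held[old] = (uid, now + OLD_ADDRESS_HOLD)
        return old
```

Invites and shares keyed on the old address are the part this demo deliberately leaves out: with the hold in place they cannot silently attach to a stranger who signs up with that address, but the app still has to decide whether they follow the account or lapse.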
I work at WorkOS and we naturally think AuthKit is the best solution. It's also free up to 1,000,000 users and supports advanced features like SAML/SCIM/RBAC/etc. https://AuthKit.com
Have you checked out Stytch? I'm more than a little biased as the founder but would love to hear any feedback you have if you do. I thought your blog post covered a lot of really important points that are often forgotten when evaluating auth.
We support both a user changing their own email and with our embeddable admin portal, you get an out of the box flow where your customers' admins can update the email (and any auth setting) for other team members.
SSOReady only does SAML. The rest of these are full identity solutions with the login box, email lifecycle, sessions, impersonation, users/orgs, RBAC, etc. Essentially "identity as a service" for your app.
It also seems like SSOReady is a yc pivot (single dev) that's just trying to clone WorkOS. Unclear if it's used by anyone in production yet.
You made it sound like it's a hobby project not ready for production — where do you see that in the README? Calling it a "WorkOS clone" because they mention it is an alternative also isn't fair — even if it solves the same problem! The fact that they previously worked on something else also doesn't work as an argument, not sure why you would present it as such.
Just be nice to each other, even when they're your competitors! It's not so hard.
I work at Pangea, and while I believe many of the other AuthN options listed are also easy to integrate into your apps, not many provide MFA and passkeys out of the box. Pangea offers MFA + passkeys out of the box and threat intel IP datasets to block bots from signing up / logging in. All of this comes out of the box :)
Stack Auth maintainer/co-founder here. Kinda disappointed by the lack of open-source solutions in this thread — if anyone's looking for managed auth like WorkOS/Clerk/Auth0, but wants it to be 100% open-source, you should give us a go. https://github.com/stack-auth/stack
The “human cost” of SSO is definitely the hardest part.
At WorkOS we solved this by shipping the whole config workflow in the form of an admin portal. It checks things like SAML certificate, signatures/assertions, attribute mapping, etc. and a zillion other edge cases across dozens of identity systems.