The auth decision used to be easy. You picked Auth0, signed the contract, and moved on. Then Okta bought them, the bill started growing in ways your finance team didn’t sign up for, and around 2024 a lot of teams started looking elsewhere. Two years later we have four serious players, four very different pricing philosophies, and a lot of confused engineering leads trying to read pricing pages that were clearly written by lawyers.
I’ve helped three teams pick auth platforms in the last twelve months — one B2C consumer app, one B2B SaaS, one weird hybrid that needed both. Here’s what I’d actually tell you over coffee about Clerk, Auth0, WorkOS, and Stytch in 2026, with the pricing math that nobody else seems willing to put in a comparison post.
The four bets in one sentence each
Clerk is the developer-experience play — the prebuilt React components are genuinely the best in the category, and they finally took B2B seriously with organizations, SAML, and SCIM. Auth0 is the enterprise incumbent that’s still everywhere, still adds a checkbox to every RFP, and still surprises teams with the bill at 100K MAU. WorkOS is the B2B-first contrarian that gives you a 1 million MAU free tier on user management and charges you for the enterprise connections you’d be selling anyway. Stytch is the passwordless-and-passkeys-first option with a per-connection B2B model that’s clean to reason about but expensive to expand.
That’s the whole landscape. The rest of this post is figuring out which one matches your actual situation.
The pricing math nobody wants to write down
Pricing pages for auth vendors are an exercise in misdirection. Everybody headlines a free tier, hides the SSO surcharge, and quietly meters something that scales faster than your user count. So here’s the actual math at four MAU brackets, with B2C-style pricing, accurate as of May 2026.
At 1,000 MAU every vendor is essentially free. You won’t pay anybody anything meaningful at this scale. Don’t optimize for this — pick the one that fits where you’ll be in 18 months.
At 10,000 MAU Clerk’s Pro is $25/mo with no overage (10K is the included floor), Stytch is free, WorkOS is free (still under 1M), and Auth0 just exited its 25K free tier — wait, no, Auth0’s free tier actually goes to 25K MAU now since their 2026 upgrade. The Auth0 free tier got better. Yes, really.
At 100,000 MAU the math gets interesting. Clerk Pro is roughly $25 + $0.02 × 90,000 = $1,825/mo. Auth0 B2C Essentials at $35/mo only covers up to 1,000 paid users; for 100K MAU you’re on Professional B2C ($240+/mo as base) with usage charges, and the realistic number is in the $1,500-$3,000/mo range depending on add-ons. WorkOS is still $0 if you’re under 1M MAU on User Management. Stytch Pro is $249/mo + per-MAU overage on top.
At 1,000,000 MAU the gap becomes a chasm. WorkOS is still $0 for User Management until you cross 1M, then $2,500/mo per additional 1M block. Clerk at 1M MAU is around $19,825/mo before any B2B or SSO add-ons. Auth0 at this scale is a sales call — and the answer is a five-figure monthly invoice. Stytch is in the same range as Clerk, give or take.
WorkOS isn’t a typo. The 1M MAU free tier on User Management is real. They make their money on enterprise connections (SSO, SCIM, Audit Logs) at $125 per connection per month. If your business model is “B2B SaaS where customers pay for the enterprise plan,” that’s exactly aligned with how you’d want to pay.
The SSO and SCIM cliff
Here’s the part that breaks budgets. Every vendor handles enterprise SSO differently, and the pricing varies by an order of magnitude.
| Vendor | SAML/OIDC Connection | SCIM | Notes |
|---|---|---|---|
| Clerk | $50/mo per connection on Pro | Included with B2B suite | Metered as of Feb 2026 — used to be unlimited on the Enhanced Auth add-on |
| Auth0 | 1 included on B2B Essentials, more on higher tiers | Included on B2B plans | 2026 B2B plans dramatically improved this |
| WorkOS | $125/mo per connection (volume discounts to $65) | Included | This is the entire revenue model |
| Stytch | ~$100/mo per connection, 3 included on Pro | Included on B2B | 5 free SSO/SCIM connections on the free B2B tier |
Clerk’s Feb 2026 change is the one to flag. They quietly moved Enterprise Connections from “unlimited under add-on” to “metered within Pro.” If you’ve been on Clerk since 2024 selling to a few enterprise customers a quarter, your bill went up. Worth checking your invoice.
Stytch’s free tier giving you five SSO connections is unusually generous. If you’re a seed-stage B2B company landing your first enterprise design partners, that’s genuinely free. After that the math is reasonable but adds up — five connections from Pro plus another ten enterprise customers is roughly $1,249/mo before MAU.
WorkOS is the most expensive per-connection but the only one where that’s the only thing you pay for. At 50 enterprise connections you’re at $80/conn × 50 = $4,000/mo, plus zero on the user-management side. Compare that to Clerk where you’d be paying for MAU, MAO (monthly active orgs), and SAML connections on top, and the picture shifts.
The honest take: if your B2B contracts include “SAML SSO required,” you should be charging your customers $1,000+/mo for that tier anyway. WorkOS aligns the cost to revenue cleanly. The other vendors meter you on stuff you can’t easily pass through.
Developer experience, ranked honestly
Clerk wins this and it’s not close. The <UserButton />, <SignIn />, <OrganizationSwitcher /> components drop in and look right. The Next.js App Router integration is the best of the four. If you’re shipping a React-flavored SaaS and you’ve never picked an auth provider before, Clerk is the path of least resistance.
WorkOS AuthKit caught up faster than I expected. It’s not as polished as Clerk’s components — fewer pre-built views, less theming flexibility — but it works, the docs are decent, and it covers the 80% case. The headless SDK is what most teams end up using anyway once they want custom flows.
Stytch is fine but you’ll write more code. Their SDK is well-designed, the passwordless flows are best-in-class, but you’re building your own UI on top. That’s a feature if you have a designer; it’s a bug if you’re a two-person team trying to ship by Friday.
Auth0’s developer experience is a story of legacy. The Universal Login flow does the job. The React SDK is mature. Their Actions/Rules system is powerful. But the docs are sprawling, the dashboard is a maze of “is this on the legacy version or the new one?”, and for any non-trivial customization you’ll be reading through fifteen-year-old forum posts. It works, but it doesn’t feel good in 2026.
Passkeys, the one feature you should actually care about
Passkeys went mainstream in 2024-2025. By mid-2026, most consumer apps that don’t support them feel quaint. Here’s where the four land:
Stytch has the deepest passkey story — they leaned into WebAuthn early, the cross-device recovery flow is genuinely thoughtful, and the SDK handles platform/cross-platform authenticator distinctions cleanly. If passkeys are core to your UX, this is your default.
Clerk added solid passkey support in 2024 and it works fine for most flows. Account recovery is the rough edge — if a user loses all their devices, the recovery story is more “email magic link fallback” than anything elegant.
WorkOS ships passkeys through AuthKit. It works. Nothing surprising in either direction.
Auth0 supports passkeys. Setup is more steps than the others. Documentation skews toward enterprise SSO use cases more than consumer passkey UX.
If you’re picking primarily based on passkey maturity in 2026, the order is Stytch > Clerk ≈ WorkOS > Auth0.
B2B multi-tenancy, where the real differentiation is
Multi-tenancy is the thing that separates “I bolted on auth” from “I built a real B2B SaaS.” Organizations, invitations, per-org SSO config, domain auto-join, role-based access — it adds up to a meaningful product surface.
WorkOS was built for this. Organizations are first-class, every API surface respects them, and the customer-facing IT admin portal (where your customer’s IT team configures their SSO themselves) is the cleanest in the category. If you’re selling to enterprise IT, the self-serve SSO setup is a real sales lever.
Clerk’s B2B suite caught up impressively. Organizations, invitations, custom roles, domain auto-join all work. The $1/MAO charge after the first 100 active organizations stings a bit if you have a long tail of free or low-activity customers, but it’s predictable.
Stytch has multi-tenancy built into the data model from day one — every user lives inside an organization. This is great for pure B2B but awkward if you have a hybrid B2C+B2B product.
Auth0 has Organizations now and they work, but it feels grafted on rather than designed-in. Per-org configuration is doable but more clicks. The 2026 B2B Essentials plan made this much more accessible than it used to be.
Migration cost, in honest hours
People love to ask “is migrating from Auth0 hard?” Yes. Always. Here’s roughly what to budget.
Auth0 → WorkOS: Two to four engineering weeks for a non-trivial app, mostly because you’re rehashing the user-database migration, rewriting middleware, and adapting any custom Actions/Rules. WorkOS provides import tooling but you’ll write glue code. Plan for a parallel-run period.
Auth0 → Clerk: One to three weeks for a React app where you can replace big chunks with Clerk’s components. Longer if you have custom flows. Their Auth0 importer handles the password hashes and metadata reasonably well.
Firebase Auth → Stytch: One to two weeks. Stytch publishes a Firebase importer; the bigger lift is rewriting client-side flows since Firebase patterns don’t translate one-to-one.
Anywhere → Auth0: This is rare in 2026. If you’re doing it, it’s because you got pulled into an enterprise sales cycle and your customer requires Auth0 specifically. Plan for two weeks minimum.
The migration footgun nobody mentions: session token format changes mean every active user gets logged out on cutover unless you build a token-translation layer. For a 100K MAU consumer app this is a significant support hit. Plan a comms window.
Lock-in risk and the export story
All four expose user data export via API. None of them lock you in technically. The lock-in is in the integration surface — every SDK call, every webhook, every JWT custom claim is a thing you’ll have to rewrite if you leave.
WorkOS adheres most closely to OIDC standards, which means migrating to or from another OIDC-compliant provider is the easiest path. Clerk’s session model is more proprietary; their JWTs work but the client-side session management is custom. Auth0 is OIDC-standard but has so many product surfaces (Actions, Rules, Hooks, Organizations, RBAC) that the integration surface alone is what locks you in. Stytch is reasonably standards-aligned but the passwordless-first APIs don’t all have direct equivalents elsewhere.
If you want to minimize lock-in: use the SDKs as thinly as possible, normalize on OIDC, and avoid vendor-specific features (Auth0 Actions, Clerk’s middleware helpers, etc.) unless you actively need them.
Verdict: which one should you actually pick
For a pure B2B SaaS targeting mid-market and enterprise, WorkOS is the default. The 1M MAU User Management free tier is real, the per-connection SSO model aligns to your enterprise pricing, and AuthKit is good enough. The IT admin portal is a sales asset. Pick this and don’t overthink it.
For a B2C consumer app shipping fast, Clerk. The components save you a week of UI work, the Pro plan pricing is predictable, and passkeys work out of the box. The MAU pricing scales linearly and you’ll know what you’re paying.
For a passwordless-first or passkey-heavy product — fintech, healthcare patient portals, anything where security UX matters — Stytch. They’re the only ones who treat passwordless as the default architecture rather than an option.
For a B2C+B2B hybrid where you have one user base spanning both, this is genuinely hard. Clerk handles it best in 2026, but you’ll fight the data model occasionally. WorkOS works if you can model B2C users as members of a default org.
For an enterprise customer who explicitly demands Auth0, Auth0. Sometimes the answer is “the customer wrote it into the contract.” Don’t fight it.
The mistake most teams make is picking on developer experience alone and then hitting the SSO cost cliff a year later when their first enterprise customer signs. Run the math at your projected 18-month MAU and enterprise connection count before you decide. It’s a one-hour exercise that saves a five-figure annual surprise.
If you want one thing to do this week: open your current auth provider’s invoice, count your enterprise connections, and run the equivalent number through WorkOS’s pricing page. The answer might surprise you in either direction.
Sources: