WorkOS founder here 👋 We now support all forms of auth via AuthKit 🔥 https://authkit.com
It has everything you need, including registration, password auth, social, MFA, and of course SSO+SCIM. The user management system supports flexible org modeling capabilities and upcoming features like RBAC, session management, and advanced security controls.
Latest updates on our changelog: https://workos.com/changelog
Oh and it's free up to 1,000,000 MAUs. (yes really! 🤑)
Thanks for the write-up. I work for FusionAuth and we're taking steps to make our config less 'maze-y' and more friendly for JavaScript devs. For example, a React SDK: https://github.com/FusionAuth/fusionauth-react-sdk/
But I really appreciated the unvarnished feedback. Looking forward to reading the Ory post.
(Supabase CEO)
This is a great write-up. Some responses to your red flags:
*No setting for session lifetime* - as you point out, there is a setting called "JWT expiry limit". I'll mention this to the Auth team and see if they want to consider changing the name of the setting.
*Client-side unencrypted tokens* - we give developers options. Server-side auth is definitely more secure, but that's not always an option (e.g., on React). If you have a server-side requirement, you can check out our Auth Helpers [0], which give you several patterns for server-side auth.
*No 2FA on their own platform* - we just released this to the Auth server in December [1]. It's on its way for the platform.
This comment caught my eye: "It also creates the ultimate vendor lock-in".
That's surprising! You can pg_dump your entire database, including your users. I can assure you that's easier than other Auth platforms.
With that said, I want to let you know that this is all fair feedback. We definitely care about Auth - it's one of our most important products. We have a dedicated Auth team who are fixing issues based on user feedback, as fast as possible. We receive a flood of feedback across a lot of channels, and we do our best to keep up. From a product perspective, we aim to deliver products that make sense in a Postgres context - you can see that we think deeply about how this service fits with Row Level Security in our MFA post below.
Your article has a lot of actionable insights, which I'll go through with the team to continue this improvement.
[0] Auth Helpers: https://supabase.com/docs/guides/auth/auth-helpers
[1] MFA: https://supabase.com/blog/mfa-auth-via-rls
Easily the best writeup comparing the popular offerings out there, prompting a considered response from a few of the package devs. Not too shabby for a first writing effort. More please…
Thank you for the detailed writeup!
I am one of the cofounders of SuperTokens.
I’d like to address the points you mention about SuperTokens:
We've reduced bundle sizes by 70% and reduced the number of cookies. Access token size will also be reduced with another update.
In terms of the implementation details in the app code - this is for things like SSR, session verification, etc., and these are the functions for those.
We are not specific to React, but yes, we provide a prebuilt UI only for React at the moment. We plan to add Angular / Vue UI components, but otherwise many Angular and Vue users use SuperTokens with their own sign-up page designs.
Take a look at https://goauthentik.io/
https://www.osohq.com/ - in-app authorization. Next to the SaaS offering, there is also an OSS lib. I wouldn't use the SaaS, but the lib might be interesting to investigate.
So far, I found Auth0 to be the best commercial offering out there. Their MAU is calculated on monthly active users. So you only get charged from those who are using your App.
On another note, if your offering is price sensitive, take a look at the offerings from the hyperscalers, like AWS Cognito, Azure Active Directory B2C, etc. Not as good as Auth0, but cheaper.
Great comparison! Another option worth considering, especially for low-code integrations, is https://unidy.io . It offers a flexible and user-friendly approach for integrating authentication with minimal coding effort, making it a strong contender for projects seeking quick and efficient solutions.
Really great post. At this point, I would also recommend https://stytch.com/. Heard good things about them, have yet to try them.
Thank you for this. Really curious why you didn't include something like AWS Cognito in this comparison for auth. Do you have any initial ideas about where that would fit into your conclusion?
After a year, do you still think the same about Supabase Auth? I see they have changed some things.
FWIW, Clerk is currently (Dec 2023) free for the first 10k users, and then is $0.02 after (+ $25 for business plan required for the customizable session duration). A pretty substantial price difference.
Great post! Very detailed!
There are also some alternatives to Supabase that have auth, such as Appwrite, which is another big startup, or PocketBase, which is mostly maintained by one guy.
So helpful! I went through this same journey myself and was surprised there wasn’t a clear winner. Thanks for writing this.
Found your analysis super helpful whilst trying to navigate the Auth space!!
Awesome practical analysis, thanks for sharing!