tools / 04 — updated may 2026

Best authentication services for indie SaaS

Five auth tools that hit the spectrum from 'free library' to 'managed platform.' Picked for honest pricing curves, B2B feature support, and exit ramps that don't require user-password resets.

5 services · free → $1k+/mo · updated may 2026
tldr.txt — tools/auth-services.md · our pick
$ cat tldr.txt

Auth.js if you want to own the database and the UI and your needs are conventional. Clerk if your time is worth more than the per-MAU bill and B2B features (orgs, SSO) are on the roadmap.

the list / 5 tools

The list

Five platforms, ordered editorially — top of list isn’t “best,” it’s the shape that fits the most indie creators. Each card has the verdict tag, the pricing receipt, and the honest fit / skip lists. Affiliate links are disclosed.

01

Auth.js

Authjs (open source)
our pick · free

Open-source auth library for Next.js (formerly NextAuth.js), now framework-agnostic. OAuth providers, sessions, JWT — you own the database and the UI.

pricing.txt — auth-js · monthly
Library | open source · self-hosted | free
Database | your existing Postgres | $0+
use for
  • Auth is a load-bearing part of your app and you want to own the database, schema, and UI.
  • Per-MAU pricing doesn't fit your business model — high-volume free users, for instance.
  • Your auth needs are conventional (social + email) and you don't need B2B / SSO features.
  • You're philosophically uncomfortable with users-as-a-service for your core product.
  • Engineering time is cheaper for you than $1k+/mo at scale — typical for early-stage and indie.
skip for
  • B2B features (organizations, SSO, RBAC, invitations) are core to the product — you'd build it all from scratch.
  • Hosted UI components matter — Auth.js gives you the logic, you write the JSX.
  • You'd rather not own the auth surface area at all (security audits, password storage, session revocation).
02

Clerk

Clerk Inc.
B2B pick

Managed auth platform with prebuilt UIs, B2B features (orgs, SSO, RBAC), and Next.js-first integration. You ship a SignIn component, not a system.

pricing.txt — clerk · monthly
Free | 10k MAU · social + email | free
Pro | +$0.02/MAU over 10k · SSO included | $25/mo
Enterprise | custom · SAML · SOC 2 | $$$
use for
  • You're shipping a B2B SaaS and orgs / SSO / multi-tenancy are on the roadmap.
  • Your team's time is worth more than the per-MAU pricing — you'd rather pay than build.
  • MFA, passkeys, and active-session management are required (security or compliance).
  • You want a polished UI on day one without designing or building it.
  • Compliance posture (SOC 2, GDPR, HIPAA) matters and you'd rather inherit Clerk's.
skip for
  • Per-MAU pricing breaks your model — consumer apps with 100k+ free users are punished.
  • You need to own the database (compliance, philosophical, custom schema needs).
  • Your auth flow is highly custom — Clerk's component customization is bounded by their primitives.
03

Supabase Auth

Supabase Inc.
bundled pick

GoTrue-based auth bundled with the Supabase Postgres + storage + realtime platform. Free up to 50k MAU on the same tier as the database.

pricing.txt — supabase-auth · monthly
Free | with Supabase free · 50k MAU | free
Pro | with Supabase Pro · 100k MAU | included
Team+ | production-grade · SOC 2 | with Pro+
use for
  • You're already using Supabase for the database — auth comes free with it.
  • Your app is Postgres-shaped and you want users in `auth.users` you can JOIN against.
  • Magic links, OAuth providers, email/password are the auth shape you need.
  • You're cost-sensitive and the bundled-pricing model fits.
  • Self-host option (GoTrue is open source) matters as an exit ramp.
skip for
  • You're not using Supabase for the database (auth-only Supabase doesn't make sense).
  • B2B features (orgs, SSO, RBAC) are needed at scale — you'd graduate to WorkOS.
  • Polished hosted UI components are a hard requirement — Supabase Auth is auth-only, you build UI.
04

WorkOS

WorkOS Inc.
enterprise pick

B2B-first auth + identity infrastructure. SSO, SCIM, directory sync, audit logs — the things enterprise customers ask for. AuthKit is the new managed auth UI layer.

pricing.txt — workos · monthly
Free | 1M MAU · core auth + AuthKit | free
Enterprise SSO | $125/connection/mo (often free first 1M MAU) | $125+/conn
Directory Sync | $125/connection/mo | $125+/conn
use for
  • You sell to enterprise customers and SSO/SCIM are RFP-line-items.
  • You want a managed auth UI (AuthKit) without giving up the enterprise feature set.
  • Your business model can absorb $125/mo per enterprise customer connection (most B2B can).
  • Audit logs and directory sync are core compliance features for your buyers.
  • You want to graduate from a simpler auth without ripping it out — WorkOS sits next to existing solutions cleanly.
skip for
  • You're consumer-facing — enterprise SSO infra is overkill at indie/SMB scale.
  • Per-connection pricing doesn't fit your model — direct SaaS without enterprise tiers.
  • You want one tool to do everything; WorkOS layers on top of other auth, doesn't replace it for consumer flows.
05

Lucia

pilcrowOnPaper (open source)
indie pick

Tiny TypeScript auth library focused on session management. Not a framework — primitives you wire up. The 'I want to understand my auth' choice for indie devs.

pricing.txt — lucia · monthly
Library | open source · MIT | free
Database | your existing DB | $0+
use for
  • You want to understand every line of your auth implementation.
  • TypeScript-first, framework-agnostic library that doesn't lock you into Next.js.
  • Session-based auth is the right shape (long-lived sessions, server-side validation).
  • You're comfortable wiring up OAuth providers manually — Lucia gives you primitives, not recipes.
  • Smaller bundle than Auth.js and a tighter API surface matters.
skip for
  • You want hosted components or a managed dashboard — Lucia is a library, not a service.
  • JWT-based stateless auth is your model — Lucia is opinionated about server-side sessions.
  • You're shipping fast and want recipes — Lucia is more 'primitives' than 'framework.'
scoreboard / category matrix

Category scoreboard

Six dimensions, 5 tools. The olive dot marks the clear winner per row when there is one — most rows have multiple credible answers. Use this for shape-spotting, not for ranking.

| dimension | Auth.js | Clerk | Supabase Auth | WorkOS | Lucia |
|---|---|---|---|---|---|
| Free tier | library · forever | 10k MAU | 50k MAU · w/ DB free | 1M MAU · core auth | library · forever |
| Cheapest paid tier | free · self-host DB | $25/mo · Pro | included w/ DB | $125/mo · per SSO conn | free · self-host DB |
| Hosted UI | no · build your own | yes · prebuilt | minimal · built-in | yes · AuthKit | no · build your own |
| B2B / SSO | DIY | yes · on Pro | DIY · pair w/ WorkOS | first-class | DIY |
| Database ownership | yours | Clerk + webhook to yours | yours · Supabase Postgres | WorkOS + your DB | yours |
| Lock-in | low · library | high · users at Clerk | low · GoTrue OSS | medium · WorkOS-shaped | low · library |
decision / when to pick which

When to pick which

Five user shapes, five picks. The right answer depends on what you’re optimizing for — revenue model, content shape, growth lever, ownership appetite.

  1. Indie SaaS, conventional auth (social + email), database ownership matters
    Auth.js

    If your auth needs are 'sign in with Google or email/password, store users in our Postgres,' Auth.js is free, type-safe, and gives you the database. You write the sign-in page; the library handles OAuth callbacks and session cookies. Best default for indie projects under 50k MAU.

  2. B2B SaaS with orgs / SSO / multi-tenancy on the roadmap
    Clerk

    If you're shipping B2B and need organizations, role-based access, SAML SSO, and a polished hosted UI, Clerk saves weeks of work and gets you the right answer by default. The per-MAU bill is real but accept it — you're trading dollars for time on infrastructure that's not your product.

  3. Already using Supabase for the database
    Supabase Auth

    Free with the Supabase Postgres free tier (50k MAU). If you're already paying $25/mo for Supabase Pro, auth comes with it. Users live in `auth.users` and JOIN with your business tables. The right answer if Supabase is your DB; doesn't make sense as standalone.

  4. Selling to enterprise — SSO and SCIM are RFP requirements
    WorkOS

    If your product has enterprise tiers and 'add SSO for our IdP' is a frequent ask, WorkOS is the answer. AuthKit handles the consumer-facing auth UI; SSO connections layer on top per enterprise customer. Common pattern: Auth.js or Clerk for self-serve, WorkOS for enterprise.

  5. Want to understand every line of auth, library-shaped tooling
    Lucia

    If you're a TypeScript-first engineer who wants primitives over recipes, Lucia gives you exactly what you need: session management, password helpers, OAuth provider primitives. Smaller surface area than Auth.js, more 'understand it yourself' than 'configure it'.

honest mentions / runners-up

Honest mentions

Tools that show up in adjacent searches but didn’t make the editorial five. Listed for context — not a recommendation, not a takedown.

  • Firebase Auth

    Mature, Google-owned, integrates with Firestore and the rest of Firebase. Pick when Firebase is your stack; don't pick standalone.

  • Auth0

    Enterprise-tier auth, Okta-owned. Powerful and expensive. Indie projects rarely justify the cost; enterprise customers know it well.

  • Better Auth

    Newer TypeScript-first auth library, framework-agnostic. Promising; less mature than Auth.js but cleaner API. Worth watching.

  • Stack Auth

    Open-source Clerk alternative. Very young; production stories are sparse but development is active. Worth tracking for self-host enthusiasts.