Answer five questions about your business model, enterprise needs, framework, and scale. Get back one recommended auth provider from Clerk, Supabase Auth, Auth.js, Better Auth, WorkOS, Stytch, or Auth0 — with two runner-ups and an estimated monthly cost at your stated MAU.
Methodology. Pricing verified against vendor pricing pages (Clerk, Supabase, Auth0, WorkOS, Stytch, Outseta, Polar, Paddle) as of June 2026. The picker uses deterministic decision rules — no AI black box. Recommendations are a research synthesis of public docs and community reports, not first-person hands-on tests. Override the default if your situation doesn’t fit, and read the “when to override” section below.
Your winner is highlighted. Yes/partial/no marks each provider against the requirements implied by your answers.
The picker is a six-rule deterministic decision tree. The rule order matters: enterprise SSO and SCIM constraints fire first, then B2C versus B2B model, then framework-specific defaults, then scale. The hierarchy reflects what we see in real auth migrations — founders almost never move providers because of price, but they routinely move because their auth library couldn’t ship SAML the day a single enterprise customer asked for it. The picker optimizes for not painting yourself into that corner.
The seven providers we consider are the ones that actually win in solo and small-team SaaS in 2026: Clerk for the hosted B2C default, Supabase Auth when you’re already paying for Supabase, Auth.js (formerly NextAuth) for self-hosted Next.js, Better Auth for the new self-hosted TypeScript-first contender, WorkOS for enterprise-from-day-one B2B, Stytch for embedded B2C and B2B with passwordless, and Auth0 for legacy enterprise workflows where you’re already paying anyway. We deliberately exclude Firebase Auth (mobile-first only), AWS Cognito (developer-hostile DX), and Descope (too new to recommend without long production track records). The pricing logic is rebuilt from vendor pages every quarter; the rule logic is open and lives in this page’s source.
Clerk remains the easiest auth in 2026 for React, Next.js, and Expo. Hobby is free up to 50,000 monthly retained users; Pro is $25 per month with overages at $0.02 per additional MRU. SAML moved into Pro as a single included enterprise connection in late 2025, with additional connections at $75 per month. Clerk wins the default B2C and small-team B2B race because its drop-in components ship in 15 minutes including social logins, MFA, organizations, and passkeys — covered in detail in Clerk pricing explained. The downsides are vendor lock and per-MAU economics that can sting if your product has many low-activity accounts.
Supabase Auth is the right call when you’re already paying Supabase Pro at $25 per month for the database; auth is bundled and covers 100,000 MAU at that price. The DX is meaningfully behind Clerk — you wire up email, OAuth, and MFA yourself rather than dropping a component — but the marginal cost is zero. SAML support arrived for the Team tier ($599/mo) and remains an enterprise upsell, which is why we don’t recommend it for SSO-from-day-one B2B founders. Read the head-to-head in Clerk vs Supabase Auth.
Auth.js (the rebranded NextAuth.js) is free and open source. You self-host the logic against your own Postgres or MySQL, and the library handles OAuth providers, email magic links, sessions, and JWTs. The ecosystem is huge for Next.js, smaller for SvelteKit, Remix, and Astro. The picker recommends Auth.js when you want zero vendor lock, you’re a confident developer who likes owning auth logic, and you’re framework-aligned. The tradeoff is real: you wire SAML and SCIM yourself if you ever need them, and password reset flows, MFA, and account linking are all your problem.
Better Auth is the TypeScript-first self-hosted library that gained real adoption in 2025 and 2026. The pitch is “Auth.js but typed end-to-end, framework-agnostic, and with a plugin system that adds SSO, SCIM, and organizations as composable extensions.” It’s free and open source like Auth.js, but the architecture is cleaner and the API surface is friendlier to greenfield TypeScript apps. The picker recommends Better Auth for senior TypeScript developers building anything outside the Next.js ecosystem — SvelteKit, Remix, Astro, Solid, plain Node. Full review in Better Auth review.
WorkOS is the standard-bearer for enterprise-from-day-one B2B SaaS. The pricing model is the giveaway: the first one million monthly active users for User Management are free; SSO is billed per connection at $125 per month (sliding to lower rates above 15 connections); Directory Sync (SCIM) follows the same $125 per connection structure. If you have one specific enterprise deal contingent on SAML, you can ship a working WorkOS integration in an afternoon and bill the customer enough to cover the $125 connection fee. Read the full picture in WorkOS review.
Stytch is the embedded-auth competitor that does both B2C and B2B from a single API. The free tier covers 10,000 MAU, unlimited organizations, and five included SSO or SCIM connections. Additional connections beyond five cost $125 each. Stytch wins when you want enterprise-grade B2B features without the WorkOS enterprise sticker shock for the first five customers, or when you want passwordless and biometric flows on the consumer side. Full review in Stytch review.
Auth0 stays in the picker because it’s the default for one specific situation: you’re joining a team that already runs Auth0 and the migration cost is measured in engineer-quarters. As a greenfield pick in 2026, Auth0 is hard to justify: B2C Essentials starts at $35 per month at 500 MAU and Professional B2C starts at $240 per month at 500 MAU. The DX is corporate-Okta-grade rather than developer-friendly, and the per-MAU economics get painful fast. Detail in Clerk vs Auth0.
You’re building a mobile-first consumer app where biometric login matters more than dashboards. The picker leans toward Clerk because its Expo SDK is the best in class. But if you’re a Swift-native iOS developer, Apple’s Sign in with Apple plus a thin server is genuinely faster than any third-party SDK for first launch. The tradeoff is Android, which forces you back toward Clerk, Stytch, or Firebase the moment you ship cross-platform.
You’re building in regulated industries (HIPAA, financial services) where data residency matters. The picker stays in hosted territory by default. If you need US-only data residency, EU-only data residency, or self-hosted compliance posture, the right answers are Auth.js or Better Auth running on your own infrastructure with the auth state living in your own database. WorkOS and Stytch offer enterprise compliance plans, but the cost climbs past $1,000 per month before you’ve sold a single customer. Read what is SaaS GDPR compliance for the framework.
You’re going to outgrow Clerk’s economics before product-market fit. If your product encourages account creation but produces low-activity users (e.g., a free tool with 100,000 sign-ups that never log in again), Clerk’s per-MRU model can chew through $200 to $500 per month before you’ve made a dollar. The override is Supabase Auth, which charges per MAU not MRU and bundles with the database you’re probably running anyway. Run the numbers in Clerk pricing explained first.
You sell to a single enterprise customer who needs SCIM provisioning tomorrow. The picker recommends WorkOS or Stytch for SCIM, both at $125 per connection per month. If you have exactly one customer, WorkOS’s pure pay-per-connection model is the cleanest path. Don’t bolt on Clerk Business at $300 per month or jump to Auth0 Enterprise pricing for a single SCIM relationship — the math is wrong. Detail in what is SSO and WorkOS review.
The hardest part of an auth integration is not the SDK, it’s the second-mile features: account linking when a user signs in with both Google and email, OAuth refresh tokens that expire silently, MFA enrollment flows that don’t alienate non-technical users, and password reset emails that don’t end up in spam. Budget an extra two days for these issues beyond the “15-minute setup” promise. Hosted providers cover roughly 80% of this surface out of the box; self-hosted libraries cover roughly 50% with community patterns filling the rest. Specific guides on the site: how to add OAuth, how to add team accounts, how to add magic link auth with Supabase, and how to add 2FA.
The cost band shown on the result card is the estimated monthly bill at your stated MAU on the relevant plan, not a quote. Auth pricing taxes a metric (monthly active or retained users) that doesn’t correlate cleanly with revenue. A free B2C app with 30,000 sign-ups but 8,000 active users costs the same on Clerk as a paid B2C app with 8,000 paying customers. WorkOS’s per-connection model is the cleanest in this regard because the cost is a function of enterprise customers, which is exactly what generates revenue. The meta-point: the right auth provider is the one that doesn’t block your next ten releases. Whichever you pick, migration is survivable — if you keep your user table portable from day one (store an external ID, not a vendor-internal primary key).
The stack, prompts, pricing, and mistakes to avoid — for solo founders building with AI.