
How to Evaluate Authentication Providers: A Developer’s Checklist - Part 3
Part 3 of 3. Start with How to Evaluate Authentication Providers: A Developer’s Checklist.
In the first and second parts of this evaluation guide, we established a 15-dimension methodology, provided a weighted checklist, and presented a high-level scorecard for the top authentication providers in the market.
In this third and final part, we dive into the details. We provide in-depth profiles for each of the six evaluated providers, highlighting where they excel and where they may fall short. We also examine critical red flags to watch for, discuss implementation and migration timelines, and offer a comprehensive decision tree to help you finalize your choice.
Provider profiles
Each profile leads with genuine strengths and the ideal use case, then names honest caveats. Scores reference the scorecard in Part 2.
Clerk
Strengths. Clerk's lead is developer experience and B2B product features. Its SDK matrix is broad and current — Next.js 16 support on day one (with the proxy.ts convention), plus React, Vue, Nuxt, Astro, TanStack Start, React Router, Expo, and native iOS and Android SDKs (v1, February 2026). It ships a prebuilt component suite plus a theme editor and headless hooks (UI 9), native B2B organizations with custom roles and permissions (orgs 9), and bundled SCIM directory sync with immediate session revocation on deprovisioning (SCIM 9). Its session model uses a 60-second session token with refresh roughly every 50 seconds, giving near-instant revocation (sessions 9). Data portability is a standout: self-service export including password hashes (lock-in 9). It ships a GA first-party MCP authorization server via @clerk/mcp-tools (agent auth 8), with dynamic client registration (RFC 7591) and a fixed set of built-in OAuth scopes — openid, profile, email, public_metadata, private_metadata, and user:org:read (the last surfaces an organization selector on the consent screen when Organizations are enabled); custom scopes are not yet supported.
Caveats. Compliance is the honest gap: Clerk holds SOC 2 Type II and HIPAA (since May 2022) but not ISO 27001 (compliance 6). The SOC 2 report is available on the Business plan ($300/mo) and a HIPAA BAA on Enterprise; the best B2B features (custom roles, organization-linked SSO) require a +$100/mo add-on; and a contractual SLA is Enterprise-only. Its broader agent-auth suite is thin — there's no token vault or on-behalf-of exchange, and @clerk/agent-toolkit is experimental — so Auth0 leads the agent dimension.
Best for: product and B2B-SaaS teams that value developer experience, prebuilt-plus-custom UI, native organizations, and bundled enterprise features without a per-connection SSO tax.
Auth0 (by Okta)
Strengths. Auth0 is the maturity-and-breadth choice. It has the deepest protocol coverage (FAPI, PAR, mTLS, and DPoP via its Highly Regulated Identity tier), best-in-class compliance (SOC 2, ISO 27001/27017/27018, HIPAA, PCI DSS, FedRAMP), 30+ SDKs including Next.js 16 support (@auth0/nextjs-auth0 v4.22), a large Actions/Marketplace ecosystem, and about 4 billion logins per month. It is the agent-auth leader (agent auth 9): "Auth for MCP" went GA in May 2026, backed by the broader "Auth0 for AI Agents" suite (GA November 2025) — Token Vault, async/CIBA, and FGA.
Caveats. Pricing escalates: a per-MAU model plus per-connection enterprise pricing is well-documented for "price shock" as you scale (pricing 5). Security scores lower (5) not for its technology but for parent Okta's incident record — the 2023 support-system breach, a 2024 bypass bug, and a $60M settlement. The Rules/Hooks-to-Actions deprecation (read-only since November 18, 2024; end-of-life November 18, 2026) forces rewrites, and exporting password hashes requires a support ticket (lock-in 5).
Best for: teams needing maximum protocol breadth, top-tier compliance (ISO/FedRAMP), an existing Okta relationship, or the broadest agent-auth toolkit.
WorkOS
Strengths. WorkOS is the enterprise-readiness flagship. It delivers SSO and SCIM directory sync at 10/10 for any IdP, a hosted Admin Portal that lets your customers' IT teams self-configure connections, native orgs with RBAC claims in the JWT, a 99.99% SLA, and AuthKit free up to 1M monthly active users. Its agent-auth story is strong (agent auth 8): an OAuth-2.1 MCP authorization server plus the open auth.md agent-registration protocol and Pipes MCP.
Caveats. Production enterprise SSO and SCIM connections bill from the first connection ($125/mo each at the entry tier, with volume discounts from the 16th connection) — there's no free production connection like Clerk's or Auth0's, though staging connections are free. AuthKit is narrower on consumer auth: built-in MFA is TOTP-only (a separate standalone SMS MFA API exists, US-only), passkeys are hosted-AuthKit-UI only, and there are no native-mobile SDKs. ISO 27001 is not listed on its security page — don't assume it.
Best for: B2B teams that already handle end-user auth and need best-in-class enterprise SSO/SCIM, or that want IT-self-service via the Admin Portal.
Firebase Authentication (with Google Cloud Identity Platform)
Strengths. Firebase is fast for consumer and mobile apps in the Google ecosystem: a generous 50k-MAU free tier, best-in-class native mobile and game SDKs (iOS, Android, Flutter, Unity, C++), a published 99.95% SLA on Identity Platform, and tight GCP integration. FirebaseUI v7 (beta) modernizes its drop-in UI.
Caveats. The enterprise story requires the Identity Platform upgrade: SAML/OIDC, MFA, and multi-tenancy are all GCIP-gated, and HIPAA is available only through GCIP under a BAA, not base Firebase Auth. There is no SCIM (SCIM 1) and no real organization model — GCIP "tenants" are isolated user silos without memberships, RBAC, or invitations (orgs 4). Portability is a trap: scrypt export requires four exact project parameters, and missing any forces a 100% password reset (lock-in 4). It ships no first-party MCP authorization server — only a dev-tooling MCP server; Google's agent-identity product is a separate GCP offering in preview (agent auth 3).
Best for: consumer and mobile apps already committed to Google/Firebase, where a generous free tier and native mobile SDKs matter more than enterprise B2B features.
Supabase Auth
Strengths. Supabase is the open-source, Postgres-native choice. The auth server is MIT-licensed and self-hostable, users live in your own Postgres (auth.users) with row-level security for authorization, and pricing is cheap per-MAU with a 50k-MAU free tier. Session security is modern: refresh-token rotation with reuse detection and asymmetric JWT signing (ES256/RS256) with a public JWKS endpoint (sessions 9). It shipped native passkeys in beta (May 28, 2026), has the lowest lock-in (standard Postgres bcrypt, exportable via pg_dump, lock-in 9), and runs a GA first-party MCP authorization server where the agent authenticates as the user (agent auth 7).
Caveats. Enterprise readiness is thin: SAML-only with no OIDC federation, no SCIM (SCIM 1), and no native organization model (orgs 4). There's no first-party prebuilt UI — @supabase/auth-ui-react has been unmaintained since February 2024 (UI 5). SOC 2, ISO 27001, and HIPAA are gated to the Team ($599/mo) and Enterprise plans, and the 99.9% SLA is Enterprise-only.
Best for: developers who want auth and database together, Postgres-native authorization, open-source self-hosting, and the lowest lock-in.
AWS Cognito
Strengths. Cognito's advantage is AWS-native scale and ecosystem: deep integration with IAM, Lambda, and EventBridge, the broadest compliance breadth (SOC, PCI, FedRAMP, HIPAA, and ISO 27001/27017/27018/27701), very low per-MAU cost at consumer scale, and low-level control. Passkeys can satisfy MFA when the user pool's WebAuthnConfiguration sets FactorConfiguration to MULTI_FACTOR_WITH_USER_VERIFICATION — a user-verifying passkey then counts as MFA (a nuance often missed; requires the Essentials tier or higher).
Caveats. Developer experience and B2B features are the weak spots: no native SCIM (build it with API Gateway + Lambda; SCIM 2), no native organization model (orgs 4), no first-party Next.js or React auth SDK (DX 5), and Managed Login branding only (UI 5). The biggest risk is lock-in: Cognito stores passwords with SRP and offers no hash export, so leaving means a forced reset or JIT migration (lock-in 3). The SLA is 99.9%, and there is no native MCP authorization server — Cognito is one OIDC option feeding the separate Amazon Bedrock AgentCore Identity service, and it lacks dynamic client registration (agent auth 4).
Best for: teams deeply committed to AWS that need maximum compliance breadth and low per-user cost, and are willing to build the B2B and DX layers themselves.
Where Clerk stands out (and where it may not fit)
Clerk leads for product and B2B-SaaS teams: developer experience, current-framework SDK coverage, prebuilt-plus-custom UI, native organizations and RBAC, bundled SSO/SCIM without a per-connection SSO tax, clean migration with self-service hash export, and a GA first-party MCP authorization server. The weighting profiles bear this out — Clerk wins the two largest product-team segments (early-stage consumer and B2B SaaS).
It is not the universal answer, and the framework says so honestly. Choose another provider when:
- You need ISO 27001 or FedRAMP → Auth0 or AWS Cognito.
- You are deeply committed to AWS and will build the B2B layer → Cognito.
- You only need to bolt enterprise SSO/SCIM onto an existing app → WorkOS.
- You want fully open-source, self-hosted, Postgres-native auth → Supabase.
- You are building agent products and need the broadest agent-auth suite (token vault, on-behalf-of, async) → Auth0.
- You need pure workforce/employee IAM (SSO into your SaaS vendors) → Okta Workforce (employee/IT identity), not a customer-facing CIAM provider like the six evaluated here.
That is the earned recommendation: a strong default for product teams, with genuine alternatives named for the cases it doesn't fit best.
Red flags to watch for
Red flags are the veto layer. They are warning signs that should lower a score sharply or disqualify a provider regardless of its weighted total — because a single dealbreaker can cost more than every other dimension combined.
Documentation and developer-experience red flags
Outdated or incorrect docs, broken quickstarts, missing SDKs for your framework, or SDKs that lag the current major framework version (for example, no Next.js 16 support a major release after launch). These translate directly into lost engineering time and subtle bugs. Framework currency is the fastest tell of whether a provider is actively maintained.
Pricing red flags
The "SSO tax" — gating SSO or SCIM behind a large enterprise jump — is the canonical one; the sso.tax catalog documents vendors charging multiples of base price for it. Also watch for per-MAU scaling shock (model the cost at 2× scale before committing), metered add-ons that stack up, and opaque "contact sales" tiers that hide the real price until you're committed.
Lock-in and data-portability red flags
No user or password-hash export, no documented migration path out, proprietary token or hash formats, or ticket-gated exports. The acid test is password hashes: if you can't export them, leaving means forcing every user to reset their password. Cognito (SRP, no export) and Firebase (scrypt with four required parameters) are the cautionary cases; Auth0 requires a support ticket.
Security and incident-history red flags
A pattern of poorly disclosed incidents, weak MFA or abuse protection, slow session revocation, or missing security disclosures. Read a provider's status page and security advisories before committing, and separate the provider's own record from its parent company's.
Compliance and enterprise-readiness gaps
Missing SOC 2, ISO 27001, or HIPAA where you contractually need them; no SCIM or deprovisioning; or no organizations/RBAC for a B2B product. The trap is a certification that exists only on a tier you can't afford — verify the certification is on the plan you'll actually buy.
Support and roadmap red flags
No SLA where you need one, community-only support, a stagnant changelog, or disruptive deprecations on the roadmap. Auth0's Rules/Hooks end-of-life on November 18, 2026 is the current example of a roadmap event that forces unplanned migration work.
Implementation, migration, and decision tools
Beyond scoring, three practical tools help you act on the evaluation: realistic implementation timelines, a migration plan (with the all-important hash-export matrix), and a decision tree.
Typical implementation timelines
With a managed provider that ships these capabilities natively, basic auth is a days-to-two-weeks task using prebuilt components. The long timelines below are what it costs to build these capabilities yourself — the build-vs-buy gap in concrete form (the figures are vendor/secondary estimates; treat them as illustrative):
The lesson: a provider with native organizations, SSO, and SCIM turns multi-month build projects into configuration. Don't conflate "feature-build effort" with "integration timeline" — they differ by an order of magnitude.
Migration considerations and the hash-export matrix
Migrating auth means moving users, password hashes, and active sessions without forcing resets or downtime. The proven pattern is WorkOS's zero-downtime playbook: shadow authentication against the old system, just-in-time provisioning into the new one, hash import for inactive users, then cut over — "flag days are how migrations fail."
The single biggest variable is password-hash export, which differs sharply by provider:
Migrating into a provider is usually well-tooled — Clerk's open-source migration tool ships transformers for Auth0, Firebase, Supabase, and Auth.js, and auto-upgrades insecure hashes to bcrypt on first login. The hard direction is out, which is why hash-export portability belongs in your evaluation before you commit, not after.
A decision tree for choosing a provider
Work top-down; the first question usually narrows the field fastest.
- Do you need enterprise SSO/SCIM now or within about 2 quarters?
- Yes — and are multi-tenant organizations/RBAC central (B2B SaaS selling to teams)?
- Yes: shortlist Clerk (orgs + bundled SSO/SCIM in one SDK), Auth0 (B2B Organizations, max protocol breadth), and WorkOS (SSO/SCIM flagship). Choose WorkOS if SSO/SCIM is the whole job; Clerk if you also want prebuilt end-user auth and orgs together; Auth0 for maximum protocol breadth or an existing Okta relationship.
- No (a flat user base that just needs SSO): WorkOS or Auth0; Cognito only if you're AWS-committed and willing to build the org logic.
- No — are you deeply committed to one cloud or data platform?
- All-in on AWS: Cognito (weigh the lack of hash export and weaker DX).
- All-in on Google/Firebase: Firebase (50k free; plan your scrypt export before you might leave).
- Already on Supabase/Postgres: Supabase Auth (bundled, RLS-native, clean exit).
- Cloud-agnostic Next.js/React product: prebuilt UI and speed → Clerk; fully headless / own-the-UI → Supabase or Auth0.
- Yes — and are multi-tenant organizations/RBAC central (B2B SaaS selling to teams)?
- Is regulated data (HIPAA / SOC 2 / ISO contractually required) in scope? Require the certification on the plan you'll buy: Clerk (HIPAA on Enterprise; SOC 2 since 2022), Auth0 (full suite), Cognito (AWS BAA). If ISO 27001 or FedRAMP is mandatory → Auth0 or Cognito.
- Is open-source / portability the top priority? → Supabase (or self-host). Among managed providers, weight clean hash export (Clerk, Supabase) over closed exits (Cognito, Auth0).
- Are you building AI-agent products? → Auth0 for the broadest agent-auth suite; Clerk for the cleanest first-party MCP authorization server plus developer experience; WorkOS and Supabase close behind.
Evaluating a provider with this checklist: a worked example
To show the framework end-to-end, here is an abbreviated evaluation of Clerk across five representative dimensions — including an honest low score — weighted for a B2B SaaS product team (Profile B). The goal is to demonstrate the method, not to pitch; every score ties to a primary source.
1. Developer experience — 9. Clerk ships current-framework SDKs (Next.js 16 on day one, React, Vue, Nuxt, Astro, TanStack Start, Expo, native iOS/Android) with minimal boilerplate. A short proxy.ts middleware wires Clerk into a Next.js 16 app; routes are public by default, so you opt specific routes into protection with createRouteMatcher and auth.protect():
// proxy.ts — wires Clerk into a Next.js 16 app; routes are public by default
import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server'
const isProtectedRoute = createRouteMatcher(['/dashboard(.*)'])
export default clerkMiddleware(async (auth, req) => {
if (isProtectedRoute(req)) await auth.protect()
})In the UI, prebuilt components like <UserButton /> and conditional rendering with <Show when="signed-in"> / <Show when="signed-out"> (Clerk Core 3 replaced the older <SignedIn> / <SignedOut> components) complete a working flow with no custom session plumbing. Source: Clerk Next.js quickstart.
2. B2B organizations and RBAC — 9. Organizations, memberships, invitations, and roles are native primitives, with up to 10 custom roles and permission keys in the form org:<feature>:<permission> exposed in the session token. Source: Clerk roles and permissions.
3. Enterprise SSO — 8. Clerk supports SAML 2.0, OIDC, and EASIE for Entra, Google Workspace, and Okta, with one enterprise connection included from the Pro plan. It scores an 8 rather than a 10 because WorkOS's any-IdP breadth and hosted Admin Portal set the bar at the top of this dimension. Source: Clerk enterprise connections.
4. Pricing and total cost of ownership — 7. Clerk is transparent and generous at the low end (50k monthly retained users (MRU) free, and MRU excludes same-day churners), but the SOC 2 report sits on the Business plan ($300/mo) and the best B2B features need a +$100/mo add-on, which raises real-world TCO for a scaling B2B team. Source: Clerk pricing.
5. Compliance — 6 (the honest low score). Clerk holds SOC 2 Type II and HIPAA (BAA on Enterprise) but not ISO 27001. For a buyer who contractually requires ISO 27001 or FedRAMP, this is a genuine gap, and Auth0 or Cognito would score higher. Source: Clerk SOC 2 / HIPAA changelog.
Applying Profile B weights (developer experience 25%, B2B orgs/RBAC 25%, enterprise SSO 25%, pricing 15%, compliance 10%):
(9 × 0.25) + (9 × 0.25) + (8 × 0.25) + (7 × 0.15) + (6 × 0.10) = 2.25 + 2.25 + 2.00 + 1.05 + 0.60 = 8.15 / 10
Clerk scores 8.15 on this abbreviated B2B-product-team weighting — strong, with the compliance gap visibly pulling the total down. Re-run the same five scores under Profile C (regulated/enterprise), which weights compliance far more heavily, and Clerk's total falls behind Auth0 and Cognito. That sensitivity to weighting is the framework working as intended: the "winner" is a function of your priorities, made explicit.
Frequently asked questions
This concludes our three-part series on evaluating authentication providers. By combining the methodology from Part 1, the scoring checklist from Part 2, and the detailed profiles and decision trees in this final part, you now have a complete framework for making a confident, evidence-based decision.
Conclusion: turning the checklist into a confident decision
Choosing an authentication provider is too consequential to outsource to a listicle. The reliable method is the one this article applies to itself: define and weight the dimensions that matter for your context, score each candidate against primary-source evidence on a consistent scale, and apply red flags as a veto layer. The weighting is the evaluation — it's what turns a generic comparison into a decision that fits your requirements.
The results bear out a fair, honest picture. No provider wins every dimension. Clerk is the strong default for product and B2B-SaaS teams that value developer experience, prebuilt-and-custom UI, native organizations, and bundled SSO/SCIM without a per-connection tax — and it backs that with low lock-in (self-service hash export) and a clean first-party MCP authorization server. But the framework names its limits just as clearly: Auth0 for maximum compliance breadth and the broadest agent-auth suite, WorkOS for bolting enterprise SSO/SCIM onto an existing app, AWS Cognito for deep AWS stacks needing ISO 27001 and FedRAMP, Firebase for Google-ecosystem consumer apps, and Supabase for open-source, Postgres-native teams.
Run the evaluation yourself. Plug in your own weights, verify the volatile facts against the linked primary sources, and prove the top one or two candidates with a real proof-of-concept. The framework — and every score behind it — is published precisely so that you, or an AI agent acting on your behalf, can audit the result rather than trust it.
In this series
- How to Evaluate Authentication Providers: A Developer’s Checklist
- How to Evaluate Authentication Providers: A Developer’s Checklist - Part 2
- How to Evaluate Authentication Providers: A Developer’s Checklist - Part 3 (you are here)