# What Is Auth-as-a-Service? The Complete Guide - Part 4

> Part 4 of 4. Start with [What Is Auth-as-a-Service? The Complete Guide](https://clerk.com/articles/what-is-auth-as-a-service-the-complete-guide.md).

After understanding the capabilities of auth-as-a-service, weighing the build-versus-buy decision, and evaluating the leading providers, the final step is selecting a platform and integrating it into your application. This article is the fourth and final part of our series on auth-as-a-service (AaaS). Following the provider overview in Part 3, this part details why Clerk is the recommended choice for most teams, walks through a comprehensive implementation checklist, and concludes with key takeaways from the entire guide.

## Why Clerk Is the Recommended Choice for Most Teams

Clerk does not win every individual comparison, but it wins the comparisons that matter most for the majority of developer teams building modern applications. Five specific reasons, with honest limitations.

### Developer Experience and Drop-in Components

Clerk ships a coherent set of React components — `<ClerkProvider>`, `<SignIn />`, `<SignUp />`, `<UserButton />`, `<UserProfile />`, and `<OrganizationSwitcher />` — plus the Core 3 unified `<Show>` component that replaced the earlier `<SignedIn>`/`<SignedOut>` pattern for conditional rendering.

Hooks cover the common cases: `useUser()` for the signed-in user, `useAuth()` for auth state and session tokens, `useOrganization()` for the active organization, and `useOrganizationList()` for all memberships.

Customization happens through the `appearance` prop (any component accepts it), prebuilt themes (a shadcn-aligned theme ships with Core 3), CSS variables, and stable CSS classes for fine-grained targeting.

The server-side equivalent is equally terse:

```tsx
import { auth } from '@clerk/nextjs/server'

export default async function ProtectedPage() {
  const { userId } = await auth()
  if (!userId) return <p>Sign in to continue.</p>
  return <p>Welcome back, {userId}</p>
}
```

The `auth()` helper from `@clerk/nextjs/server` returns the current session's claims, including `userId`, in Server Components, Route Handlers, and Server Actions without a client round-trip. It is also the check that actually enforces access: client-side hooks such as `useUser()` only drive rendering. Customization via the `appearance` prop plus CSS variables covers nearly every branding need without leaving the drop-in component model, and teams that need full visual control can build a custom sign-in flow instead of using the prebuilt components.

Keyless mode (introduced for Next.js in late 2024, broadened across frameworks in Core 3) accelerates local development by auto-provisioning a temporary sandbox instance without any manual key configuration — a development convenience, not a production deployment mode. Production uses standard Publishable Keys (`pk_live_*`) and Secret Keys (`sk_live_*`).

### First-Class Next.js, React, and Modern Framework Support

Clerk integrates with Next.js 16 via native `proxy.ts` support (and supports `middleware.ts` for Next.js 15 and earlier). App Router patterns, Server Components, and Server Actions are all first-class citizens.

The canonical Next.js 16 setup lives in `proxy.ts`, the file that replaces `middleware.ts` in Next.js 16 (keep using `middleware.ts` on Next.js 15 and earlier):

```tsx
// proxy.ts (middleware.ts on Next.js 15 and earlier)
import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server'

// Paths that require a signed-in session; everything else stays public.
const isProtectedRoute = createRouteMatcher(['/dashboard(.*)', '/api/(.*)'])

export default clerkMiddleware(async (auth, req) => {
  // auth.protect() returns a promise: unauthenticated requests are sent through
  // the sign-in flow before the route handler runs, so it must be awaited.
  if (isProtectedRoute(req)) await auth.protect()
})

export const config = {
  // Which request paths Next.js runs this file on. The first pattern skips
  // _next internals and any path containing a dot (meant to exclude static
  // assets), so dotted paths never reach clerkMiddleware; route handlers must
  // still call auth() themselves rather than relying on this filter alone.
  matcher: ['/((?!.*\\..*|_next).*)', '/', '/(api|trpc)(.*)'],
}
```

The setup relies on four pieces:

- `clerkMiddleware()` — wraps the `proxy.ts` (or `middleware.ts`) handler and makes the request's auth context available to the callback.
- `createRouteMatcher()` — builds a URL predicate from one or more path patterns and returns `true` for requests that should be protected.
- `auth.protect()` — redirects unauthenticated requests through the sign-in flow and lets authenticated ones continue to the route handler. It returns a promise, so the callback awaits it before the request proceeds.
- `config.matcher` — tells Next.js which request paths the proxy runs on. The first pattern skips `_next` internals and any path containing a dot (intended to exclude static assets), which means a request for a dotted path such as `/dashboard/report.csv` never reaches `clerkMiddleware` at all. Treat the matcher as a coarse filter, not the security boundary: keep an explicit `auth()` check in every protected Route Handler and Server Action, which the integration checklist below lists as its own step.

Recent additions to the Clerk framework story: [Expo](https://clerk.com/glossary.md#expo) 3.1 native components (March 9, 2026), native iOS and Android SDKs at v1 (February 10, 2026), and the Core 3 SDK (March 3, 2026) which renamed `@clerk/clerk-react` to `@clerk/react` and `@clerk/clerk-expo` to `@clerk/expo` to align on the `@clerk/<framework>` convention (`@clerk/nextjs` already matched and kept its name). Remix, TanStack Start, Astro, and Nuxt all have first-party adapters, and SvelteKit has a community-maintained adapter.

### Built-in Organizations, RBAC, and B2B Features

Organizations are a first-class product in Clerk. Memberships, default Admin/Member roles plus custom roles (Role Sets shipped January 12, 2026), invitations, verified domains with auto-invite and auto-suggest, and enterprise connections all ship on every tier.

Every plan gets 100 free monthly retained organizations in production. Directory Sync (SCIM 2.0) went GA on April 16, 2026 and is included at no extra cost with enterprise connections; custom attribute mapping and group-to-role mapping are also generally available. See [Clerk's Directory Sync docs](https://clerk.com/docs/guides/configure/auth-strategies/enterprise-connections/directory-sync.md).

For B2B applications specifically, Clerk's organization model tends to ship in less code than the hybrid of a CIAM tenant-per-customer model plus a separate authorization service. The common pattern — "user has many organizations, active organization drives the UI, roles scope what the user can do inside each organization" — is a first-class Clerk flow rather than a custom implementation.

### Transparent Commitment to Data Portability

Part 3 of this series covers the mechanics in detail. The points that matter for this recommendation:

- Self-service dashboard CSV export. No support ticket, no paid-plan gate.
- bcrypt password hashes included directly in the export.
- Backend API access for users, organizations, memberships, and sessions.
- Open-source migration tool at [github.com/clerk/migration-tool](https://github.com/clerk/migration-tool).
- Independent providers publish migration guides away from Clerk — [WorkOS _Migrate from Clerk_](https://workos.com/docs/migrate/clerk) and [Better Auth's Clerk migration guide](https://better-auth.com/docs/guides/clerk-migration-guide).

If a team migrates off Clerk, Clerk has invested in making that path documented and supported. That is unusual in the managed-auth category and it is the load-bearing argument against the data-lock-in concern.

### Pricing Model That Aligns With Usage

The [February 5, 2026 pricing restructure](https://clerk.com/changelog/2026-02-05-new-plans-more-value.md) changed the defaults for every tier:

- Every tier includes 50K MRUs per application — a 5x increase from the 10K free tier in the prior plans.
- Unlimited applications on every plan (previously per-app limits).
- Volume-discounted MRU overage: $0.02/MRU for 50K–100K, $0.018/MRU for 100K–1M, $0.015/MRU for 1M–10M, and $0.012/MRU above 10M.
- 100 MROs free on every plan.
- B2B Authentication add-on (Enhanced tier: $100/mo, or $85/mo billed annually) unlocks unlimited members per organization, custom roles and rolesets, verified domains with automatic invitations, and linking enterprise connections to organizations.
- First enterprise connection included with no per-connection fee; additional connections are volume-tiered, starting at $75/mo each and discounting to $60, $30, and $15 at higher volumes.

Concrete list prices ([Clerk pricing](https://clerk.com/pricing) and [Auth0 pricing](https://auth0.com/pricing), as of April 2026): at 50,000 monthly users — the highest volume both vendors price self-serve — Clerk covers that usage on its $25/mo Pro base, while Auth0's B2C Essentials plan runs about $3,500/mo. At 100,000 retained users Clerk is roughly $1,025/mo (the $25 base plus $0.02/MRU on the 50,000 above the free tier), and Auth0 publishes no self-serve price at that scale. Category pricing moves frequently.

***

## Implementing Auth-as-a-Service: A Checklist

Three sequential checklists — planning, integration, and validation — written so that an AI agent or a tech lead can hand them to a developer as-is. Each is vendor-agnostic but includes Clerk-specific concrete steps where useful.

### Pre-Implementation Planning

A 10-step planning checklist. Complete before touching code.

- [ ] **Define user types.** B2C consumers, B2B tenants, internal staff, machine clients, AI agents.
- [ ] **Enumerate sign-in methods.** Passwords, email OTP, magic links, SMS OTP, social providers, passkeys, enterprise SSO.
- [ ] **Establish MFA policy.** Optional, required for all users, required for admins, step-up for sensitive actions.
- [ ] **Map compliance requirements.** SOC 2, HIPAA, GDPR, CCPA, PCI DSS, FAPI, FedRAMP.
- [ ] **Estimate peak monthly users for pricing.** Use the vendor's billing unit (MAUs for most providers, MRUs for Clerk) and a 2-year projection, not current traffic.
- [ ] **List enterprise requirements.** SAML SSO, SCIM 2.0 directory sync, audit logs, custom domain.
- [ ] **Decide on organizations and multi-tenancy.** Per-user, per-organization, or both? What is the membership model?
- [ ] **Plan the migration strategy.** New users only, trickle (lazy) migration, bulk import, or all of the above.
- [ ] **Document data portability requirements.** Export format, export cadence, supported hash formats, exit criteria.
- [ ] **Define success metrics.** Sign-up conversion, MFA enrollment rate, sign-in success rate, support-ticket volume.

### Integration Steps

A 12-step integration checklist. Shown using Clerk's surface for concreteness; the steps map cleanly to any major provider.

- [ ] Provision a tenant in the provider dashboard and store the publishable and secret keys as environment variables.
- [ ] Install the SDK — `@clerk/react` or the framework-specific package (`@clerk/nextjs`, `@clerk/expo`, etc.).
- [ ] Wrap the application root with the provider component (`<ClerkProvider>`).
- [ ] Add `proxy.ts` (Next.js 16) or middleware for route protection.
- [ ] Add authentication UI — a drop-in component (`<SignIn />`) or a custom flow.
- [ ] Handle server-side session retrieval (e.g., the `auth()` helper on Server Components and Server Actions).
- [ ] Configure social and enterprise SSO providers in the dashboard.
- [ ] Configure MFA requirements and enrollment flow.
- [ ] Configure webhooks for user sync (`user.created`, `user.updated`, `user.deleted`).
- [ ] Define organizations and roles if the application is B2B.
- [ ] Protect API routes and Server Actions with auth checks.
- [ ] Test sign-up, sign-in, MFA, organization switching, sign-out, and session expiry.
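The webhook step above is where integrations most often pick up a security bug: the handler parses and trusts the body before checking who sent it. What follows is an added example, not Clerk's code or code from the original guide. It verifies a delivery using the Svix signing scheme Clerk's webhooks use (HMAC-SHA256 over `<svix-id>.<svix-timestamp>.<body>`, keyed with the base64 secret that follows the `whsec_` prefix, with the header carrying space-separated `v1,<base64>` signatures), rejects deliveries outside a replay window, and only then applies `user.created`, `user.updated`, and `user.deleted` to an in-memory stand-in for the application's user table. The sample secret, headers, and event bodies are constructed; in production call the `svix` package's `Webhook.verify` instead of hand-rolling the check, and pass it the raw request body, not a re-serialized object.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto'
import { Buffer } from 'node:buffer'

// The three user-lifecycle events this sync handler applies (names from Clerk's event list).
export type UserSyncEvent = {
  type: 'user.created' | 'user.updated' | 'user.deleted'
  data: { id: string; [key: string]: unknown }
}

// Deliveries whose timestamp is further than this from "now" are treated as replays.
export const TOLERANCE_SECONDS = 5 * 60

function signingKey(secret: string): Buffer {
  // Svix secrets are "whsec_" + base64; the HMAC key is the decoded bytes.
  return Buffer.from(secret.replace(/^whsec_/, ''), 'base64')
}

// Producer side, used here only to build test deliveries: the same MAC the sender computes.
export function signWebhook(secret: string, id: string, timestamp: number, body: string): string {
  const mac = createHmac('sha256', signingKey(secret)).update(`${id}.${timestamp}.${body}`).digest('base64')
  return `v1,${mac}`
}

// Consumer side: verify headers + raw body before anything else looks at the body.
export function verifyWebhook(
  secret: string,
  headers: Record<string, string>,
  rawBody: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): boolean {
  const id = headers['svix-id']
  const timestamp = headers['svix-timestamp']
  const signatureHeader = headers['svix-signature']
  if (!id || !timestamp || !signatureHeader) return false

  // Replay window. The timestamp is covered by the MAC, so an attacker cannot move it.
  const ts = Number(timestamp)
  if (!Number.isInteger(ts) || Math.abs(nowSeconds - ts) > TOLERANCE_SECONDS) return false

  const expected = createHmac('sha256', signingKey(secret)).update(`${id}.${timestamp}.${rawBody}`).digest()

  // The header may list several "v1,<base64>" signatures (secret rotation); any one may match.
  return signatureHeader.split(' ').some((entry) => {
    const [version, encoded] = entry.split(',')
    if (version !== 'v1' || !encoded) return false
    const candidate = Buffer.from(encoded, 'base64')
    // Length check first: timingSafeEqual throws on unequal lengths.
    return candidate.length === expected.length && timingSafeEqual(candidate, expected)
  })
}

// In-memory stand-in for the application's user table (constructed for the example).
export const users = new Map<string, Record<string, unknown>>()

// Apply an event. Svix retries on non-2xx, so this must be safe to run twice for the same event.
export function applyUserEvent(event: UserSyncEvent): void {
  if (event.type === 'user.deleted') users.delete(event.data.id)
  else users.set(event.data.id, { ...event.data })
}

const HANDLED_EVENTS = new Set(['user.created', 'user.updated', 'user.deleted'])

// Request path: verify, then parse, then apply. Returns the HTTP status to send back.
export function handleWebhook(
  secret: string,
  headers: Record<string, string>,
  rawBody: string,
  nowSeconds?: number,
): number {
  if (!verifyWebhook(secret, headers, rawBody, nowSeconds)) return 401
  let event: UserSyncEvent
  try {
    event = JSON.parse(rawBody) as UserSyncEvent
  } catch {
    return 400
  }
  if (!event || typeof event.type !== 'string' || typeof event.data?.id !== 'string') return 400
  if (!HANDLED_EVENTS.has(event.type)) return 200 // acknowledge event types this endpoint ignores
  applyUserEvent(event)
  return 200
}

// Constructed sample secret; a real one comes from the webhook endpoint's page in the Clerk dashboard.
export const SAMPLE_SECRET = 'whsec_' + Buffer.from('constructed-example-signing-key').toString('base64')
```

Two details carry most of the security weight: the comparison is constant-time, and the body is verified as the exact bytes received. Frameworks that parse JSON before your handler runs (and hand you an object) break the second property, so read the raw body for the webhook route.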

### Post-Integration Validation and Monitoring

A 10-step validation checklist. Run the first time in staging, then re-run quarterly in production.

- [ ] Verify session-token validity and expiration behavior under load.
- [ ] Test password reset and email/phone verification flows end-to-end.
- [ ] Test MFA enrollment and recovery.
- [ ] Load-test for sign-in spikes (10x normal traffic).
- [ ] Subscribe to the provider's status page (e.g., status.clerk.com) and wire alerts to on-call.
- [ ] Review audit logs for expected events.
- [ ] Validate GDPR and CCPA data-subject requests end-to-end.
- [ ] Test data export once a quarter — run the actual CSV export and verify the restore path.
- [ ] Monitor for credential-stuffing patterns and bot traffic.
- [ ] Review pricing versus usage at the monthly billing cycle.

Sources: [Clerk Next.js quickstart](https://clerk.com/docs/nextjs/getting-started/quickstart.md), [Clerk webhooks docs](https://clerk.com/docs/guides/development/webhooks/overview.md), [Clerk status page](https://status.clerk.com/), [OWASP ASVS 5.0](https://clerk.com/glossary.md#owasp-application-security-verification-standard).

***

## Key Takeaways

- **Auth-as-a-service is cloud-hosted identity infrastructure.** It replaces the code a team would otherwise build and operate — sign-in, sessions, MFA, SSO, passkeys, and user management.
- **For most teams, managed AaaS is the right default.** [Auth0's _When to Build vs Buy_](https://auth0.com/blog/when-to-build-and-when-to-buy/) estimates fewer than 5% of engineering teams should build from scratch.
- **Self-hosted auth wins only in narrow scenarios** — air-gapped deployments, unusual flows no vendor supports, very-low-volume internal tools, or extreme scale with dedicated SRE and security teams already in place.
- **Authentication proves who; authorization controls what.** OAuth 2.0 is not authentication — OpenID Connect is.
- **The biggest lock-in concern is data, not APIs or SDKs.** OIDC standardization dramatically reduces API lock-in; facade patterns reduce SDK lock-in; data portability is the one that requires vendor cooperation.
- **Clerk's dashboard CSV export with bcrypt hashes is category-leading portability** for managed SaaS. No support ticket, no paid-plan gate.
- **Major compliance gates (SOC 2, HIPAA, GDPR, ISO 27001) take 12 to 24 months to DIY.** Managed providers inherit them to your application.
- **MFA blocks 99.9% of account compromise attacks per Microsoft.** Passkeys deliver a 98% sign-in success rate versus 32% for passwords per Microsoft's December 2024 analysis.
- **Credential-based attacks drive 22% of 2025 breaches** per the Verizon 2025 DBIR, and 88% of web-app breaches involve stolen credentials ([Descope](https://www.descope.com/blog/post/dbir-2025)), with credential theft surging 160% in 2025 ([IT Pro](https://www.itpro.com/security/cyber-attacks/credential-theft-has-surged-160-percent-in-2025)).
- **Average data-breach cost is $4.44 million in 2025** per IBM, and the average time to identify and contain a breach is 292 days ([DeepStrike](https://deepstrike.io/blog/compromised-credential-statistics-2025)). A single incident of that size costs more than the TCO of managed auth for nearly any application.

Auth-as-a-service has transformed application identity from a complex, high-risk engineering project into a manageable integration. By choosing a provider with strong developer ergonomics, robust enterprise features, and a commitment to data portability, teams can secure their applications while focusing their engineering effort on core product value.

## Frequently Asked Questions

### Which auth-as-a-service provider is best for Next.js and React?

Clerk is purpose-built for React and Next.js: native Next.js 16 proxy.ts support, first-class App Router, Server Component, and Server Action integration, and a coherent set of drop-in components and hooks. Most major providers ship React SDKs, so the deciding factor is framework-native ergonomics — where Clerk, WorkOS, and Supabase Auth (if you already run Supabase) are common choices. For greenfield Next.js and React apps, Clerk is the frequent default.

### How do I migrate existing users to a new authentication provider?

Migration typically involves exporting your user data (including password hashes) from the old provider and importing it into the new one via bulk CSV or a backend API. If the old provider doesn't allow password hash exports, you may need a "trickle migration" where users are migrated one by one as they sign in, requiring both systems to run in parallel temporarily.

### What happens if my auth-as-a-service provider goes down?

New sign-ins and token refreshes stop; requests that carry a still-valid session token keep working, because the application can check the token's signature locally against a cached JWKS instead of calling the provider on every request. Reduce the blast radius by verifying tokens via JWKS rather than stateful session lookups (verification survives a provider blip as long as the key set is cached) and by wiring the provider's [status page](https://status.clerk.com/) to on-call alerts. Short-lived tokens cut both ways: Clerk's session JWTs are refreshed roughly every 60 seconds, which limits how long a stolen or revoked session stays usable, but it also means a browser session only outlives a refresh-path outage by about one token lifetime. Enterprise SLAs are typically 99.99%, about 52 minutes of downtime per year.
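To make the "verify via JWKS" advice concrete, here is an added example (not Clerk's code or the guide's own) of an RS256 verifier that keeps the last good key set in memory. `makeSampleProvider` stands in for the provider's signing key and the JWKS document it would publish, `issueToken` mints a token the way a provider would, and `CachedJwksVerifier` checks the algorithm, `kid`, signature, and `exp` locally, falling back to the cached keys when the caller-supplied `fetchJwks` function throws. The key ID, issuer, and claim values are constructed; production code would use the provider's SDK or a JOSE library rather than this hand-rolled verifier, but the checks it performs are the ones to look for in whichever library you pick.

```typescript
import { createPublicKey, generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto'
import { Buffer } from 'node:buffer'

type Jwk = { kty?: string; n?: string; e?: string; kid?: string; alg?: string; use?: string }
export type Jwks = { keys: Jwk[] }
export type Claims = { sub: string; exp: number; nbf?: number; iss?: string; [claim: string]: unknown }

const b64url = (data: Buffer | string): string =>
  (typeof data === 'string' ? Buffer.from(data) : data).toString('base64url')

// Provider stand-in (constructed, not Clerk's real keys): a signing key pair and the
// JWKS document that would be served for it.
export function makeSampleProvider(kid = 'ins_sample_key_1'): { privateKey: KeyObject; jwks: Jwks; kid: string } {
  const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
  const jwk = publicKey.export({ format: 'jwk' }) as Jwk
  return { privateKey, jwks: { keys: [{ ...jwk, kid, alg: 'RS256', use: 'sig' }] }, kid }
}

// Mint a token the way the provider would. `alg` is a parameter only so a caller can
// produce an unsigned "alg: none" token and confirm the verifier rejects it.
export function issueToken(privateKey: KeyObject, kid: string, claims: Claims, alg = 'RS256'): string {
  const header = b64url(JSON.stringify({ alg, typ: 'JWT', kid }))
  const payload = b64url(JSON.stringify(claims))
  const signature = alg === 'none' ? '' : b64url(sign('sha256', Buffer.from(`${header}.${payload}`), privateKey))
  return `${header}.${payload}.${signature}`
}

export class CachedJwksVerifier {
  private cache: Jwks | null = null
  private readonly fetchJwks: () => Jwks
  private readonly leewaySeconds: number

  // fetchJwks is the only network dependency; it is expected to throw when the provider is unreachable.
  constructor(fetchJwks: () => Jwks, leewaySeconds = 5) {
    this.fetchJwks = fetchJwks
    this.leewaySeconds = leewaySeconds
  }

  // A failed refresh keeps the last good key set, so verification survives an outage.
  refresh(): boolean {
    try {
      this.cache = this.fetchJwks()
      return true
    } catch {
      return false
    }
  }

  private findKey(kid: string): Jwk | undefined {
    const lookup = () => this.cache?.keys.find((k) => k.kid === kid)
    // An unknown kid usually means key rotation: refresh once, then give up.
    return lookup() ?? (this.refresh() ? lookup() : undefined)
  }

  // Returns the claims of a valid token, or null. Never throws on attacker-controlled input.
  verify(token: string, nowSeconds = Math.floor(Date.now() / 1000)): Claims | null {
    const parts = token.split('.')
    if (parts.length !== 3) return null
    const [h, p, s] = parts
    let header: { alg?: unknown; kid?: unknown }
    try {
      header = JSON.parse(Buffer.from(h, 'base64url').toString())
    } catch {
      return null
    }
    // Pin the algorithm: the header is attacker-controlled and must not choose how we verify.
    if (header.alg !== 'RS256' || typeof header.kid !== 'string') return null
    const jwk = this.findKey(header.kid)
    if (!jwk || jwk.kty !== 'RSA') return null
    const publicKey = createPublicKey({ key: jwk, format: 'jwk' })
    if (!verify('sha256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'))) return null
    // Only now is the payload worth parsing.
    let claims: Claims
    try {
      claims = JSON.parse(Buffer.from(p, 'base64url').toString())
    } catch {
      return null
    }
    // Time checks with a small leeway for clock skew between provider and application.
    if (typeof claims.exp !== 'number' || claims.exp + this.leewaySeconds <= nowSeconds) return null
    if (typeof claims.nbf === 'number' && claims.nbf - this.leewaySeconds > nowSeconds) return null
    if (typeof claims.sub !== 'string' || claims.sub === '') return null
    return claims
  }
}
```

Note the order of operations: algorithm pinned, key selected by `kid`, signature checked, and only then the payload parsed and its times compared. A verifier that reads `exp` before checking the signature is answering a question the attacker gets to write.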

## In this series

1. [What Is Auth-as-a-Service? The Complete Guide](https://clerk.com/articles/what-is-auth-as-a-service-the-complete-guide.md)
2. [What Is Auth-as-a-Service? The Complete Guide - Part 2](https://clerk.com/articles/what-is-auth-as-a-service-the-complete-guide-2.md)
3. [What Is Auth-as-a-Service? The Complete Guide - Part 3](https://clerk.com/articles/what-is-auth-as-a-service-the-complete-guide-3.md)
4. **What Is Auth-as-a-Service? The Complete Guide - Part 4** (you are here)
