2025 Award
Best Agentic identity, 2025.
Editorial rationale
Agentic identity was the defining 2025 story (see the dedicated theme essay), and the field is uneven enough that placement here is almost entirely about who is actually shipping versus who is talking. WorkOS, Auth0, and Stytch all have credible MCP support, OAuth 2.1 conformance, dynamic client registration, and explicit agent-vs-human token semantics; Descope and Clerk are close behind. The Avoid placements reflect the most material gaps in the index: LoginRadius and ForgeRock have neither shipped nor publicly committed to the agentic identity standards stack as of 2025. For any net-new deployment expected to serve AI-agent traffic, the leader tier is the only defensible procurement path.
Leader
WorkOS
WorkOS is the strongest B2B-first CIAM in 2026 by deliberate scope choice, every product surface assumes the buyer is selling to enterprise IT, not to consumers. AuthKit's 1M MAU free tier makes it a credible Auth0 alternative for B2B SaaS that doesn't need adaptive risk or B2C consumer flows. For pure B2B SSO, SCIM, and audit logs, WorkOS is hard to beat at any price point.
Auth0
Auth0 remains the safest mid-market default for B2C plus B2B Enterprise SSO when developer velocity matters more than long-run TCO. Below 50k MAU it is hard to beat. Above 500k MAU, cost and Actions-driven lock-in make alternatives like FusionAuth (self-host), Cognito (AWS-native), or Stytch plus Corbado (passkey-first) increasingly attractive.
Stytch
Stytch is the strongest passkey-first CIAM in 2026 by orchestration quality, not raw feature count. Twilio acquired it on October 30, 2025; the product runs as a Twilio subsidiary with its own API surface, SDK family, and pricing, distinct from Twilio Verify. Post-acquisition the platform combines Stytch's modern auth with Twilio's communications infrastructure, repositioning it as a credible Auth0 alternative for developer-focused teams. Below 500k MAU the case is strong for both B2C and B2B SaaS; beyond that, gaps on FedRAMP, FGA, and adaptive MFA depth narrow it.
Strong challenger
Descope
Descope is the orchestration-first CIAM in 2026, its Flows visual editor is the most capable no-code auth designer in the market, paired with above-average passkey orchestration and an early MCP-native posture for AI agents. For mid-market B2C and B2B SaaS that wants modern auth without writing the orchestration layer, Descope is one of the strongest picks. Compliance breadth and ecosystem maturity still favor Auth0 above 500k MAU.
Clerk
Clerk is the default for Next.js and React teams under 100k MAU who care about time-to-first-login and polished UI more than federation breadth. Above 100k MAU and into enterprise SSO breadth, Auth0 still leads. For passwordless and B2B Organizations under that ceiling, Clerk is among the strongest in the market.
Niche pick
SlashID
SlashID is a 2022-vintage passwordless-first developer CIAM with API-first design and EU-sovereign positioning. Smaller and younger than incumbents, with narrower compliance, but the passwordless-by-default thesis and clean API surface are competitive for greenfield projects committed to the model. Worth shortlisting alongside Stytch and Hanko for passwordless-first B2C and B2B SaaS at startup scale.
Scalekit
Scalekit is a 2023-vintage entrant in the B2B-SSO-as-a-product segment, sitting alongside WorkOS and SSOJet but with even tighter focus on per-organization pricing for early-stage B2B SaaS. The product is young and the customer base is small, which limits battle-test coverage; pricing and DX are competitive with incumbents in the segment. Worth shortlisting alongside WorkOS and SSOJet for B2B-only SaaS at the early-stage tier.
Authsignal
Authsignal is the strongest identity orchestration layer in 2026, designed to sit in front of any underlying CIAM (Auth0, Cognito, Keycloak, custom-built) and add the passkey orchestration, adaptive risk decisioning, and step-up MFA logic that most full-platform vendors do badly. For teams with an existing CIAM that want to fix passkey adoption or harden against account takeover without replacing the primary platform, Authsignal is the singular pick. Not a full CIAM, pick one of those first if greenfield.
Avoid
LoginRadius
LoginRadius is a long-running B2C CIAM whose product footprint and operational posture have both narrowed materially relative to the category. The product covers basic social login, password registration, and a partial standards surface, but trails modern competitors on passkeys, OAuth 2.1, dynamic client registration, agentic-identity primitives, authorization depth, and developer experience. **Material gaps versus category leaders in 2026:** - No HIPAA support. Material for any deployment touching healthcare data. - SOC 2 and ISO 27001 are vendor-listed but the public audit and report evidence trail is thinner than peers. Current status should be re-verified directly with the vendor before procurement. - No publicly identifiable CISO or named security-leadership disclosure. Unusual for a CIAM vendor whose product is itself security infrastructure. - Customer-base signals point to material churn over the last several years (visible case-study removals, reduced public reference activity). - REST API quality has degraded versus peer expectations: limited consistency, no public API style guide or versioning policy, narrower SDK breadth than peers. **Alternatives we recommend for new deployments in 2026:** - [Auth0](/vendors/auth0/) for established B2C / B2B SaaS CIAM with full standards conformance, native passkeys, and Auth0 FGA for authorization. - [Stytch](/vendors/stytch/) for passkey-first developer-focused B2C with modern auth primitives. - [Descope](/vendors/descope/) for flow-builder orchestration with strong passkey support. - [SAP Customer Data Cloud](/vendors/sap-customer-data-cloud/) for enterprise B2C with consent and preference management at scale. For broader category context see the [CIAM Annual Report 2025](/annual-report/2025/) and the [B2C CIAM segment award](/annual-report/2025/awards/b2c-ciam/). **Bottom line:** treat LoginRadius as a procurement-blocking risk for new deployments until the security-attestation, security-leadership-disclosure, and operational-reliability questions are answered directly by the vendor.
ForgeRock
ForgeRock continues as a distinct platform within Ping Identity's portfolio in 2026, with Authentication Trees orchestration, deep on-prem deployment, and Java-heavy customization that suit large enterprise and public-sector buyers with installed deployments. For new CIAM evaluations, the post-acquisition roadmap uncertainty and the complexity of choosing between PingOne and ForgeRock Identity Cloud weigh heavily, most new buyers should evaluate PingOne first, and reach for ForgeRock only when on-prem or governance integration specifically requires it.