Start Here: How to Choose a CIAM Platform (A Guided Path)
Updated 2026-06-08 · 11 min read · By @guptadeepak
Key takeaways
- Pick CIAM in this order: identity shape, then build vs buy, then hard constraints, then scale and cost, then must-have primitives.
- Your identity shape (B2C, B2B SaaS, hybrid B2B2C) determines more than any single feature.
- Build only when identity is your product; for almost everyone else, buying wins.
- Hard constraints (data residency, self-host, FedRAMP, HIPAA) eliminate most of the field before you compare features.
- Model your 24-month MAU, not your current MAU. The per-MAU curve is where teams get trapped.
Why order matters
Most teams open three vendor sites, build a feature spreadsheet, and pick the row with the most checkmarks. That is backwards. Features converge across the category every quarter. What does not converge is fit: whether a platform matches your identity shape, survives your constraints, and prices sanely at the scale you are heading toward. Decide fit first, and the feature comparison becomes a short tie-breaker among two or three real candidates instead of a forty-eight-row exercise.
Work the five questions below in order. Each one removes vendors from consideration, so by the time you reach feature comparison the list is small.
Step 1: What is your identity shape?
This is the single most determining question, and the one teams under-weight.
- B2C (consumer). Individuals sign up for themselves. You care about registration conversion, social login, passwordless and passkeys, fraud and bot signals, and cost per monthly active user at volume. Tenancy is flat.
- B2B SaaS. Your customers are companies, and each company is a tenant with its own users, roles, and (eventually) its own identity provider. The decisive capabilities are the Organizations / multi-tenant model, per-tenant Enterprise SSO (SAML and OIDC), and SCIM provisioning. This is the axis most teams discover too late.
- Hybrid B2B2C. You serve both: consumers directly and business tenants whose end users also log in. You need two planes that coexist cleanly. See the reference architectures guide for how to keep them separate.
Workforce identity (your own employees logging into internal tools) is a different category, IAM, and out of scope here. If that is your problem, you want workforce SSO and lifecycle management, not CIAM. The distinction is covered in CIAM vs IAM vs IDaaS.
Result of Step 1: you now know whether B2B Organizations and SSO are must-haves or irrelevant. That alone splits the index roughly in half.
Step 2: Build or buy?
Build CIAM only when identity is itself your product, or when a hard requirement genuinely has no vendor answer. For everyone else, buying wins on time-to-market, on the security surface you do not have to own, and on three-year total cost once you account for the unhappy paths: account recovery, MFA enrollment edge cases, session revocation, breach response, and compliance evidence.
If you are leaning build, read build vs buy first, then come back. Open source self-hosting (Keycloak, FusionAuth, Zitadel, Ory) is a middle path: you avoid per-MAU fees and own your data, but you take on the operations. The honest cost there is on-call, not licensing.
Result of Step 2: managed SaaS, self-hosted open source, or build. This removes another large slice of the field.
Step 3: What are your hard constraints?
These are binary. A vendor either clears them or it is out. Apply them before any feature comparison.
- Data residency. Must data stay in the EU, in-country, or in your own cloud account? This eliminates vendors without the right regions or a self-host option.
- Self-hosting. Required for sovereignty, air-gapped environments, or a security mandate? That narrows you to the open source tier.
- Compliance floor. FedRAMP for US public sector, HIPAA for health data, PCI context, strong SOC 2 and ISO posture. The capability matrix scores each of these, so you can filter directly.
Result of Step 3: a much shorter list, often single digits, of vendors that can legally and architecturally serve you at all.
Step 4: What is your cost behavior at scale?
Price the band you will reach, not the one you are in. CIAM pricing is dominated by the per-MAU curve, and the trap is committing at 20k MAU to a model that becomes the largest line item in the budget at 500k.
Use the TCO calculator to model your 24-month MAU against the documented band assumptions. Two patterns to watch: B2C apps that will cross 100k MAU should price aggressively (this is where self-host or hyperscaler-native options start to win), and B2B teams should check whether Enterprise SSO is gated into a higher tier, because that is the cost that arrives exactly when you start closing enterprise deals.
Result of Step 4: you can rank the survivors by cost behavior, not just sticker price.
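To make the per-MAU trap concrete, here is an added example (not part of the original guide or of any vendor's pricing) that projects 24 months of compound MAU growth against a constructed tiered price schedule and reports the month in which the bill first exceeds a budget; the tier prices, growth rate and budget are placeholder assumptions.

```python
"""Project 24-month MAU and the resulting CIAM bill under a tiered schedule.

Added example for Step 4; the tier schedule, growth rate and budget are
constructed placeholders, not any vendor's published pricing.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Tier:
    up_to: float        # highest MAU this tier covers (inclusive)
    included: int       # MAU covered by the base fee
    base_fee: float     # monthly platform fee (USD)
    per_mau: float      # USD per MAU above `included`


# Constructed schedule: near-free at the bottom, a cliff at 50k, steep at volume.
SCHEDULE = [
    Tier(up_to=50_000,       included=10_000,  base_fee=0.0,      per_mau=0.02),
    Tier(up_to=500_000,      included=50_000,  base_fee=1_500.0,  per_mau=0.03),
    Tier(up_to=float("inf"), included=500_000, base_fee=15_000.0, per_mau=0.03),
]


def monthly_cost(mau: int, schedule=SCHEDULE) -> float:
    """Bill for one month at `mau`, using the first tier whose ceiling covers it."""
    tier = next(t for t in schedule if mau <= t.up_to)
    return round(tier.base_fee + max(0, mau - tier.included) * tier.per_mau, 2)


def project_mau(start: int, monthly_growth: float, months: int = 24) -> List[int]:
    """MAU at the end of months 1..`months` under compound monthly growth."""
    return [round(start * (1 + monthly_growth) ** m) for m in range(1, months + 1)]


def cost_curve(start: int, monthly_growth: float, months: int = 24) -> List[Tuple[int, int, float]]:
    """(month, mau, cost) triples: the curve Step 4 says to price against."""
    return [(m, mau, monthly_cost(mau))
            for m, mau in enumerate(project_mau(start, monthly_growth, months), start=1)]


def first_month_over(budget: float, curve) -> Optional[int]:
    """First month whose bill exceeds `budget`, or None if it never does."""
    return next((m for m, _, cost in curve if cost > budget), None)


if __name__ == "__main__":
    curve = cost_curve(start=20_000, monthly_growth=0.15)   # 20k MAU, 15%/month (constructed)
    for m, mau, cost in curve[::6]:
        print(f"month {m:2d}: {mau:>8,d} MAU -> ${cost:>10,.2f}/mo")
    print("budget of $5,000/mo first exceeded in month", first_month_over(5_000, curve))
```

Swap in a vendor's real tiers (and a separate schedule for an SSO-gated tier) to see where the two curves cross before signing at today's band.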
Step 5: Which primitives are non-negotiable?
Now, and only now, compare features, restricted to the handful of capabilities that would block you:
- Passkeys and passwordless as a first-class path, not a bolt-on, if conversion and phishing resistance matter.
- B2B Organizations, SSO, and SCIM if you are selling upmarket.
- Fine-grained authorization (ReBAC / Zanzibar-style) if your product has complex sharing or permissions.
- Agentic identity (scoped agent tokens, MCP support, agent-versus-human separation) if AI agents will act on behalf of your users. This is the newest axis and the one the market is moving on fastest.
Your reading path
Map your Step 1 answer to where to go next:
- B2C: the vendor index filtered to B2C-strong platforms, the passwordless guide, and the consumer-apps vertical.
- B2B SaaS: the B2B SaaS vertical, the Organizations and tenants guide, and the enterprise SSO guide.
- Leaving a platform you already run: the alternatives guides, organized by the pain that triggers a switch.
- Want it done for you: answer six questions in the vendor selector and it narrows the field to your shape.
Then take your three-to-five-vendor shortlist to the head-to-head comparisons for the final tie-break, and read the methodology so you know exactly how each rating was made.
The path in one view
- Shape decides whether B2B Organizations and SSO are must-haves.
- Build vs buy decides managed, self-hosted, or in-house.
- Constraints (residency, self-host, compliance) eliminate most vendors.
- Cost behavior at your 24-month scale ranks the survivors.
- Primitives break the final tie among two or three real candidates.
Decide fit before features, and CIAM selection stops being a spreadsheet and becomes a short, defensible decision.
Related vendors
Auth0
Auth0 remains the safest mid-market default for B2C plus B2B Enterprise SSO when developer velocity matters more than long-run TCO. Below 50k MAU it is hard to beat. Above 500k MAU, cost and Actions-driven lock-in make alternatives like FusionAuth (self-host), Cognito (AWS-native), or Stytch plus Corbado (passkey-first) increasingly attractive.
Clerk
Clerk is the default for Next.js and React teams under 100k MAU who care about time-to-first-login and polished UI more than federation breadth. Above 100k MAU and into enterprise SSO breadth, Auth0 still leads. For passwordless and B2B Organizations under that ceiling, Clerk is among the strongest in the market.
FusionAuth
FusionAuth is the right answer when you want self-hosted CIAM without taking on Keycloak's operational weight, and want the option to switch to managed without changing vendors. Single-binary deploy, modern docs, and a genuinely usable Community tier make it the practical default for self-host evaluations in 2026, particularly for B2C and mid-market B2B SaaS that don't need FedRAMP or Zanzibar-style FGA.
Keycloak
Keycloak is the de-facto open-source CIAM in 2026 and remains the right choice when data sovereignty, on-prem deployment, or zero per-MAU cost are non-negotiable. The trade-off is operational cost: running Keycloak well is closer to running PostgreSQL than running an SDK, and teams without that capacity should reach for FusionAuth (lighter ops) or a SaaS instead.
Stytch
Stytch is the strongest passkey-first CIAM in 2026 by orchestration quality, not raw feature count. Twilio acquired it on October 30, 2025; the product runs as a Twilio subsidiary with its own API surface, SDK family, and pricing, distinct from Twilio Verify. Post-acquisition the platform combines Stytch's modern auth with Twilio's communications infrastructure, repositioning it as a credible Auth0 alternative for developer-focused teams. Below 500k MAU the case is strong for both B2C and B2B SaaS; beyond that, gaps on FedRAMP, FGA, and adaptive MFA depth narrow it.
WorkOS
WorkOS is the strongest B2B-first CIAM in 2026 by deliberate scope choice: every product surface assumes the buyer is selling to enterprise IT, not to consumers. AuthKit's 1M MAU free tier makes it a credible Auth0 alternative for B2B SaaS that doesn't need adaptive risk or B2C consumer flows. For pure B2B SSO, SCIM, and audit logs, WorkOS is hard to beat at any price point.
FAQ
- I just need login for my app. Do I really need to think this hard?
- If you only need consumer login today and have no near-term B2B or compliance requirements, a modern developer-first platform will get you live in days, and the rest of this guide takes ten minutes to confirm you are not about to pick something you will migrate off in a year. The expensive mistakes are made by teams that pick on the first screen and discover the Organizations model, SSO economics, or data-residency gap only after they have built against the platform.
- Should I just pick the most popular vendor to be safe?
- Popularity is a weak proxy. The most popular platform is an excellent fit for one shape (mid-market, mixed B2C and B2B, under roughly 100k MAU) and a poor fit for others (very high-volume B2C where cost dominates, or strict self-host requirements). Match the platform to your shape and constraints, not to its market share.
- How many vendors should end up on my shortlist?
- Three to five. Fewer and you risk anchoring on the first option; more and the evaluation never converges. This guide is designed to get you from the full index to a defensible shortlist of that size.
Sources
- CIAM Compass vendor index and capability matrix
- CIAM Compass TCO methodology and band assumptions
- FIDO Alliance passkey deployment guidance