Skip to content
Deepak Gupta markCIAM Compass
hard90 days5 phases

Migrating from Auth0 to a Self-Hosted CIAM: A 90-Day Playbook

Updated 2026-05-06

Prerequisites

  • Engineering capacity for 2+ FTE-equivalent for the duration of the migration
  • Audit of all Auth0 Actions, Rules, and custom database connections currently in production
  • Operational competence for stateful service deployment (Postgres, Redis, observability stack)
  • Decision made on destination CIAM (Keycloak, FusionAuth, Zitadel, Ory) and its operational fit

Phases

  1. 1

    Discovery and inventory

    14 days

  2. 2

    Parallel deployment of destination CIAM

    21 days

  3. 3

    Shadow traffic and validation

    21 days

  4. 4

    User migration and cutover

    21 days

  5. 5

    Auth0 decommission and post-migration audit

    13 days

Migrating from a managed CIAM like Auth0 to a self-hosted alternative is meaningfully harder than migrating between managed platforms. The team takes on operational responsibility for a stateful service, builds in-house competence around upgrades and incident response, and accepts that "support" now means internal SRE rather than vendor SLAs. This playbook covers the 90-day path for a typical mid-market deployment landing on Keycloak, FusionAuth, Zitadel, or Ory.

Phase 1, Discovery and inventory (14 days)

The largest planning failure is underestimating Action complexity and the operational scope of self-hosted CIAM. Inventory both before estimating, then map each item to its destination-CIAM equivalent. Migration timelines depend on Action count and operational readiness, not user count, most teams that miss the 90-day target miss because they skipped this phase or rushed it.

Auth0 inventory. Every Action and Rule (legacy) currently deployed, with notes on the external services each touches. Every custom database connection. Every Enterprise Connection if multi-tenant. Every claim and metadata field consumed by the application. Every Auth0 Management API integration in admin tooling.

Operational inventory. Where the destination CIAM will run (Kubernetes cluster, VM fleet, managed Postgres). How HA topology works (multi-region, single-region with failover). Backup and restore procedures. Observability integration (logs, metrics, traces). Security patching cadence.

Skills inventory. Who owns the destination CIAM operationally after launch. What gaps exist (Java for Keycloak, Go for Zitadel/Ory, etc.). Hire or train accordingly during this phase.

Phase 2, Parallel deployment (21 days)

Stand up the destination CIAM in production-grade configuration. Configure Organizations, Enterprise Connections, MFA policy, branding, custom domains. Re-implement Actions in the destination's hooks model, this is where the bulk of engineering time goes.

Wire internal admin tooling to talk to both Auth0 and the destination. Don't migrate users yet. Run synthetic tests against the destination to validate the full auth surface (registration, login, MFA, recovery, SSO, token issuance) matches Auth0's behavior.

Phase 3, Shadow traffic and validation (21 days)

Replicate auth decisions at the destination for a fraction of production traffic. The pattern: each authenticated request to Auth0 is asynchronously replayed against the destination, decisions are compared, and divergence is flagged.

Standard ramp (CIAM migration practitioner reports, 2024–2026): start at 1% of traffic, validate for 48 hours, ramp to 10%, validate for a week, ramp to 50%, hold until cutover. Investigate every divergence; most will be claims-format or claim-mapping bugs that wouldn't have surfaced without shadow traffic.

Phase 4, User migration and cutover (21 days)

Bulk-export users from Auth0 via the User Import / Export API. Bulk-import into the destination. For bcrypt-hashed passwords, the destination accepts hashes natively and re-hashes on next login transparently. For legacy hash algorithms (MD5, SHA-1, custom database connections), run a forced password reset campaign for the affected minority.

The cutover is a DNS / configuration change, not a code change. With shadow traffic green for weeks, the destination is already authenticating the same users as Auth0; the cutover redirects production auth flows.

Keep Auth0 running for 30 days post-cutover with the database in read-only mode as a rollback path.

Phase 5, Decommission and post-migration audit (13 days)

After 30 days of green production at the destination, deprovision Auth0. Archive the audit log export. Remove Auth0 SDK code from the application. Update documentation, runbooks, and on-call playbooks for the destination CIAM.

Run a post-migration security audit: token formats, claims, MFA enforcement, recovery flows, audit log coverage. Verify the destination matches the Auth0 baseline on each axis.

When this playbook does not apply

The 90-day timeline assumes a typical mid-market deployment with under 100 Enterprise Connections and a manageable Action inventory. Larger deployments, 500+ Enterprise Connections, complex per-tenant Action variants, or regulated workloads requiring formal compliance attestation rebuild, should plan for 6–9 months and dedicated migration teams.

For destination-specific guidance, see Auth0 vs Keycloak, Auth0 vs FusionAuth, and the Auth0 migration pillar guide.

Last updated 2026-05-06.