CIAM vendors.

Amazon Cognito

Amazon Cognito is the right CIAM choice when the application is already deep in AWS and the buyer values IAM integration plus FedRAMP / PCI / HIPAA over developer velocity. Per-MAU economics are competitive with self-hosted Keycloak at the consumer scale and dramatically below SaaS competitors above 500k MAU. Outside AWS-native architectures, the DX gap relative to Auth0 / Clerk / Stytch is hard to justify.

Auth0

Auth0 remains the safest mid-market default for B2C plus B2B Enterprise SSO when developer velocity matters more than long-run TCO. Below 50k MAU it is hard to beat. Above 500k MAU, cost and Actions-driven lock-in make alternatives like FusionAuth (self-host), Cognito (AWS-native), or Stytch plus Corbado (passkey-first) increasingly attractive.

Authelia

Authelia is the lightweight self-hosted SSO portal for infrastructure access in 2026, single Go binary, Apache 2.0, designed for reverse-proxy forward-auth patterns rather than consumer-scale CIAM. It is intentionally narrow: no Organizations, no self-service registration, no SDK ecosystem. For homelab and self-hosted-infrastructure access control, Authelia is one of the cleanest choices; for customer identity, look at full-platform CIAM instead.

Authentik

Authentik is the modern alternative to Keycloak for self-hosted enterprise CIAM in 2026, Python-based, MIT-licensed, with a materially nicer admin UI than Keycloak's dated console. The trade-off is mid-weight operational profile and no managed cloud offering. For teams with Python operational competence and a strict-OSS mandate, Authentik is the lower-friction alternative to Keycloak.

Authress

Authress is the authorization-first developer CIAM in 2026, native ReBAC and Zanzibar-style FGA at a price point materially below Auth0 FGA or WorkOS FGA. For B2B SaaS designing fine-grained per-resource permissions where authorization is the binding constraint rather than authentication, Authress removes the two-vendor split (full CIAM plus separate authz service) most teams end up running. For teams whose binding constraint is auth methods or B2C scale, look elsewhere.

Authsignal is the strongest identity orchestration layer in 2026, designed to sit in front of any underlying CIAM (Auth0, Cognito, Keycloak, custom-built) and add the passkey orchestration, adaptive risk decisioning, and step-up MFA logic that most full-platform vendors do badly. For teams with an existing CIAM that want to fix passkey adoption or harden against account takeover without replacing the primary platform, Authsignal is the singular pick. Not a full CIAM, pick one of those first if greenfield.

BetterAuth

BetterAuth is the most-discussed code-first OSS auth library in the TypeScript ecosystem in 2026, strict MIT, bring-your-own-database, plugin-architecture extensible, and a DX that feels like a modern framework primitive rather than a SaaS. The trade-off is that without a managed offering, the team owns the operational burden, the compliance story, and the production runtime. For teams that want auth as a library rather than a service, BetterAuth is a strong default; for teams that want managed compliance and SLAs, look elsewhere.

Beyond Identity

Beyond Identity is the most security-forward passwordless platform in 2026, hardware-attested device identity bound to TPM / Secure Enclave goes beyond stock WebAuthn, and the Policy Engine for adaptive risk decisioning is among the most capable in the enterprise tier. The trade-offs are enterprise-only commercial structure (no public pricing) and additional enrollment friction from the device-binding model. For enterprise security-conscious deployments, particularly with FedRAMP or workforce IAM adjacencies, Beyond Identity is a top pick. For mid-market or low-friction B2C, look elsewhere.

Casdoor is the OSS CIAM with the strongest native authorization integration via Casbin (same maintainer), Apache 2.0 licensed and broad-featured. The trade-offs are dated DX, English-documentation rough edges, and a sprawling scope that spans CIAM plus adjacent domains. For teams that value Casbin authz tightly coupled to identity, or for China-region deployments where Casdoor has strong adoption, it is a credible OSS pick. For Western enterprise with strict compliance needs, look at Keycloak / FusionAuth / Zitadel instead.

Clerk

Clerk is the default for Next.js and React teams under 100k MAU who care about time-to-first-login and polished UI more than federation breadth. Above 100k MAU and into enterprise SSO breadth, Auth0 still leads. For passwordless and B2B Organizations under that ceiling, Clerk is among the strongest in the market.

Corbado

Corbado is the deepest passkey-specialist orchestration layer in 2026, focused exclusively on driving passkey adoption on top of any underlying CIAM, with adoption analytics, A/B testing, and recovery-flow tooling that no full-platform vendor ships. For teams running Auth0 / Cognito / Keycloak who want to fix passkey adoption without changing primary CIAM, Corbado is the singular pick alongside Authsignal. Not a full CIAM, pick one of those first if greenfield.

Curity

Curity is the standards-purist enterprise CIAM in 2026, among the most spec-correct OAuth 2.0 / OIDC implementations available, with strong FAPI and Open Banking support that suits financial services and regulated workloads. The configuration-as-code model treats identity like infrastructure-as-code, which appeals to engineering-mature enterprises. Outside the standards-correctness or FAPI use cases, the enterprise pricing and learning curve make broader-scope CIAM (Auth0, Ping) more practical.

CyberArk Identity

CyberArk Customer Identity (formerly Idaptive) is the right CIAM choice for existing CyberArk Privileged Access Management customers consolidating identity into one vendor, the CIAM-plus-PAM combination is uncommon and meaningful for security-conscious enterprises. FedRAMP Moderate plus strong adaptive MFA inherited from Idaptive suit regulated workloads. Outside CyberArk ecosystem, the standard enterprise-CIAM trade-offs apply: high pricing, dated DX, and limited mid-market access.

Descope

Descope is the orchestration-first CIAM in 2026, its Flows visual editor is the most capable no-code auth designer in the market, paired with above-average passkey orchestration and an early MCP-native posture for AI agents. For mid-market B2C and B2B SaaS that wants modern auth without writing the orchestration layer, Descope is one of the strongest picks. Compliance breadth and ecosystem maturity still favor Auth0 above 500k MAU.

Firebase Authentication

Firebase Authentication is the right CIAM choice for mobile-first B2C apps already running on Firebase / Google Cloud, with generous free tier and predictable per-MAU pricing. The trade-off is a B2C-first product that does not handle B2B Organizations or Enterprise SSO well; the upgrade to Identity Platform fills some gaps but at increased complexity. For Google Cloud-native consumer apps, Firebase Auth is hard to beat; for B2B SaaS or non-GCP architectures, look elsewhere.

ForgeRock

ForgeRock continues as a distinct platform within Ping Identity's portfolio in 2026, with Authentication Trees orchestration, deep on-prem deployment, and Java-heavy customization that suit large enterprise and public-sector buyers with installed deployments. For new CIAM evaluations, the post-acquisition roadmap uncertainty and the complexity of choosing between PingOne and ForgeRock Identity Cloud weigh heavily, most new buyers should evaluate PingOne first, and reach for ForgeRock only when on-prem or governance integration specifically requires it.

Frontegg

Frontegg is the strongest B2B SaaS CIAM in 2026 by Admin Portal and self-service end-customer experience, the buyer is a SaaS engineering team that needs to ship enterprise-grade IT admin features without building them, and Frontegg delivers more of that out of the box than Auth0 or WorkOS. The trade-off is narrower B2C feature coverage and a smaller ecosystem than Auth0; for B2B-first SaaS the Admin Portal alone often justifies the choice.

FusionAuth

FusionAuth is the right answer when you want self-hosted CIAM without taking on Keycloak's operational weight, and want the option to switch to managed without changing vendors. Single-binary deploy, modern docs, and a genuinely usable Community tier make it the practical default for self-host evaluations in 2026, particularly for B2C and mid-market B2B SaaS that don't need FedRAMP or Zanzibar-style FGA.

Hanko

Hanko is the open-source passkey-first CIAM in 2026, orchestration quality at the level of Stytch, but with AGPL self-host as an option and EU data sovereignty by default. For B2C consumer apps where passkey adoption is the goal and B2B Enterprise SSO is not the priority, Hanko is one of the strongest picks. For B2B SaaS or compliance-heavy workloads, the narrow scope shows.

IBM Verify

IBM Security Verify is the right CIAM choice for existing IBM enterprise shops with Cloud Pak for Security or QRadar deployments, where integration with the broader IBM Security portfolio justifies the platform on its own. FedRAMP High plus advanced post-quantum cryptography roadmap suit federal and high-assurance scenarios. Outside the IBM ecosystem, the DX gap and enterprise-only commercial structure make it the wrong answer for greenfield projects or mid-market evaluation.

Keycloak

Keycloak is the de-facto open-source CIAM in 2026 and remains the right choice when data sovereignty, on-prem deployment, or zero per-MAU cost are non-negotiable. The trade-off is operational cost, running Keycloak well is closer to running PostgreSQL than running an SDK, and teams without that capacity should reach for FusionAuth (lighter ops) or a SaaS instead.

Kinde

Kinde is a credible Clerk alternative for B2B SaaS startups in 2026, modern DX, transparent pricing, and B2B Organizations included from low tiers. The trade-offs are a smaller ecosystem and narrower compliance footprint than developer-first incumbents. For teams under 100k MAU prioritizing fast launch over breadth, Kinde shortlists alongside Clerk and Stytch.

LoginRadius is a long-running B2C CIAM whose product footprint and operational posture have both narrowed materially relative to the category. The product covers basic social login, password registration, and a partial standards surface, but trails modern competitors on passkeys, OAuth 2.1, dynamic client registration, agentic-identity primitives, authorization depth, and developer experience. **Material gaps versus category leaders in 2026:** - No HIPAA support. Material for any deployment touching healthcare data. - SOC 2 and ISO 27001 are vendor-listed but the public audit and report evidence trail is thinner than peers. Current status should be re-verified directly with the vendor before procurement. - No publicly identifiable CISO or named security-leadership disclosure. Unusual for a CIAM vendor whose product is itself security infrastructure. - Customer-base signals point to material churn over the last several years (visible case-study removals, reduced public reference activity). - REST API quality has degraded versus peer expectations: limited consistency, no public API style guide or versioning policy, narrower SDK breadth than peers. **Alternatives we recommend for new deployments in 2026:** - [Auth0](/vendors/auth0/) for established B2C / B2B SaaS CIAM with full standards conformance, native passkeys, and Auth0 FGA for authorization. - [Stytch](/vendors/stytch/) for passkey-first developer-focused B2C with modern auth primitives. - [Descope](/vendors/descope/) for flow-builder orchestration with strong passkey support. - [SAP Customer Data Cloud](/vendors/sap-customer-data-cloud/) for enterprise B2C with consent and preference management at scale. For broader category context see the [CIAM Annual Report 2025](/annual-report/2025/) and the [B2C CIAM segment award](/annual-report/2025/awards/b2c-ciam/). **Bottom line:** treat LoginRadius as a procurement-blocking risk for new deployments until the security-attestation, security-leadership-disclosure, and operational-reliability questions are answered directly by the vendor.

Logto

Logto is the modern OSS CIAM with the most aggressive pricing in 2026, MPL-2.0 self-hosted Community at any scale, Cloud free tier covering 5k MAU, and paid plans starting at $16/month. Connector-based pluggable architecture and clean TypeScript SDKs make it competitive on DX. The trade-off is narrower compliance and smaller community than Keycloak; for cost-sensitive greenfield projects, Logto is one of the strongest picks.

Microsoft Entra External ID

Microsoft Entra External ID went GA in September 2024 as the modern successor to Azure AD B2C, which entered end-of-sale to new customers on May 1, 2025 and retires existing B2C tenants on March 15, 2026, every Azure AD B2C customer should be in active migration. Entra External ID is the right CIAM choice when the organization is already standardized on Microsoft 365 and Azure, and when FedRAMP High or strict Microsoft-shop compliance is required. The materially modernized policy model and DX (vs B2C) close part of the gap, but still trail the developer-first tier on velocity and ergonomics. Outside Microsoft-native architectures, the integration story rarely justifies the friction.

miniOrange

miniOrange is a long-running SMB-and-mid-market CIAM with broad plugin ecosystem coverage (WordPress, Joomla, Magento, and many CMS / SaaS apps) and both cloud and on-prem deployment from one vendor. The price points sit below enterprise CIAM incumbents at comparable feature footprint. The trade-offs are dated DX, inconsistent documentation, and compliance gaps on FedRAMP and PCI DSS. For CMS-driven sites and SMB B2B SaaS needing on-prem flexibility, miniOrange is a credible mid-tier pick.

MojoAuth

MojoAuth is a B2C CIAM specialist focused on modern passwordless and enterprise-grade auth for consumer apps. Passwordless orchestration (passkeys, magic links, OTP) is well above the market median; SAML / OIDC / adaptive MFA bring enterprise-tier features into B2C pricing tiers; consent management is unusually mature. Consumer apps evaluating Auth0 alternatives at the 100k–1M MAU band should put MojoAuth on the shortlist alongside Stytch and Descope.

Oracle IAM Identity Domains

Oracle merged the standalone IDCS service into OCI IAM Identity Domains; existing IDCS tenants have been migrated and the brand is now 'Oracle IAM Identity Domains'. IDCS authentication methods are being deprecated in OCI services starting April 11, 2026. The platform is the right CIAM choice for existing Oracle Cloud Infrastructure customers and Oracle Fusion Applications deployments where native integration justifies the platform. FedRAMP High plus full enterprise compliance footprint suits regulated workloads on Oracle Cloud. Outside Oracle ecosystem, the DX gap and pricing opacity still make it the wrong answer for greenfield evaluation.

Ory

Ory is the most architecturally modern open-source CIAM in 2026, Go-based, Kubernetes-native, composable components, strict Apache 2.0, with native Zanzibar-style FGA via Keto that no other full-platform vendor in this index ships natively. The trade-off is operational scope: running four composable services rather than one binary suits Kubernetes-native teams and frustrates everyone else. For teams that want OSS plus FGA from one vendor, Ory is the singular pick.

Ping Identity

Ping Identity remains the right CIAM choice for large enterprise and public-sector workloads with complex federation, on-prem requirements, or regulated-industry compliance baselines that hyperscaler CIAM cannot meet. DaVinci flow orchestration is genuinely capable for complex auth journeys. The trade-offs, opaque pricing, fragmented post-ForgeRock product family, heavy professional services, make Ping the wrong answer for everything below the enterprise-quote threshold. After the 2023 ForgeRock acquisition the combined product surface is broader but more confusing.

PropelAuth

PropelAuth is a B2B-first developer-CIAM with a hosted self-service Org admin portal at the level of Frontegg's, at materially lower price for startup-and-mid-market scale. HIPAA-eligibility is uncommon at this price tier. For B2B SaaS startups whose customers need role hierarchies and Org-admin UX, PropelAuth shortlists with Frontegg, Kinde, and Clerk.

Rownd

Rownd is the embedded-B2C-auth-widget specialist in 2026, drop-in Hub component delivers a complete user-account UX with passwordless, consent management, and preference center in one. The product is intentionally B2C-narrow; for B2B SaaS or enterprise workloads, look elsewhere. For consumer apps that want polished out-of-box UX with serious GDPR consent capabilities, Rownd is a credible pick at lower cost than Auth0 with comparable B2C feature depth.

SAP Customer Data Cloud

SAP Customer Data Cloud (formerly Gigya) is the right CIAM choice for existing SAP Commerce Cloud or SAP Customer Experience customers, where the customer-data-unification heritage and SAP integration depth justify the platform. Twenty years of B2C consent management and preference center expertise are uncommon outside this product. Outside SAP shops, the DX gap and very high pricing make it the wrong choice for greenfield evaluation.

Scalekit

Scalekit is a 2023-vintage entrant in the B2B-SSO-as-a-product segment, sitting alongside WorkOS and SSOJet but with even tighter focus on per-organization pricing for early-stage B2B SaaS. The product is young and the customer base is small, which limits battle-test coverage; pricing and DX are competitive with incumbents in the segment. Worth shortlisting alongside WorkOS and SSOJet for B2B-only SaaS at the early-stage tier.

SlashID

SlashID is a 2022-vintage passwordless-first developer CIAM with API-first design and EU-sovereign positioning. Smaller and younger than incumbents, with narrower compliance, but the passwordless-by-default thesis and clean API surface are competitive for greenfield projects committed to the model. Worth shortlisting alongside Stytch and Hanko for passwordless-first B2C and B2B SaaS at startup scale.

SSOJet

SSOJet has emerged as a credible modern CIAM for B2B SaaS that needs Enterprise SSO + SCIM without paying WorkOS or Auth0 prices, with a product surface and DX that matches the developer-first tier. The 100k MAU free tier plus per-organization billing makes the unit economics genuinely competitive. The trade-offs are a younger ecosystem and narrower B2C feature set; for B2B-first SaaS that doesn't need consumer flows, SSOJet deserves shortlisting alongside WorkOS, Frontegg, and Auth0 B2B.

Stack Auth

Stack Auth is a 2023-vintage open-source alternative to Clerk for Next.js teams who want strict MIT licensing and self-host as an option. The DX is at the developer-first tier; the breadth of compliance, SDK coverage, and enterprise federation is not. For Next.js startups under 50k MAU prioritizing OSS guarantees, Stack Auth is a credible pick alongside Clerk and Kinde.

Strivacity

Strivacity is a modern enterprise CIAM that sits between developer-first products and the legacy enterprise tier, Journey Builder visual orchestration, consent management depth, and modern API surface, with founders carrying ForgeRock and Microsoft credibility. For mid-large enterprises that find Ping / ForgeRock pricing and complexity excessive but Auth0 insufficient on consent and orchestration, Strivacity is a credible alternative. The trade-offs are smaller customer base and no FedRAMP.

Stytch

Stytch is the strongest passkey-first CIAM in 2026 by orchestration quality, not raw feature count. Twilio acquired it on October 30, 2025; the product runs as a Twilio subsidiary with its own API surface, SDK family, and pricing, distinct from Twilio Verify. Post-acquisition the platform combines Stytch's modern auth with Twilio's communications infrastructure, repositioning it as a credible Auth0 alternative for developer-focused teams. Below 500k MAU the case is strong for both B2C and B2B SaaS; beyond that, gaps on FedRAMP, FGA, and adaptive MFA depth narrow it.

Supabase Auth

Supabase Auth is the right CIAM choice for B2C apps and developer-tools already on the Supabase platform, Auth integrates with PostgreSQL Row-Level Security in a way that no other CIAM matches, removing the need for a separate authz vendor for many use cases. The trade-off is a B2C-first product without first-class B2B Organizations or SAML; for B2B SaaS, look elsewhere. For greenfield Supabase-native apps, Supabase Auth is one of the strongest picks at low cost.

SuperTokens

SuperTokens is the modern OSS auth library with the cleanest pluggable architecture in 2026, Apache 2.0 self-hosted Core, Recipe-based composition (each auth method is a module), and strong session management primitives. For teams that want OSS auth as a library with optional managed offering, SuperTokens shortlists alongside FusionAuth and Zitadel. The trade-off is narrower compliance and weaker B2B Organizations than dedicated B2B platforms.

Tesseral

Tesseral is a 2024-vintage entrant in B2B-SaaS-OSS CIAM, with both managed cloud and self-hosted Apache 2.0 deployments. Smaller and younger than incumbents, but the pricing model and OSS option are competitive for early-stage B2B SaaS that wants the optionality. Worth shortlisting alongside Zitadel and SSOJet for B2B-only SaaS that values OSS self-host.

Transmit Security

Transmit Security is the right CIAM choice for fintech, banking, and high-fraud-pressure B2C deployments where unified CIAM plus fraud detection plus orchestration removes the typical three-vendor stack. The Mosaic platform's combination of risk decisioning, behavioral biometrics, and passkey orchestration is among the most capable in the enterprise tier. Enterprise-only pricing and opaque commercial structure exclude mid-market evaluation; for teams below that threshold, look at Auth0 plus Authsignal or Descope.

WorkOS

WorkOS is the strongest B2B-first CIAM in 2026 by deliberate scope choice, every product surface assumes the buyer is selling to enterprise IT, not to consumers. AuthKit's 1M MAU free tier makes it a credible Auth0 alternative for B2B SaaS that doesn't need adaptive risk or B2C consumer flows. For pure B2B SSO, SCIM, and audit logs, WorkOS is hard to beat at any price point.

Wristband

Wristband is a B2B-multi-tenant-CIAM with predictable per-tenant pricing, designed for SaaS apps where tenant isolation is the architectural anchor. Smaller and younger than WorkOS or Frontegg, with narrower compliance, but the pricing model is genuinely friendly for SaaS with growing customer counts. Worth evaluating alongside SSOJet and Scalekit for early-to-mid-stage B2B SaaS.

WSO2 Identity Server

WSO2 Identity Server is the most feature-complete enterprise OSS CIAM in 2026, twenty years of federation depth, native consent management, adaptive MFA, and identity governance integration that Keycloak does not match. Asgardeo (the managed cloud) is a credible option with WSO2's enterprise pedigree. The trade-offs are heavy operational profile, dated DX, and opaque enterprise pricing. For large enterprise and public-sector with serious federation requirements, WSO2 IS is a top OSS pick alongside Keycloak.

Zitadel

Zitadel is the modern open-source CIAM with the strongest B2B Organizations data model in 2026, Go-based, single-binary, event-sourced, and Apache 2.0 licensed throughout. For self-hosted teams that find Keycloak's operational profile too heavy and Ory's component model too complex, Zitadel splits the difference with a single deployment artifact and B2B-native primitives. Swiss data residency on Zitadel Cloud is a meaningful differentiator for sovereignty-conscious buyers.