Auth0
Okta, Inc. · Okta (acquisition closed May 2021, $6.5B)
Last verified 2026-03-23 · Reviewed by guptadeepak
Editorial verdict
Auth0 remains the safest mid-market default for B2C plus B2B Enterprise SSO when developer velocity matters more than long-run TCO. Below 50k MAU it is hard to beat. Above 500k MAU, cost and Actions-driven lock-in make alternatives like FusionAuth (self-host), Cognito (AWS-native), or Stytch plus Corbado (passkey-first) increasingly attractive.
At a glance
- Best for: Mid-market SaaS with mixed B2C and B2B Enterprise SSO needs
- Pricing: tiered-mau
- Free tier: 25,000 MAU
- Deployment: cloud-saas
- SOC 2 Type II: Yes
- Passkeys: Native
- Self-host: No
- Open source: No
Funding & business
- Funding model: Public company
- Total raised: $330M
- Latest round: Acquired · $6.5B · 2021
- Years in business: 13 yrs
- Round led by: Okta
- Profitable: Not disclosed
Raised ~$330M of VC before Okta acquired it for $6.5B in 2021; now Okta Customer Identity Cloud (NASDAQ: OKTA).
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Largest developer ecosystem in CIAM: npm install rates, sample apps, and community size are the category benchmark.
- Most extensive social and enterprise federation library out of the box.
- Mature B2B Organizations model for SaaS tenant separation.
- Auth0 FGA brings Zanzibar-style fine-grained authorization without a separate vendor.
Limitations
- MAU pricing scales steeply; cost per MAU often exceeds $0.05–$0.10 above 100k.
- Actions-based extensibility creates lock-in; portable to neither Okta Workflows nor a self-hosted runner.
- Passkey UI is generic, with no device-aware prompting; expect 5–10% adoption without orchestration.
- MCP / agentic identity is partial via Actions; no first-class agent token model in 2026.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Support |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | Yes |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Yes |
| Passwordless-only flows | Yes |
| Adaptive MFA | Yes |
| Step-up auth | Yes |

| Capability | Support |
|---|---|
| RBAC | Yes |
| ABAC | Partial |
| ReBAC | No |
| FGA engine | Yes |
| API authorization | Yes |
| Fine-grained permissions | Yes |

| Capability | Support |
|---|---|
| Self-service registration | Yes |
| Progressive profiling | Yes |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |

| Capability | Support |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, next, vue, angular, ios, swift, android, kotlin, java, python, go, ruby, php, dotnet |
| CLI | Yes |
| Terraform provider | Yes |
| Local emulator | No |
| Extension model | Actions (Node.js serverless) |

| Capability | Support |
|---|---|
| Bot detection | Yes |
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | Yes |
| Log streams | Yes |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Partial |
| Post-quantum roadmap | No |

| Capability | Support |
|---|---|
| MCP support | Partial |
| OAuth 2.1 | Yes |
| Dynamic client registration | Yes |
| Agent vs human token separation | No |
| Web Bot Auth | No |

| Capability | Support |
|---|---|
| SOC 2 Type II | Yes |
| ISO 27001 | Yes |
| ISO 27018 | Yes |
| HIPAA | Yes |
| PCI DSS | Level 1 (with config) |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | High (via Okta) |
| EU data residency | Yes |

| Capability | Support |
|---|---|
| Consent management | Partial |
| Preference center | Partial |
| Purpose-specific consent | No |
| Integrates with CMPs | OneTrust, Cookiebot |
Pricing
| Monthly active users | Estimated price |
|---|---|
| 10,000 MAU | $240/mo |
| 100,000 MAU | $1,200/mo |
| 500,000 MAU | $4,500/mo |
| 1,000,000 MAU | $9,500/mo |
- MAU overages compound quickly above 50k
- Enterprise connection fee for SAML
- Adaptive MFA gated to higher tiers
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Mid-market SaaS with mixed B2C and B2B Enterprise SSO needs
- Teams that prioritize developer ecosystem and React/Next.js DX
Not for
- Cost-sensitive consumer apps above 500k MAU
- Teams that need MCP-native AI agent identity in 2026
- Self-hosted / data-sovereignty-mandatory deployments
FAQ
- Is Auth0 the same as Okta?
  Auth0 is a product line owned by Okta since 2021. It runs as Okta Customer Identity Cloud while Okta Workforce Identity Cloud handles employee access.
- Does Auth0 support passkeys?
  Yes. Auth0 supports WebAuthn passkeys natively across web and mobile SDKs, but the default UI does not perform device-aware prompting, which keeps adoption rates around 5–10% without orchestration.
- What does Auth0 cost at 500k MAU?
  At 500k MAU, expect $4,000–$5,000 per month on the Essentials/Professional tier, rising to $10k or more once Enterprise SSO connections, MFA add-ons, and FGA usage are layered in. Always request a custom quote at this scale.
- Can I self-host Auth0?
  No. Auth0 is cloud-only SaaS. For self-hosting, look at Keycloak, Ory, FusionAuth, or Zitadel.
Sources
- Auth0 Pricing Page, accessed 2026-04-22
- Auth0 Documentation, accessed 2026-04-22
- Okta Q1 FY26 Earnings, accessed 2026-04-22
What Auth0 actually is
Auth0 is Okta's developer-focused CIAM product line, sold as Okta Customer Identity Cloud. It runs as a multi-tenant SaaS in AWS regions across the US, EU, AU, and JP, with optional Private Cloud deployments for regulated customers. The buyer is typically an engineering team standing up auth for a SaaS product who needs B2C onboarding plus B2B Enterprise SSO without building either from scratch.
The product surface is wide: hosted login pages, a Universal Login customizer, a Rules-then-Actions extensibility model (Actions is the current path; Rules and Hooks are deprecated), and a fine-grained authorization product (Auth0 FGA) modeled on Google's Zanzibar paper. Organizations is the B2B model, tenants-within-a-tenant, and remains one of the more mature implementations in the market.
Where Auth0 wins
The default play is "don't think about auth for the first 18 months." Below 50k MAU the free tier covers most B2C apps, and the paid tier's per-MAU cost is competitive. The SDK coverage is the broadest in the category, the docs are well-maintained, and the community is large enough that nearly every integration question has been answered somewhere.
For B2B SaaS, Organizations plus Enterprise SSO connections cover the SAML / OIDC matrix that buyers ask for in security questionnaires. Auth0 FGA, while still under-used, gives teams a Zanzibar-style permission engine they would otherwise have to buy from Authzed or build on OpenFGA themselves.
Where Auth0 hurts
Pricing is the lasting friction. Above 100k MAU the per-user math compounds, Enterprise SSO connections are billed per-connection, Adaptive MFA is gated to higher tiers, and MAU overages can double a quarterly bill before procurement notices. At 500k MAU expect $4–5k per month on standard tiers, climbing to $10k+ as add-ons accumulate.
The Actions extensibility model is convenient but proprietary. Code written for Actions does not run on Okta Workflows, on a self-hosted Keycloak, or anywhere else; outbound migration involves rewriting every Action against the new vendor's hooks model. Combined with Auth0's database connection format, this is the lock-in vector that makes outbound migrations a 60–90 day exercise.
Passkey support is technically present but UX-naïve. Without device-aware prompting (the prompt should know whether the user has a synced passkey on this device), adoption stalls at 5–10%. Teams pursuing serious passwordless rollouts increasingly pair Auth0 with an orchestrator like Authsignal or Corbado, or migrate to a passkey-native vendor.
How Auth0 compares
For B2B SaaS under 100k MAU, Clerk is the most credible direct alternative on developer experience and time-to-first-login. For pure B2B with deep Enterprise SSO needs, WorkOS and Frontegg win on the SSO-first feature set. For self-hosted, Keycloak and FusionAuth are the standard alternatives. For passkey-first consumer apps, Stytch and Hanko deserve serious evaluation.
Editorial changelog (1 entry)
Capability matrix and pricing bands re-verified against the vendor's latest documentation and changelog.
