Descope
Last verified 2026-04-14 · Reviewed by guptadeepak
Editorial verdict
Descope is the orchestration-first CIAM in 2026: its Flows visual editor is the most capable no-code auth designer in the market, paired with above-average passkey orchestration and an early MCP-native posture for AI agents. For mid-market B2C and B2B SaaS that wants modern auth without writing the orchestration layer, Descope is one of the strongest picks. Compliance breadth and ecosystem maturity still favor Auth0 above 500k MAU.
At a glance
- Best for: Teams that want orchestration logic without writing it themselves
- Pricing: tiered-mau
- Free tier: 7,500 MAU
- Deployment: cloud-saas
- SOC 2 Type II: Yes
- Passkeys: Native
- Self-host: No
- Open source: No
Funding & business
- Funding model: Venture-backed
- Total raised: $88M
- Latest round: Seed · $53M · 2023
- Years in business: 4 yrs
- Round led by: Lightspeed Venture Partners
- Profitable: Not disclosed
Investors
One of the largest seed rounds in CIAM history: $53M at launch, extended to $88M. Founded by the Demisto (Palo Alto Networks) team.
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Identity orchestration (Flows): the no-code visual editor for auth flows is the strongest in the market, including conditional logic, branching MFA, and risk-based step-up.
- Fast time-to-passkey-adoption: Descope's Flow templates ship with device-aware prompting and recovery designed in.
- Native MCP support for AI agent identity: an early mover among full-platform CIAM vendors.
- Founded by ex-Imperva security veterans, which shows in the bot defense and risk decisioning surface.
Limitations
- Smaller community and template ecosystem than Auth0: fewer Stack Overflow answers, fewer third-party integrations.
- Flow editor adds a learning curve; teams who want code-only auth may find it heavier than Stytch or Clerk.
- Compliance footprint is narrower: no FedRAMP, no PCI DSS direct attestation.
- B2B Organizations model is solid but less battle-tested than Auth0's at >100k tenant scale.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Support |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | Yes |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Yes |
| Passwordless-only flows | Yes |
| Adaptive MFA | Yes |
| Step-up auth | Yes |

| Capability | Support |
|---|---|
| RBAC | Yes |
| ABAC | Yes |
| ReBAC | Partial |
| FGA engine | Partial |
| API authorization | Yes |
| Fine-grained permissions | Yes |

| Capability | Support |
|---|---|
| Self-service registration | Yes |
| Progressive profiling | Yes |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |

| Capability | Support |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, next, vue, ios, swift, android, kotlin, python, go, php, java, dotnet |
| CLI | Yes |
| Terraform provider | Yes |
| Local emulator | No |
| Extension model | Flows (no-code visual editor) + Connectors |

| Capability | Support |
|---|---|
| Bot detection | Yes |
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | Yes |
| Log streams | Yes |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Partial |
| Post-quantum roadmap | No |

| Capability | Support |
|---|---|
| MCP support | Yes |
| OAuth 2.1 | Yes |
| Dynamic client registration | Yes |
| Agent vs human token separation | Partial |
| Web Bot Auth | No |

| Capability | Support |
|---|---|
| SOC 2 Type II | Yes |
| ISO 27001 | Yes |
| ISO 27018 | No |
| HIPAA | Yes |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |

| Capability | Support |
|---|---|
| Consent management | Partial |
| Preference center | Partial |
| Purpose-specific consent | Partial |
| Integrates with CMPs | n/a |
Pricing
| Monthly active users | Estimated price |
|---|---|
| 10,000 MAU | $99/mo |
| 100,000 MAU | $850/mo |
| 500,000 MAU | $3,000/mo |
| 1,000,000 MAU | $5,800/mo |
- B2B add-on for SSO connections and SCIM
- Identity orchestration (Flows) included at all tiers
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Teams that want orchestration logic without writing it themselves
- B2C apps targeting high passkey adoption with risk-aware step-up
- Mid-market SaaS evaluating modern alternatives to Auth0 below 500k MAU
- Early adopters of agentic / AI-agent identity
Not for
- Workloads requiring FedRAMP or PCI DSS
- Teams that strongly prefer code-as-config over visual flow editors
- Self-hosted deployments
FAQ
- What is Descope Flows?
  Flows is Descope's visual identity orchestration layer, a no-code editor that lets teams design login, signup, MFA, and recovery flows with conditional branching, risk-based decisioning, and reusable building blocks. It functions as the orchestration layer that vendors like Authsignal sell separately.
- Does Descope support AI agent identity (MCP)?
  Yes, Descope ships native MCP support for issuing scoped, short-lived tokens to AI agents and distinguishing them from human-issued tokens. Among full-platform CIAM vendors, Descope is among the earliest to support this in production.
- How does Descope compare to Auth0 on price?
  Descope is materially cheaper than Auth0 below 500k MAU at standard configurations, especially when Adaptive MFA is included (which Auth0 gates to higher tiers and Descope includes by default). Above 500k MAU the comparison is closer and depends on Enterprise SSO connection counts.
Sources
- Descope Pricing, accessed 2026-04-22
- Descope Documentation, accessed 2026-04-22
- Descope Series A announcement (2022), accessed 2026-04-22
What Descope is
Descope launched in 2022, founded by veterans of Imperva and Identitymind. The pitch from day one was identity orchestration: the bottleneck in modern CIAM rollouts isn't auth protocol support but the flow logic on top (when to step up, when to silently allow, when to enroll a passkey, what to do when a user lands without one). The Flows visual editor is the product's differentiator and the reason most teams pick Descope over Auth0 or Stytch.
Where Descope wins
Flows is the headline. Where competitors expose a code SDK and ask the team to wire up MFA decisioning, Descope ships a visual editor that handles conditional branching, risk-based step-up, recovery flows, and passkey enrollment as composable building blocks. The pre-built templates ship with device-aware prompting and orchestration patterns that take months to build elsewhere.
The MCP and AI-agent identity story is also more mature than at most full-platform CIAM vendors: Descope ships first-class scoped tokens for agents and patterns for distinguishing agent vs human authentication. As MCP-driven AI agents become real production traffic, this matters.
The team's security background (Imperva, Identitymind) shows in the risk decisioning, bot defense, and adaptive MFA surface. These are areas where Auth0 has historically been stronger than Stytch and Clerk; Descope is competitive with Auth0 here while being materially cheaper.
Where Descope hurts
Community size is the lasting friction. Auth0 and Clerk have an order of magnitude more Stack Overflow questions, more sample apps, and more third-party integrations. Descope's docs are good, but the ecosystem effect favors the incumbents.
Code-first teams who don't want a visual editor can find Flows heavier than necessary. Stytch's pure-API model is simpler if you're going to write the orchestration in code anyway.
Compliance breadth is narrower than Auth0's: no FedRAMP, no PCI DSS direct attestation. For most consumer and B2B SaaS this is fine; for federal or fintech workloads it isn't.
How Descope compares
The two most direct comparisons are Stytch vs Descope and Auth0 vs Descope. For pure B2B SSO with deep federation, WorkOS is closer. For self-hosted, Keycloak and FusionAuth remain the standard alternatives. For orchestration as a separate layer wrapping any underlying CIAM, Authsignal is the specialist option.
Editorial changelog (1 entry)
Editorial review: capability matrix and TCO bands confirmed against the latest vendor documentation.