Stack Auth
Last verified 2026-05-05 · Reviewed by guptadeepak
Editorial verdict
Stack Auth is a 2023-vintage open-source alternative to Clerk for Next.js teams who want strict MIT licensing and self-host as an option. The DX is at the developer-first tier; the breadth of compliance, SDK coverage, and enterprise federation is not. For Next.js startups under 50k MAU prioritizing OSS guarantees, Stack Auth is a credible pick alongside Clerk and Kinde.
At a glance
- Best for: Next.js teams that want strict-OSS self-hostable CIAM with Clerk-grade DX
- Pricing: tiered-mau
- Free tier: 10,000 MAU
- Deployment: cloud-saas, self-hosted
- SOC 2 Type II: Partial
- Passkeys: Native
- Self-host: Yes
- Open source: No
Funding & business
- Funding model: Venture-backed
- Total raised: $500K
- Latest round: Pre-seed · $500K · 2024
- Years in business: 3 yrs
- Round led by: Y Combinator
- Profitable: Not disclosed
Investors
Open-source Clerk alternative (Zurich); YC-backed pre-seed.
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Next.js-first DX with pre-built components that drop in faster than any other CIAM in 2026.
- MIT-licensed self-hostable Community edition, strict OSS without commercial-use clauses.
- Modern API design with idiomatic React server-component support.
- Built-in B2B Organizations and team management included from the free tier.
Limitations
- Very young (2023), small customer base, narrow battle-test coverage.
- Compliance footprint is minimal: SOC 2 Type II is in progress, with no other attestations.
- Smaller SDK breadth than Clerk, heavily focused on Next.js / React.
- Enterprise federation is partial; not yet at Auth0 / WorkOS level.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Support |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | No |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | No |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Partial |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Partial |
| Passwordless-only flows | Yes |
| Adaptive MFA | No |
| Step-up auth | Partial |

| Capability | Support |
|---|---|
| RBAC | Yes |
| ABAC | No |
| ReBAC | No |
| FGA engine | No |
| API authorization | Yes |
| Fine-grained permissions | Partial |

| Capability | Support |
|---|---|
| Self-service registration | Yes |
| Progressive profiling | No |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |

| Capability | Support |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, next |
| CLI | Yes |
| Terraform provider | No |
| Local emulator | Yes |
| Extension model | Server functions + webhooks |

| Capability | Support |
|---|---|
| Bot detection | No |
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | No |
| Log streams | Partial |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Partial |
| Post-quantum roadmap | No |

| Capability | Support |
|---|---|
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | No |
| Agent vs human token separation | No |
| Web Bot Auth | No |

| Capability | Support |
|---|---|
| SOC 2 Type II | Partial |
| ISO 27001 | No |
| ISO 27018 | No |
| HIPAA | No |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |

| Capability | Support |
|---|---|
| Consent management | No |
| Preference center | No |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| Monthly active users | Estimated cost |
|---|---|
| 10,000 MAU | $0/mo |
| 100,000 MAU | $290/mo |
| 500,000 MAU | $1,300/mo |
| 1,000,000 MAU | $2,600/mo |
- Generous free tier; paid plans start at $49/month
- Self-hosted Community edition is fully open source under MIT
- Pre-built Next.js components included in SDK
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Next.js teams that want strict-OSS self-hostable CIAM with Clerk-grade DX
- Open-source projects requiring MIT-licensed auth
- Greenfield startups under 50k MAU
Not for
- Workloads requiring HIPAA, FedRAMP, ISO 27001, or PCI DSS
- Teams not committed to Next.js / React
- Mid-to-large enterprise federation requirements
FAQ
- How does Stack Auth compare to Clerk?
  Both target Next.js / React DX excellence at the developer-first tier. Clerk is more mature, has broader features, and a larger customer base; Stack Auth is open-source under MIT with a self-host option Clerk does not offer. For OSS-mandated environments, Stack Auth wins; for production maturity, Clerk wins.
- Is Stack Auth fully open source?
  Yes, MIT licensed across the codebase. Self-hosted Community edition is unrestricted at any scale. Stack Auth Cloud is the managed offering with paid tiers.
- Should I pick Stack Auth or Hanko?
  Both are OSS-leaning developer-first CIAM. Hanko is passkey-first and EU-headquartered with strict GDPR posture; Stack Auth is Next.js-first and US-headquartered with broader auth method support. The pick depends on whether your binding constraint is passkey orchestration (Hanko) or Next.js DX with B2B Organizations (Stack Auth).
Sources
- Stack Auth Pricing (accessed 2026-04-22)
- Stack Auth Documentation (accessed 2026-04-22)
- Stack Auth GitHub (accessed 2026-04-22)
What Stack Auth is
Stack Auth launched in 2023 with a focused thesis: open-source the Clerk-style developer experience under MIT. The product surface is Next.js-first, with pre-built React server components that deliver the fastest "npm install to working login" path among the OSS CIAM in this index. Both managed (Stack Auth Cloud) and self-hosted (MIT Community edition) deployments are available from the same codebase.
Where Stack Auth wins
Next.js DX is at the level of Clerk's, with strict MIT licensing and no commercial-use clauses or contributor-licensing surprises. Self-hosting is unrestricted. Pre-built React server components and idiomatic hooks put a first login within reach in under 30 minutes for Next.js teams.
Where Stack Auth hurts
Stack Auth is very young, with a small customer base and narrow battle-test coverage. Compliance is in progress only. SDK breadth is heavily Next.js / React focused; teams not on that stack should look elsewhere. Enterprise federation is partial; for serious B2B SAML edge cases, look at Auth0 or WorkOS.
How Stack Auth compares
The closest comparisons are Clerk vs Stack Auth, Hanko vs Stack Auth, and Stack Auth vs BetterAuth for the OSS-Next.js-first decision. For broader OSS CIAM, Keycloak, FusionAuth, and Zitadel are alternatives.
Editorial changelog (1 entry)
Routine profile review: capabilities, pricing, and editorial verdict re-verified.