Stytch
Twilio · Twilio (October 30, 2025)
Last verified 2026-05-08 · Reviewed by guptadeepak
Editorial verdict
Stytch is the strongest passkey-first CIAM in 2026 by orchestration quality, not raw feature count. Twilio acquired it on October 30, 2025; the product runs as a Twilio subsidiary with its own API surface, SDK family, and pricing, distinct from Twilio Verify. Post-acquisition the platform combines Stytch's modern auth with Twilio's communications infrastructure, repositioning it as a credible Auth0 alternative for developer-focused teams. Below 500k MAU the case is strong for both B2C and B2B SaaS; beyond that, gaps on FedRAMP, FGA, and adaptive MFA depth narrow it.
At a glance
- Best for: Consumer apps prioritizing high passkey adoption out of the box
- Pricing: tiered-mau
- Free tier: 10,000 MAU
- Deployment: cloud-saas
- SOC 2 Type II: Yes
- Passkeys: Native
- Self-host: No
- Open source: No
Funding & business
- Funding model: Public company
- Total raised: $146M
- Latest round: Series B · $90M · 2021
- Years in business: 6 yrs
- Round led by: Coatue
- Profitable: Not disclosed
Raised $146M as an independent passwordless startup at a $1B valuation; acquired by Twilio in October 2025 (terms undisclosed).
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Best-in-class passkey orchestration in 2026: conditional UI by default, device-aware prompting, and recovery flow design baked in.
- Distinct B2C and B2B products with appropriate models for each (B2B Organizations, B2C consumer flows).
- Modern API surface with strong TypeScript typing across SDKs.
- Acquired by Twilio in 2025, which expanded the product into Twilio's communications stack while keeping the developer-first DX.
Limitations
- No first-class FGA / Zanzibar-style fine-grained authorization; pair with OpenFGA, Authzed, or Permify for complex authz.
- Compliance footprint is narrower than Auth0: no FedRAMP, and PCI DSS is not directly available.
- Smaller SDK breadth than Auth0 (ecosystem effect, not technical limitation).
- Adaptive MFA decisioning is less mature than Auth0 or Descope's orchestration layer.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Support |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | No |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Yes |
| Passwordless-only flows | Yes |
| Adaptive MFA | Partial |
| Step-up auth | Yes |

| Capability | Support |
|---|---|
| RBAC | Yes |
| ABAC | Partial |
| ReBAC | No |
| FGA engine | No |
| API authorization | Yes |
| Fine-grained permissions | Partial |

| Capability | Support |
|---|---|
| Self-service registration | Yes |
| Progressive profiling | Yes |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |

| Capability | Support |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, next, ios, swift, android, kotlin, python, go, ruby |
| CLI | Yes |
| Terraform provider | No |
| Local emulator | No |
| Extension model | Webhooks + JWT customization |

| Capability | Support |
|---|---|
| Bot detection | Yes |
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | Yes |
| Log streams | Partial |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Partial |
| Post-quantum roadmap | No |

| Capability | Support |
|---|---|
| MCP support | Partial |
| OAuth 2.1 | Yes |
| Dynamic client registration | Yes |
| Agent vs human token separation | No |
| Web Bot Auth | No |

| Capability | Support |
|---|---|
| SOC 2 Type II | Yes |
| ISO 27001 | Yes |
| ISO 27018 | No |
| HIPAA | Yes |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |

| Capability | Support |
|---|---|
| Consent management | Partial |
| Preference center | Partial |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| Monthly active users | Estimated price |
|---|---|
| 10,000 MAU | $99/mo |
| 100,000 MAU | $950/mo |
| 500,000 MAU | $3,200/mo |
| 1,000,000 MAU | $6,200/mo |
- Consumer (B2C) and B2B products are priced separately
- Enhanced fraud / device fingerprinting gated to higher tiers
- Enterprise SSO connections billed per-connection
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Consumer apps prioritizing high passkey adoption out of the box
- B2B SaaS teams wanting B2B Organizations + Enterprise SSO without paying enterprise prices below 100k MAU
- Teams switching off Auth0 for cost reasons under 500k MAU
Not for
- Workloads requiring FedRAMP or extensive compliance attestations
- Authorization-heavy use cases needing Zanzibar-style FGA
- Self-hosted deployments
FAQ
- Was Stytch acquired by Twilio?
  Yes. Twilio announced the acquisition on October 30, 2025. Stytch operates as a Twilio subsidiary; the product line, DX, and pricing model remain separate from Twilio Verify, with no codebase or API merge. See Deepak Gupta's analysis at guptadeepak.com/twilio-stytch-developer-ciam-auth0-alternatives-2025/ for the post-acquisition positioning.
- How does Stytch's passkey adoption compare to other vendors?
  Stytch customers consistently report 30–50%+ passkey adoption within six months of launch, materially above the 5–10% baseline seen on vendors without device-aware prompting. The orchestration layer is the differentiator; see the passwordless guide for what "orchestration quality" means.
- Does Stytch have B2B Organizations like Auth0?
  Yes. Stytch B2B is a separate product surface with first-class Organizations, Enterprise SSO connections, and SCIM. It has feature parity with Auth0 Organizations for most B2B SaaS use cases under 100k MAU.
Sources
- Stytch Pricing, accessed 2026-05-08
- Stytch Documentation, accessed 2026-05-08
- Twilio acquires Stytch (October 30, 2025), Deepak Gupta's analysis, accessed 2026-05-08
What Stytch is
Stytch launched in 2020 as a passwordless-first CIAM API, and shipped its B2B product line in 2022. Twilio acquired it in 2025; the product remains a separate API surface from Twilio Verify, with its own SDK family, docs, and pricing. The buyer is typically an engineering team that wants modern passkey-first auth without building the orchestration layer themselves.
Where Stytch wins
The passkey orchestration story is the differentiator. Most CIAM vendors have shipped WebAuthn support; few have shipped the prompting layer that decides when to ask, what to do when a user has no passkey on this device, and how to handle recovery. Stytch's defaults are aggressive in the right direction: conditional UI on by default, device-aware prompting, and recovery flows that don't backdoor MFA. Customers consistently land at 30–50% passkey adoption inside six months.
The B2C / B2B split is also more honest than competitors who try to serve both segments with one model. B2C customers get progressive profiling, magic links, and consumer-grade fraud signals; B2B customers get Organizations, Enterprise SSO with SAML / OIDC, and SCIM provisioning. Pricing the two product lines separately reflects that the buyer journey is different.
Where Stytch hurts
Authorization is the weakest leg. There's no native Zanzibar-style FGA engine, and ABAC support is partial. Teams with serious authorization needs end up running OpenFGA, Authzed, or Permify alongside, which is fine but adds a vendor.
Compliance breadth is narrower than Auth0: no FedRAMP, PCI DSS not directly attested, ISO 27001 yes. For consumer apps and most B2B SaaS this is fine; for federal workloads it isn't.
Adaptive MFA decisioning is less mature than Descope's no-code flow editor or Auth0's Actions-driven adaptive policies. Stytch's adaptive layer is improving but in 2026 it's still primarily rule-based rather than learned.
How Stytch compares
For B2C passkey-first apps, Hanko and Corbado are the closest competitors on adoption quality. For B2B SSO breadth, WorkOS and Frontegg are alternatives. For broader compliance footprint, Auth0 remains ahead. The most common direct comparisons are Auth0 vs Stytch and Stytch vs Descope.
Editorial changelog (2 entries)
- Capability matrix and pricing bands re-verified against the vendor's latest documentation and changelog.
- Updated to reflect Twilio acquisition (October 30, 2025). Status changed to 'acquired'; verdict and FAQ rewritten with post-acquisition positioning. Sources updated with link to Deepak Gupta's analysis of the deal.