WorkOS
Last verified 2026-04-22 · Reviewed by guptadeepak
Editorial verdict
WorkOS is the strongest B2B-first CIAM in 2026 by deliberate scope choice: every product surface assumes the buyer is selling to enterprise IT, not to consumers. AuthKit's 1M MAU free tier makes it a credible Auth0 alternative for B2B SaaS that doesn't need adaptive risk or B2C consumer flows. For pure B2B SSO, SCIM, and audit logs, WorkOS is hard to beat at any price point.
At a glance
- Best for: B2B SaaS that wants Enterprise SSO, SCIM, and audit logs without paying enterprise prices
- Pricing: per-organization
- Free tier: 1,000,000 MAU
- Deployment: cloud-saas
- SOC 2 Type II: Yes
- Passkeys: Native
- Self-host: No
- Open source: No
Funding & business
- Funding model: Venture-backed
- Total raised: $100M
- Latest round: Series B · $80M · 2022
- Years in business: 7 yrs
- Round led by: Greenoaks
- Profitable: Not disclosed
Enterprise-readiness APIs (SSO, SCIM, audit logs); $80M Series B in 2022 alongside the Modulz acquisition.
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- B2B-first by design: Organizations, Enterprise SSO with SAML/OIDC, SCIM Directory Sync, and audit logs are first-class, not bolt-ons.
- AuthKit free up to 1M MAU is the most generous free tier in the developer-first tier and a credible Auth0 alternative for B2B SaaS.
- FGA (Zanzibar-style fine-grained authorization) shipped in 2024, competitive with Auth0 FGA for new B2B SaaS authz.
- Strong DX with idiomatic SDKs across major languages and a Terraform provider.
Limitations
- B2C-grade features are weaker: no progressive profiling, no native bot detection, no adaptive MFA.
- Compliance breadth is narrower than Auth0's: no FedRAMP, no PCI DSS direct attestation.
- Adaptive / risk-based MFA decisioning is rudimentary compared to Descope or Auth0.
- MCP / agentic identity is partial: no first-class agent token model in 2026.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | WorkOS |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | No |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | No |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Yes |
| Passwordless-only flows | Yes |
| Adaptive MFA | No |
| Step-up auth | Partial |
| RBAC | Yes |
| ABAC | Partial |
| ReBAC | Yes |
| FGA engine | Yes |
| API authorization | Yes |
| Fine-grained permissions | Yes |
| Self-service registration | Yes |
| Progressive profiling | No |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, next, python, go, ruby, php, java, dotnet, kotlin |
| CLI | No |
| Terraform provider | Yes |
| Local emulator | No |
| Extension model | Webhooks |
| Bot detection | No |
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | Partial |
| Log streams | Yes |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Partial |
| Post-quantum roadmap | No |
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | Yes |
| Agent vs human token separation | No |
| Web Bot Auth | No |
| SOC 2 Type II | Yes |
| ISO 27001 | Yes |
| ISO 27018 | No |
| HIPAA | Yes |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |
| Consent management | No |
| Preference center | No |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| MAU | Estimated cost |
|---|---|
| 10,000 MAU | $0/mo |
| 100,000 MAU | $0/mo |
| 500,000 MAU | $1,500/mo |
| 1,000,000 MAU | $3,500/mo |
- Free up to 1M MAU on AuthKit (the auth product); pricing kicks in for advanced features
- Enterprise SSO connections billed per-org per-month at standard rate
- Audit Log API and Directory Sync (SCIM) priced separately
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- B2B SaaS that wants Enterprise SSO, SCIM, and audit logs without paying enterprise prices
- Teams switching off Auth0 below 1M MAU specifically for cost
- Apps where the buyer is the IT admin, not the end user
Not for
- Consumer (B2C) apps with progressive profiling, bot defense, and adaptive risk needs
- Workloads requiring FedRAMP or PCI DSS
- Self-hosted deployments
FAQ
- How is WorkOS different from Auth0?
  - WorkOS is built B2B-first; Auth0 is broader. WorkOS Organizations, Enterprise SSO, SCIM Directory Sync, and audit logs are first-class products, not bolt-ons. Auth0 covers more ground (B2C consumer flows, broader compliance, adaptive MFA) but at materially higher cost for B2B-only use cases below 1M MAU.
- What does WorkOS cost?
  - AuthKit (the auth product) is free up to 1M MAU. Pricing kicks in for advanced features (Enterprise SSO connections, Directory Sync (SCIM), Audit Logs, FGA), billed per-org or per-call. For a B2B SaaS at 100k MAU with 20 enterprise customers, expect $500–$1,500 per month.
- Does WorkOS support B2C consumer auth?
  - Technically yes, but the product is not designed for it. Missing pieces: progressive profiling, native bot detection, adaptive risk MFA, and B2C-grade fraud signals. For consumer apps, look at Auth0, Stytch, Descope, or MojoAuth.
Sources
- WorkOS Pricing, accessed 2026-04-22
- WorkOS Documentation, accessed 2026-04-22
What WorkOS is
WorkOS launched in 2019 with a tight scope: make it easy for SaaS apps to support enterprise customers. The product line maps to the SOC 2 / IT-admin checklist: Single Sign-On, Directory Sync (SCIM), Audit Logs, and MFA, sold as a coherent set of APIs. AuthKit, the user-facing auth product, was added in 2024 and sits on top of the same Organizations model. The buyer is the engineering team at a B2B SaaS that needs to ship enterprise features without building them.
Where WorkOS wins
The B2B-first stance is the differentiator. Every feature assumes the customer is an organization, not a consumer: Organizations are first-class objects, SSO connections live per-organization, and audit logs are queryable per-organization. The model maps cleanly to how B2B SaaS actually sells, and the docs are written for the engineer who has just been told by sales that a $50k contract requires SAML SSO by Friday.
AuthKit's free tier (1M MAU) is the most generous in the developer-first segment and changes the math on Auth0 alternatives. For a B2B SaaS under 1M MAU that doesn't need consumer flows, the underlying auth is effectively free; only the enterprise add-ons (SSO, Directory Sync, Audit Logs, FGA) are billed.
WorkOS FGA, shipped in 2024, brings Zanzibar-style fine-grained authorization to the platform. For B2B SaaS designing role-based and resource-based permissions, this removes the need for a separate authz vendor.
Where WorkOS hurts
The flip side of B2B-first is that B2C-grade features are weaker or missing. There's no progressive profiling, no native bot detection, no adaptive risk-based MFA. For a consumer app at scale, these gaps matter; for B2B SaaS where the IT admin enforces MFA centrally, they don't.
Compliance breadth is narrower than Auth0's: no FedRAMP, no PCI DSS direct attestation. ISO 27001 and SOC 2 Type II are in place. Most B2B SaaS sales cycles don't ask for FedRAMP, but federal or fintech buyers do.
Agentic identity / MCP is not yet first-class. OAuth 2.1 and Dynamic Client Registration are supported, but there is no scoped agent token model or web bot auth.
How WorkOS compares
The most direct comparisons are WorkOS vs Frontegg and Auth0 vs WorkOS. For broader B2C + B2B coverage, Auth0, Stytch, and Descope are the credible alternatives. For modern enterprise CIAM with strong B2B SSO at lower price points, SSOJet and MojoAuth deserve evaluation.
Editorial changelog (1 entry)
Profile reviewed: capabilities, pricing, and verdict checked against current public sources.
