Replacing Auth0: Self-Hosted and Open-Source Alternatives
Auth0 and Okta CIAM pricing compounds fast above 10k MAU. Here are the alternatives I deploy, a migration playbook, and what to watch out for with SOC 2.
By Andrii Votiakov on
Auth0 is the easy choice when you're small. Sign up, paste in the SDK, ship it. Then your MAU grows, you add a second app, someone turns on MFA — and suddenly you're looking at a $5-15k/month invoice for something that is, underneath it all, a database with an OAuth wrapper. That's when people start asking whether there's a better option.
Quick answer
Above roughly $5,000/month in Auth0 or Okta CIAM spend, a self-hosted or cheaper-SaaS auth stack is almost always worth evaluating. Supabase Auth and Clerk solve the "managed, no-ops" need at a fraction of the cost. Keycloak and Ory Kratos solve the "I want full control" need. Which one fits depends on your team's ops capacity and your compliance requirements.
When does Auth0 pricing tip over?
Auth0 pricing is MAU-based with steep tier jumps. The Professional plan starts at around $240/month for 1,000 MAU. At 10,000 MAU you're at roughly $1,500/month. At 50,000 MAU you're in enterprise territory — and enterprise territory means a sales call, not a price page.
Okta CIAM is similar. The public pricing disappears above about 15,000 MAU, and what I've seen from clients is $0.05-0.15 per MAU per month, plus add-ons for MFA, passwordless, and enterprise SSO features.
The compounding factors:
- SAML/enterprise SSO — often a separate paid add-on ($2k+/month on Auth0's Professional plan)
- Custom domains — paid
- Machine-to-machine tokens — priced per token, not MAU; easy to run up
- MFA beyond SMS — often a higher tier
If you're doing B2B SaaS and offering SSO to customers, you'll hit the expensive tier faster than you expect. I've seen companies at 20,000 MAU paying $8,000/month once enterprise SSO is factored in.
The alternatives
Supabase Auth
Best fit when you're already on Supabase, or want a fully managed option with a generous free tier and predictable pricing. Supabase Auth covers email/password, magic links, OAuth social providers, and phone/OTP. SAML SSO is available on the Team plan ($25/month flat, not per-MAU).
What it doesn't do well: it's tightly coupled to the Supabase ecosystem. If you're not on Postgres and don't want to be, it's not the right call.
Clerk
Clerk is the "we designed this for developer experience" option. Great embeddable UI components, solid Next.js / React integrations, decent pricing up to ~50k MAU. Clerk charges per MAU but at lower rates than Auth0, and includes enterprise SSO on paid plans without punishing add-on pricing.
Trade-off: Clerk is still SaaS. You're not escaping vendor dependency; you're trading an expensive vendor for a cheaper one. That's often the right move — just know what you're getting.
Keycloak
Keycloak is the self-hosted workhorse. Red Hat backs it, it has been around since 2014, and it handles SAML, OIDC, LDAP/AD federation, MFA, social login and fine-grained authorisation — the whole picture.
Running cost: a couple of containers, a Postgres database, a load balancer. Call it $150-400/month depending on HA requirements.
The cost you don't see: Keycloak's admin UI is not pleasant. Configuration is XML-heavy in places, and the documentation assumes you already know OAuth and SAML inside-out. I'd estimate 2-4 weeks to stand up a solid, production-ready Keycloak deployment, plus one engineer who knows it on an ongoing basis.
That said, for B2B SaaS companies offering SSO to enterprise customers, Keycloak saves $3-10k/month compared to Auth0 Enterprise. That math is very clear.
Ory Kratos + Ory Hydra
Ory is the developer-native option. Kratos handles identity (registration, login, account recovery, MFA). Hydra handles OAuth2 and OIDC. Both are headless — no default UI, you build your own flows. That's the point: full control over every screen, every flow, every token.
If you have strong frontend engineering capacity and care deeply about UX ownership, Ory is the right architecture. If you want it to "just work" with minimal implementation, it's probably not.
Authentik
Authentik is the sleeper pick. Self-hosted, supports SAML + OIDC + LDAP + RADIUS, has a cleaner admin UI than Keycloak, and ships as a Docker Compose stack or Helm chart. It's particularly good as a self-hosted SSO proxy in front of internal tools — replace your $2k/month Okta SSO with a $50/month VM running Authentik.
Worth evaluating if Keycloak feels like overkill for your use case.
The migration playbook
Week 1: Audit your current Auth0 usage
Before writing a line of code, understand what you're actually using:
- How many applications are registered in Auth0?
- Which OAuth flows are in use (Authorization Code, PKCE, Client Credentials, Device Flow)?
- Are you using Auth0 Actions or Rules? These are the migration headache — they're custom JS logic that runs in Auth0's pipeline.
- Do you have SAML integrations with enterprise customers? Get the list now.
- Are you using Auth0's Universal Login (hosted UI) or a custom login page?
Week 2-3: Stand up the replacement
Deploy your chosen alternative in a staging environment. Map your current Auth0 configuration: social providers, callback URLs, token lifetimes, MFA policies.
For Keycloak: set up realms, clients, identity providers, and authentication flows that mirror your Auth0 setup. Test each OAuth flow against your staging environment before touching production.
For Supabase Auth / Clerk: mostly config — connect social providers, set up custom domain, test email templates.
Week 3-4: Migrate users
This is the sensitive part. Auth0 can export users, but passwords come out hashed with Auth0's algorithm, not in plaintext — so you can't simply re-import them anywhere else.
Two approaches:
- Forced re-registration: Works for low-traffic or internal tools. Send users an email, force password reset at next login.
- Just-in-time migration: At login, check if the user exists in the new system. If not, validate credentials against Auth0 via their Management API, import the user, and hash their password in the new system. Transparent to users, no bulk migration needed.
JIT migration is the right call for most production apps. It requires keeping Auth0 running (read-only, no new signups) during the transition period — typically 30-60 days until the long-tail users have migrated.
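The JIT approach above, as an added example that is not code from the post or from any of the products mentioned. It assumes a hypothetical legacy_verify callable standing in for the old provider's credential check, an in-memory dict as the new user store, and PBKDF2-HMAC-SHA256 from the standard library as the new system's password hash (pick whatever your chosen platform uses). The one detail worth copying is the ordering: once a user exists locally, the legacy system is never consulted again, so a password rotated in the new system cannot be bypassed with stale legacy credentials.

```python
"""Just-in-time user migration: added example, not the post's own code.

Assumptions (not from the post): `legacy_verify` wraps the old provider's
read-only credential check; the new store is an in-memory dict; PBKDF2 is the
new system's password hash.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your latency budget


@dataclass
class LocalUser:
    email: str
    salt: bytes
    pw_hash: bytes
    source: str  # "native" or "migrated"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (stand-in for your platform's hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_local(user: LocalUser, password: str) -> bool:
    """Constant-time comparison so timing does not leak hash bytes."""
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


# Hypothetical legacy verifier: returns a profile dict on valid credentials, else None.
LegacyVerifier = Callable[[str, str], Optional[dict]]


class JitMigrator:
    def __init__(self, legacy_verify: LegacyVerifier) -> None:
        self.users: Dict[str, LocalUser] = {}
        self.legacy_verify = legacy_verify

    def login(self, email: str, password: str) -> str:
        """Return 'local', 'migrated' or 'denied'."""
        email = email.strip().lower()
        local = self.users.get(email)
        if local is not None:
            # Local record wins: never fall back to the legacy system for a user
            # who already exists here, otherwise a rotated password could be
            # undone with the old credentials.
            return "local" if verify_local(local, password) else "denied"
        profile = self.legacy_verify(email, password)
        if profile is None:
            return "denied"
        # Credentials were valid in the legacy system: create the local record now,
        # hashing the password the user just presented. No bulk export needed.
        salt = secrets.token_bytes(16)
        self.users[email] = LocalUser(email, salt, hash_password(password, salt), "migrated")
        return "migrated"

    def migrated_fraction(self, legacy_total: int) -> float:
        """Share of legacy users already migrated; use it to time decommissioning."""
        migrated = sum(1 for u in self.users.values() if u.source == "migrated")
        return migrated / legacy_total if legacy_total else 0.0


# Constructed sample legacy directory; a real one lives behind the old provider's API.
LEGACY_USERS = {"alice@example.com": "correct horse battery staple"}


def fake_legacy_verify(email: str, password: str) -> Optional[dict]:
    """Constructed stand-in for the legacy provider's credential check."""
    stored = LEGACY_USERS.get(email)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return {"email": email, "name": "Alice"}
    return None


if __name__ == "__main__":
    m = JitMigrator(fake_legacy_verify)
    print(m.login("alice@example.com", "correct horse battery staple"))  # migrated
    print(m.login("alice@example.com", "correct horse battery staple"))  # local
    print(m.migrated_fraction(len(LEGACY_USERS)))
```

Keep the legacy verifier pointed at a read-only tenant during the window, and log the `migrated_fraction` daily; when the curve flattens you have found the long tail and can decide when to force a reset for whoever is left.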
Week 5-6: Cut over
Update your app's auth SDK config to point at the new issuer URL. For OIDC, this usually means updating the ISSUER, CLIENT_ID, and CLIENT_SECRET env vars.
Run your existing test suite against the new auth layer. Smoke-test every login path: email/password, each social provider, MFA, magic link, enterprise SSO if applicable.
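An added example of the checks the app side should make after the cutover; it is not code from the post or from any provider's SDK. It assumes the three env var names above, a Keycloak-style issuer URL chosen here as a constructed sample, and that JWT signature verification against the new issuer's JWKS has already happened before these claim checks run. The point it makes beyond the paragraph: the issuer comparison is an exact string match, so tokens still cached from the old tenant, and a trailing-slash mismatch between old and new issuer values, both get rejected rather than silently accepted.

```python
"""Post-cutover OIDC config loading and claim checks (added example, not the post's code).

Assumptions: env vars ISSUER / CLIENT_ID / CLIENT_SECRET as named in the post;
signature verification happens elsewhere, before claim_problems() is called.
"""
import os
import time
from dataclasses import dataclass
from typing import Any, List, Mapping, Optional


@dataclass(frozen=True)
class OidcConfig:
    issuer: str
    client_id: str
    client_secret: str

    @property
    def discovery_url(self) -> str:
        # OIDC Discovery publishes metadata at <issuer>/.well-known/openid-configuration
        return self.issuer.rstrip("/") + "/.well-known/openid-configuration"


def load_oidc_config(env: Mapping[str, str] = os.environ) -> OidcConfig:
    """Fail fast at startup if the cutover config is incomplete or insecure."""
    missing = [k for k in ("ISSUER", "CLIENT_ID", "CLIENT_SECRET") if not env.get(k)]
    if missing:
        raise ValueError(f"missing env vars: {', '.join(missing)}")
    issuer = env["ISSUER"]
    if not issuer.startswith("https://"):
        raise ValueError("ISSUER must be an https URL")
    return OidcConfig(issuer, env["CLIENT_ID"], env["CLIENT_SECRET"])


def claim_problems(claims: Mapping[str, Any], cfg: OidcConfig,
                   now: Optional[float] = None) -> List[str]:
    """Return a list of reasons to reject the token; empty list means accept."""
    now = time.time() if now is None else now
    problems: List[str] = []
    # Exact match: a token from the old tenant, or an issuer value that differs
    # only by a trailing slash, must not be accepted.
    if claims.get("iss") != cfg.issuer:
        problems.append(f"issuer mismatch: {claims.get('iss')!r} != {cfg.issuer!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if cfg.client_id not in aud_list:
        problems.append("audience does not include our client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or missing exp")
    return problems


# Constructed sample values; the issuer shape follows Keycloak's realm URLs.
STAGING_ENV = {
    "ISSUER": "https://auth.example.com/realms/app",
    "CLIENT_ID": "web-app",
    "CLIENT_SECRET": "not-a-real-secret",
}
NEW_TOKEN = {"iss": "https://auth.example.com/realms/app", "aud": "web-app",
             "exp": 2_000_000_000}
# Constructed stand-in for a token minted by the old tenant before cutover.
STALE_TOKEN = {"iss": "https://old-tenant.example/", "aud": "web-app",
               "exp": 2_000_000_000}


if __name__ == "__main__":
    cfg = load_oidc_config(STAGING_ENV)
    print(cfg.discovery_url)
    print(claim_problems(NEW_TOKEN, cfg))    # []
    print(claim_problems(STALE_TOKEN, cfg))  # issuer mismatch
```

Run `claim_problems` in the same place your SDK hands you verified claims, and add the stale-issuer case to the smoke test list: it is the one path a green login test does not exercise, because every fresh login already comes from the new issuer.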
Week 7+: Decommission
Keep Auth0 in read-only mode for 30 days. Then cancel.
SOC 2 considerations
This is the question I get asked most during auth migrations: "Won't replacing Auth0 hurt our SOC 2?"
The answer is nuanced. Auth0 has SOC 2 Type 2 attestation, which makes it easy to tick the box in a vendor security review. When you self-host, you're now responsible for the controls Auth0 was covering — encryption at rest, access logging, incident response for the auth layer.
Keycloak and Ory don't come with attestations. What they do: they give you the controls. You just have to implement and document them. If you're already running SOC 2, you have the processes — this is adding auth to your existing scope, not starting from scratch.
For companies going through their first SOC 2, I'd think carefully before self-hosting auth at the same time. Supabase and Clerk both have SOC 2 Type 2, so they're a clean swap from a compliance perspective. Authentik is working towards it. Keycloak/Ory don't have it and won't — it's your responsibility when self-hosting.
What you give up
Honest list:
- Managed security updates. You're now responsible for patching Keycloak/Ory.
- SDKs and docs. Auth0's developer experience is genuinely good. Keycloak's docs are dense.
- Auth0 Actions / Rules. Custom logic has to be ported or rebuilt in your app layer.
- Automatic bot detection. Auth0 Adaptive MFA and attack protection. Self-hosted replacements exist but need configuration.
What you gain
- Flat monthly cost. No MAU surprises.
- Enterprise SSO without the price shock. Keycloak's SAML support is production-grade.
- Data sovereignty. User data stays in your infrastructure.
- No vendor lock-in on user data. You own the database.
Realistic numbers
Recent client — B2B SaaS, ~35,000 MAU, 12 enterprise customers with SAML SSO:
- Auth0 Enterprise: $7,200/month
- Migration target: Keycloak on EKS (3 pods, HA Postgres RDS)
- Compute + DB: ~$280/month
- 3 weeks migration engineering (one-time): ~$9,000
- Ongoing ops (0.5 hours/week): ~$250/month equivalent
Total ongoing: $530/month. Saving: $6,670/month, $80k/year. Migration paid back in 5 weeks.
The SAML integrations took the longest — re-configuring 12 enterprise SSO connections took about a week. The JIT user migration ran cleanly; 94% of users migrated within 3 weeks.
For the full build-vs-buy framework that applies to auth and every other SaaS category, the build-vs-buy post is worth reading first.
If you want help running the numbers on your auth spend and whether migration makes sense for your setup, book a call.