Engineering · 11 min read

Auth for SaaS in 2026: Clerk vs Auth0 vs Supabase vs build your own

An engineer's honest breakdown of auth for SaaS in 2026 — when Clerk wins, when Auth0 is overkill, when Supabase fits, and when building your own actually makes sense.

M H Tawfik
Founder · SoftWebGrove

Authentication is one of those features that looks like one afternoon and bills like a month. There are good reasons to use a managed provider in 2026, and good reasons to roll your own. The choice is more nuanced than the marketing makes it sound, and getting it wrong costs you in the corners of your product that customers actually notice.

This is the framework we walk founders through when we’re scoping a SaaS build. It draws on real production engagements across all four options.

You don’t build auth because it’s hard. You build auth because the off-the-shelf options don’t match the shape of your product. If they do, use them.

1. What “auth” actually covers in 2026

Founders use auth to mean one feature. Real auth is six:

  1. Authentication. Proving who the user is — email/password, OAuth, magic link, passkeys, SSO.
  2. Session management. Cookies, tokens, refresh logic, multi-device handling.
  3. Authorization (RBAC). What this user can do once they’re in.
  4. User management. Invitations, password resets, account deletion, audit logs.
  5. Organisations / teams. For B2B SaaS, the layer above users.
  6. Compliance surface. MFA, session timeouts, password rules, breach detection.

Anyone selling you "auth in 5 minutes" is selling you #1 and #2. The other four are where the work lives.

2. The four real options

Option | Best for | Setup time | Monthly cost (small SaaS) | Lock-in
--- | --- | --- | --- | ---
Clerk | B2B/B2C SaaS, Next.js / React-heavy stacks | < 1 day | $0 free, then $25 / first 1,000 MAUs | High UI, low data
Auth0 | Enterprise, regulated industries, custom flows | 2 – 4 days | $0 free, then $35+ / 1,000 MAUs | High overall
Supabase Auth | When you’re already on Postgres + Supabase | 1 – 2 days | Included in Supabase plan | Medium
Build your own | Highly custom flows, full data control, regulated industries with deep budget | 2 – 4 weeks | Hosting only | None

Two more honorable mentions worth considering: WorkOS (best-in-class for SSO, SAML, and enterprise B2B) and NextAuth / Auth.js (excellent for thin auth on top of your own database).

3. Clerk

A modern hosted auth provider that ships beautiful pre-built React components for sign-up, sign-in, organisations, and user profiles.

Where Clerk wins

  • Best-in-class developer experience for React/Next.js. Drop in <SignIn /> and you’re mostly done.
  • First-class B2B primitives. Organisations, invitations, roles, permissions — all built in.
  • Modern auth methods. Magic links, passkeys, social logins out of the box.
  • Great free tier. Up to 10,000 MAUs free in 2026.
  • Strong session model. Multi-device, refresh tokens, anomaly detection.

Where Clerk hurts

  • UI lock-in. Their pre-built components are the strength — until you need to deeply customise. Going off the rails is real work.
  • Data lives in Clerk. Your user records are theirs. Exporting later means migration work.
  • Cost climbs quickly past 10K MAUs. A 50,000-MAU SaaS pays Clerk ~$500–$800/mo — not crazy, but visible.
  • Less mature for non-React stacks. They support more than React, but the polish is React-first.

When Clerk is right

You’re building a React/Next.js B2B or B2C SaaS, you want auth + orgs + invitations + roles working in a day, and you can live with Clerk-owned user records.

4. Auth0

The enterprise default, now owned by Okta. The most mature, most configurable, most expensive of the hosted options.

Where Auth0 wins

  • SSO and SAML out of the box. Enterprise sales conversations get instantly easier.
  • Compliance attestations. SOC2, HIPAA, FedRAMP — their compliance is your compliance.
  • Custom flows via Actions. You can run arbitrary code in the auth pipeline.
  • Mature MFA, session, and breach detection.
  • Multi-tenant identity primitives for B2B-of-B2B products.

Where Auth0 hurts

  • Pricing is steep above the free tier. A 50,000 MAU SaaS often pays $1,500–$3,000/month on Auth0.
  • Configuration complexity. The dashboard is dense and unforgiving.
  • Developer experience is dated compared to Clerk or Supabase.
  • Lock-in is real. Migration off Auth0 is engineering weeks, not days.
  • The Okta acquisition has pushed pricing aggressively upward.

When Auth0 is right

You’re selling to enterprise, you need SSO/SAML/SCIM from day one, your compliance buyer specifically asks about your identity provider, and you have the budget to support it.

5. Supabase Auth

Auth that ships free as part of Supabase’s Postgres-as-a-service offering.

Where Supabase wins

  • Zero extra cost if you’re already using Supabase for your database.
  • Auth lives in your own Postgres. No migration if you ever leave Supabase — the user table is yours.
  • Row-level security integration. The tenant_id you authenticate becomes the basis for multi-tenant data isolation.
  • Good defaults. Email/password, OAuth, magic links, MFA.

Where Supabase hurts

  • B2B primitives are thinner. Organisations and team invitations require more custom work than Clerk gives you.
  • You’re committing to Supabase’s broader platform. Auth is excellent; you’ll find yourself using their storage, edge functions, and database tooling.
  • Less mature SSO/SAML story. Possible, but not as polished as Auth0 or WorkOS.
  • UI is bring-your-own. No pre-built components like Clerk.

When Supabase is right

You’re building on Postgres anyway, you want auth integrated tightly with your data, and you don’t need heavy enterprise SSO from day one. Bootstrapped or seed-stage SaaS, especially with smaller teams, often land here profitably.

6. Build your own

Roll auth in your own application, against your own database, using libraries like lucia-auth, next-auth / Auth.js, passport, or Devise.

Where rolling your own wins

  • Full data ownership. Users live in your tables. No third party.
  • No per-MAU cost. Hosting only.
  • Unlimited customisation. Auth flow does whatever you need.
  • Easier compliance posture for regulated industries that want full data control.

Where rolling your own hurts

  • Maintenance is forever. Security patches, library updates, edge cases.
  • The corners are work. Password reset emails, account lockout, breach detection, session security — each is a known feature and each is real engineering.
  • MFA is engineering, not configuration. TOTP libraries exist; integrating them safely is still 2–3 days.
  • You’ll write less-mature auth than Clerk or Auth0 spent thousands of engineering-hours building. Be honest about this.

When building your own is right

You’re in a regulated industry that requires full data control, your auth flow is genuinely unusual, or you have the engineering bandwidth and the discipline to maintain it forever. We’ve done this for a couple of our own products where the customisation pressure justified it.

Field note

We were asked once to add a custom auth flow to a Clerk-based SaaS. Two weeks in, we’d effectively rebuilt half of Clerk on top of Clerk. We pulled out and migrated the customer to a thin in-house auth instead. The lesson: if you’re fighting your auth provider, the provider isn’t the right one. Don’t bend a hosted service into shapes it doesn’t want.

7. The decision matrix

Your situation | Pick
--- | ---
Next.js B2B SaaS, want orgs + invites fast | Clerk
Enterprise sales from day one (SSO required) | Auth0 or WorkOS
Already on Supabase / Postgres | Supabase Auth
Highly custom flow, regulated, deep budget | Build your own
Pre-revenue prototype | Clerk free tier
10K+ MAU growth, watching costs | Supabase or build your own
Need SAML / SCIM specifically | WorkOS or Auth0
Adding auth to existing Node app | Auth.js (NextAuth)

8. The honest cost curve

For a B2B SaaS growing from 0 → 100K MAUs over two years:

MAUs | Clerk monthly | Auth0 monthly | Supabase monthly | Build-your-own monthly
--- | --- | --- | --- | ---
1,000 | Free | Free | Included | Hosting only (~$10)
10,000 | Free | ~$240 | Included | ~$25
25,000 | ~$300 | ~$700 | $25 + included | ~$50
50,000 | ~$650 | ~$1,800 | $25 + included | ~$100
100,000 | ~$1,500 | ~$3,500 | $25 + included | ~$200

These are 2026 list prices, before enterprise negotiation. The trend is clear: hosted providers are dramatically cheaper at small scale and meaningfully more expensive at large scale.

The break-even where rolling your own pays back the engineering investment is usually somewhere between 25K and 50K MAUs — assuming you would have spent those 2–4 weeks of engineering on something else valuable.

9. Migration paths

You will likely migrate auth providers at some point. Ranking the pain:

From | To | Difficulty
--- | --- | ---
Clerk | Auth0 | Hard (data export + flow rebuild)
Auth0 | Clerk | Hard
Supabase | anything | Easy-medium (users already in your DB)
Anything | build your own | Medium (one-time bulk import + flow rebuild)
Build your own | hosted | Hard (re-architecting auth flow)

The lesson: providers where the user data lives in your database (Supabase, build-your-own) are easiest to migrate from. Providers where data lives in their database (Clerk, Auth0) are stickier.

If you anticipate migration risk, prefer Supabase or build-your-own.

10. Compliance pressure

For SOC2, HIPAA, ISO 27001, GDPR, the auth choice intersects with your overall compliance posture:

  • SOC2 Type II. All four options work. Auth0 / Clerk give you their attestation; Supabase has its own; build-your-own requires you to demonstrate your controls.
  • HIPAA / BAA. Auth0 offers a BAA at the enterprise tier. Clerk has BAA support at higher tiers. Supabase has BAA on enterprise. Build-your-own is fine but requires more documentation.
  • GDPR. All four work. Data residency favours Supabase (EU regions) or build-your-own.

Pick the option that matches your compliance roadmap, not the one a blog post recommended.

11. The five auth decisions that cost real money

Independent of which provider you pick, get these right early. They’re expensive to retrofit.

  1. Email is the user identifier, not username. Username-based auth is a 2010-era choice that you’ll regret in 2027.
  2. Session length and refresh strategy. Default 7-day sessions with sliding refresh works for almost everyone.
  3. Email verification before allowing actions, not after. Otherwise you ship spammers a paying tier.
  4. MFA is optional in v1, but the primitive should be there. Adding the TOTP column to a million-row user table later is unpleasant.
  5. Organisations as first-class objects, not as a foreign key on user. Even if you launch single-user, the data model survives.
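The five decisions above, in code: the session rules behind decision 2 (7-day sessions with sliding refresh) and the gate behind decision 3, with the user, organisation and membership shape from decisions 1, 4 and 5 as types. This is an added TypeScript example for a Node/Next.js-style stack, not the article's code; the in-memory session store, the hourly extension threshold and the type and function names are assumptions.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Decision 2: 7-day sessions, extended on use (sliding refresh). Extending on
// every request would mean a DB write per request, so the expiry is only
// rewritten once the last extension is at least an hour old (assumed threshold).
const SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1000;
const EXTEND_AFTER_MS = 60 * 60 * 1000;

// Decisions 1, 4, 5 as they show up in the data model: email is the identifier,
// the TOTP secret column exists from v1 (null until enrolled), and
// organisations are their own table joined to users through memberships.
interface User { id: string; email: string; emailVerifiedAt: Date | null; totpSecret: Uint8Array | null }
interface Organisation { id: string; name: string }
interface Membership { orgId: string; userId: string; role: "owner" | "admin" | "member" }
interface Session { userId: string; expiresAt: number; lastSeenAt: number }

// In-memory stand-in for a sessions table (constructed for the example).
const sessions = new Map<string, Session>();

// Only the SHA-256 of the cookie value is stored, so a leaked sessions table
// does not hand out usable cookies.
function hashToken(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

function createSession(userId: string, now: number = Date.now()): string {
  const token = randomBytes(32).toString("hex");
  sessions.set(hashToken(token), { userId, expiresAt: now + SESSION_TTL_MS, lastSeenAt: now });
  return token;
}

// Returns the session for a cookie value, sliding its expiry forward when it is
// used, or null once 7 days have passed without use (the row is then deleted).
function resolveSession(token: string, now: number = Date.now()): Session | null {
  const key = hashToken(token);
  const s = sessions.get(key);
  if (!s) return null;
  if (now >= s.expiresAt) { sessions.delete(key); return null; }
  if (now - s.lastSeenAt >= EXTEND_AFTER_MS) {
    s.expiresAt = now + SESSION_TTL_MS;
    s.lastSeenAt = now;
  }
  return s;
}

// Decision 3: verification gates the action; unverified accounts never reach
// the paid tier, so spammers cannot sign up and immediately use it.
function canUsePaidFeature(user: User): boolean {
  return user.emailVerifiedAt !== null;
}
```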

12. The opinion in one paragraph

For a new B2B SaaS in 2026: start on Clerk if your stack is React/Next.js and you want orgs working in a day. Start on Supabase Auth if you’re already on Supabase and want auth that lives in your own Postgres. Start on Auth0 only if SSO/SAML is required from day one. Build your own only when your auth flow is genuinely unusual or you’re in a regulated industry with the budget to support it. The migration risk between these is bigger than the per-month cost difference at startup scale, so pick once and pick carefully.

If you’re weighing this and want a second opinion before you wire it in, tell us what you’re building. We’ll send notes within one business day — including which provider fits, and which we’d push back on.

FAQ

What’s the best auth provider for a Next.js SaaS in 2026? Clerk for B2B-shaped products with organisations, Supabase Auth if you’re already on Supabase, Auth0 only if SSO/SAML is a day-one requirement, build-your-own for highly custom flows.

How much does Clerk cost in 2026? Free up to 10,000 MAUs, then around $25 per 1,000 additional MAUs. A 50K MAU SaaS pays ~$650/month.

Is Auth0 still worth it in 2026? For enterprise sales with SSO/SAML/SCIM requirements, yes. For B2B SaaS without those needs, it’s often overkill and overpriced compared to Clerk or Supabase.

Should I roll my own auth? Rarely. The exceptions: highly custom flows, regulated industries with full-data-control requirements, or post-50K MAU scale where the per-MAU pricing of hosted options compounds. See section 6.

Does Supabase Auth scale to enterprise? Yes, but SSO/SAML is less polished than Auth0 or WorkOS. For enterprise B2B with heavy identity requirements, combine Supabase with WorkOS for SSO.

How long does auth integration take? Half a day to one day for Clerk in a new project. Two to four days for Auth0. One to two days for Supabase. Two to four weeks for a credible build-your-own.

Want a second opinion before you wire in auth? Tell us what you’re building and we’ll send notes within one business day.
