Pick your auth service — 20 options across the five categories that decide most picks
Your auth choice is one of the highest-leverage decisions in any new build — the wrong pick costs you weeks of integration work and quarters of monthly bill. The directory filters by hosted SaaS / bundled / self-hosted / library, plus language, pricing, HIPAA eligibility, SSO/SAML readiness. Every entry gives you a one-line summary, a concrete best-for, an honest skip-this-if, and a paragraph of opinion.
12 SIDE-BY-SIDE COMPARISONS → TOP-5 DECISION HUB →Filter the list
Showing 20 of 20
Keycloak
Open-source Java-based IDP. Enterprise-grade self-hosted SSO + SAML, heavy to operate.
Auth.js (NextAuth)
Open-source library for Next.js, SvelteKit, SolidStart. Free, self-managed user database.
Better Auth
Newer TypeScript-first OSS auth library. Designed as the modern Auth.js alternative.
Authentik
Modern open-source self-hosted IDP. Python-based, lighter than Keycloak.
SuperTokens
Open-source self-hosted auth library. SDK-style integration, app-database-aware.
Lucia
Lightweight TypeScript auth library. Library-not-framework — minimal opinions, BYO everything.
Ory
Cloud-native open-source identity stack — Kratos (auth), Hydra (OAuth2), Keto (authorisation).
Clerk
TypeScript-first hosted auth with the cleanest developer experience in the category in 2026.
Supabase Auth
Postgres-native auth bundled with Supabase. Free, owned-data, integrates with RLS.
FusionAuth
Self-hosted auth from a US team. Lighter than Keycloak, paid for support, free for self-hosting.
Descope
Drag-and-drop auth flow builder for teams that want to compose passwordless flows visually.
WorkOS
B2B-only auth focused on enterprise SSO, SAML, SCIM. Not a B2C product.
Kinde
Newer hosted auth from the Australian team behind Canva-grade design polish.
Stytch
Passwordless-first hosted auth — magic links, SMS, biometric, embedded auth.
Magic
Passwordless link auth, web3 wallet integration, the original "no passwords" hosted product.
Auth0
matureThe enterprise hosted auth incumbent. Acquired by Okta in 2021. Mature, expensive, procurement-default.
Frontegg
B2B-focused hosted auth with self-service admin and entitlements built in.
Firebase Auth
Google's bundled auth — email, social, phone, anonymous. Generous free tier, locks you into Google.
AWS Cognito
Amazon's bundled identity service. Cheap at scale, complex to set up, AWS-locked.
Microsoft Entra ID
Microsoft's identity platform (formerly Azure AD). Enterprise default for Microsoft-shop B2B.
No services match your current filters.
How this directory is curated
This is not a scraped catalogue of every authentication library on GitHub. It is the 20 services worth knowing about in 2026 — picked because each one either belongs in your shortlist for a specific brief or is the answer-of-record for a specific procurement context (Microsoft-shop / AWS-shop / Red Hat-shop).
Star counts are approximate, refreshed each quarter. Closed-source / hosted-only products show closed. The HIPAA flag means a BAA is publicly available; the SSO/SAML flag means enterprise SSO and SAML are out of the box rather than premium-tier add-ons.
The auth choice is the easy half — your migration is the hard one
Picking the auth service is the easy half. The hard half is migrating user accounts off the old stack without breaking sessions, getting your team adopted, and surviving the SOC2 / HIPAA audit conversations. The 30-min call is the right starting place — describe your stack, your scale, your compliance constraints; I tell you what fits.