Ask HN: What do you use for user management/IAM in your SaaS app?
4 comments
Hi! I have a side project (that I haven't infiltrated with Claude Code yet, lol) that I need to dust off and get back to work on. It's essentially a B2B SaaS product where I needed to solve the usual suspects: multi-tenancy, SSO, RBAC, passkeys, sessions, and letting customers self-configure their IAM. Since it's a side project and I'm not paying for anything yet, I went ahead and integrated with WorkOS.
My project is built in Elixir, so I implemented the flows where my application has no login screen UI. I just push all unauthenticated users straight to WorkOS. WorkOS and their AuthKit (hosted login page) handles the heavy lifting (User/Pass, Passkey, MFA, SSO, etc) and sends them back to my application with a JWT. I check if the user exists, and if not, just-in-time provisioning kicks in on my side and we're done. Tenant identified, and tenant user authenticated all wrapped up in a single JWT.
Why WorkOS?
Simple... I don't want to be responsible for any authentication headaches. I don't want to self-host or duct tape a bunch of different components together. I'd rather put as much of that control in the client's hands (or WorkOS's if they don't have their own IAM). Plus, I like what WorkOS offers. Documentation is solid, though I still need to figure out their Fine Grained Authorization (FGA) product, formerly known as Warrant. In the end, nothing lives on my side except workos_tenant_id, workos_user_id, and my application data. The tenant has full control over their IAM, all the features of WorkOS via their own admin panel and ultimately who can access my SaaS application.
How's it going so far?
I have exactly zero customers except my development tenant. Everything works as expected so far. Maybe I'll have a different story when I get a customer willing to foot the bill for all the WorkOS bells and whistles in production. But implementation has been smooth, and AuthKit works great for dev/testing as a hosted login page, one-click testing SSO flows, etc.
If I had to re-implement, would I still choose WorkOS?
I probably would've done the same deep research you're doing, hoping to find that needle in a haystack. As a bootstrap developer, I'd try to avoid the paid options and figure out the open source/roll-your-own route. But if I had a plan to afford the paid ones, I'd probably evaluate WorkOS against other paid options properly.
My project is built in Elixir, so I implemented the flows where my application has no login screen UI. I just push all unauthenticated users straight to WorkOS. WorkOS and their AuthKit (hosted login page) handles the heavy lifting (User/Pass, Passkey, MFA, SSO, etc) and sends them back to my application with a JWT. I check if the user exists, and if not, just-in-time provisioning kicks in on my side and we're done. Tenant identified, and tenant user authenticated all wrapped up in a single JWT.
Why WorkOS?
Simple... I don't want to be responsible for any authentication headaches. I don't want to self-host or duct tape a bunch of different components together. I'd rather put as much of that control in the client's hands (or WorkOS's if they don't have their own IAM). Plus, I like what WorkOS offers. Documentation is solid, though I still need to figure out their Fine Grained Authorization (FGA) product, formerly known as Warrant. In the end, nothing lives on my side except workos_tenant_id, workos_user_id, and my application data. The tenant has full control over their IAM, all the features of WorkOS via their own admin panel and ultimately who can access my SaaS application.
How's it going so far?
I have exactly zero customers except my development tenant. Everything works as expected so far. Maybe I'll have a different story when I get a customer willing to foot the bill for all the WorkOS bells and whistles in production. But implementation has been smooth, and AuthKit works great for dev/testing as a hosted login page, one-click testing SSO flows, etc.
If I had to re-implement, would I still choose WorkOS?
I probably would've done the same deep research you're doing, hoping to find that needle in a haystack. As a bootstrap developer, I'd try to avoid the paid options and figure out the open source/roll-your-own route. But if I had a plan to afford the paid ones, I'd probably evaluate WorkOS against other paid options properly.
Hey I'm the founder of WorkOS.
Glad things are working well for you. If you have any feedback/ideas, I would love to hear them. Thanks! [email protected]
Glad things are working well for you. If you have any feedback/ideas, I would love to hear them. Thanks! [email protected]
Hi! I'm biased as one of the Stytch founders but wanted to share my POV in case it's helpful. As others mentioned, any of the open source options are not going to be low management overhead, but can be great in terms of cost and flexibility. I worked with Keycloak in a previous role and I think it's a really great option if you do go the open source route, just be prepared to spend time managing it.
> True multitenancy Many of the paid options you mentioned (workos, clerk, etc same goes for auth0) aren't actually multitenant, they've tacked on a concept of organizations to a user first data model. This presents some limitations as a result of users as the first class entity versus organizations, for example, membership across multiple organizations with different auth requirements (ie I can log into my personal with sign in with email/google but to log into a company account I need 2fa or SSO), multiple SSO connections per organization or a single SSO connection across multiple organizations (both common in enterprises where there's lots of M&A).
Happy to go into more detail on any of this or answer any specific questions you have!
> True multitenancy Many of the paid options you mentioned (workos, clerk, etc same goes for auth0) aren't actually multitenant, they've tacked on a concept of organizations to a user first data model. This presents some limitations as a result of users as the first class entity versus organizations, for example, membership across multiple organizations with different auth requirements (ie I can log into my personal with sign in with email/google but to log into a company account I need 2fa or SSO), multiple SSO connections per organization or a single SSO connection across multiple organizations (both common in enterprises where there's lots of M&A).
Happy to go into more detail on any of this or answer any specific questions you have!
Feels like you might be overthinking this. Most of the tools you listed already cover 90% of what you’re asking for. If you’re starting a SaaS from scratch and haven’t got a single user yet, sinking too much time into picking the “perfect” auth solution will slow you down more than making a “wrong” choice ever will. The bigger risk is not shipping at all.
I’ve worked with Supabase, Clerk, Keycloak, and Kratos on different projects. None of the open-source options truly deliver on “low management overhead”. You’ll always have to deal with updates, patches, and some manual babysitting.
If you refuse to compromise on your feature list, your realistic options shrink fast. In that case, Zitadel is a solid choice, but be ready for higher costs from day one. My advice is to trim the must-have list, go with a managed service, get real users, and revisit the decision when scale actually becomes a problem.
I’ve worked with Supabase, Clerk, Keycloak, and Kratos on different projects. None of the open-source options truly deliver on “low management overhead”. You’ll always have to deal with updates, patches, and some manual babysitting.
If you refuse to compromise on your feature list, your realistic options shrink fast. In that case, Zitadel is a solid choice, but be ready for higher costs from day one. My advice is to trim the must-have list, go with a managed service, get real users, and revisit the decision when scale actually becomes a problem.
1. True multitenancy - Concept of users/organisations 2. SAML/OIDC/Active Directory connect 3. Multi-factor authentication 4. RBAC/ABAC access control model 5. Session management 6. Social sign-on 7. Low management overhead 8. Modern UI/UX
I want to optimise for the lowest total cost of ownership over 3+ years, and aim for 10-50k users. The market is filled with IAM products, some of them are:
1. Keycloak (OpenSource) 2. Supertokens (OpenSource with paid plans) 3. Supabase (OpenSource with paid plans) 4. Authelia (OpenSource with paid plans) 5. Authentik (OpenSource with paid plans) 6. Logto (OpenSource with paid plans) 7. Clerk (Paid) 8. Zitadel (OpenSource with paid plans) 9. FusionAuth (OpenSource with paid plans) 10. Stytch (Paid) 11. WorkOS (Paid) 12. Ory Kratos (OpenSource with paid plans)
Every time I ask Gemini/Claude/ChatGPT/... to do a deep-research and give me one recommendation for a tool from here, I get a different answer, with different rationale. I have also read so many articles for both very high praise and very staunch criticisms of all of these tools. With so many options around, which one do you choose, why, and how is that decision coming along so far? Thank you.