[grinich]

I work at WorkOS / AuthKit.

We took the Heroku approach. All apps get a free *.authkit.app domain for the hosted login page.

AuthKit never has any WorkOS branding. Clerk puts "Powered by Clerk" on your login page unless you pay. This feels gross. Imagine if Heroku/Vercel were injecting ads into your app?!

AuthKit has free MFA. I believe everyone should get secure auth. Clerk charges to enable MFA. They also charge for passkeys and features like impersonation. Why?

Custom domains cost us $ to run (we pay Cloudflare) so we charge for this. It's also designed for commercial apps. The authkit.app is great for any hobby app.

[nextweek2]

This isn't a criticism but feedback from someone that is looking for a 3rd party auth service.

I am starting up my own business, I have spent some time evaluating AuthKit and I can't justify investing time on it. Specifically, I want to target small to medium sized companies that want SSO built into my services.

The fact that the auth would be at an *.authkit.app domain is disconcerting, users would think they have been click-jacked because they have left the domain they were expecting. Your comment about custom domains costing because of Cloudflare is strange given how much CF charge verses the $99 per month cost you charge, there seems to be a big order of magnitude difference, since under the Pro plan they charge 10c per additional domain. Perhaps you have additional services behind that, but it seems strange: https://www.cloudflare.com/en-gb/plans/ The "Powered By x" would actually be preferable, many people are used to seeing thing like that on payment screens.

Also, the SSO connectors being $125 per month per connection, rules out my target market. That is a lot in my market and it doesn't ease off as I grow, it's a fixed base cost. As I grow to 20-30 customers I'd be better off hiring a developer to implement the same features.

I get it that I am not the target market; that big businesses wouldn't bat an eyelid at that kind of costs. But for my purposes, I can't justify your costs. Good luck to you.

[grinich]

There are several open source options out there (several linked above) that could be a good fit for your business economics. I know lots of folks talk about Supabase and Auth.js on X.

If you have the time and patience, you can also certainly build it yourself. There's no miracles here, just complex engineering and solving a thousand edge cases.

If you decide to use open source, make sure you quickly update dependencies so you're always running latest. Ruby-SAML had a major vulnerability disclosed last month and thousands of apps were affected: https://workos.com/blog/ruby-saml-cve-2024-45409

[phaedrus13]

The Clerk branding is a non issue really. I mean, you just use the components and remove it with CSS lol, easy peasy. Although, I left it on one of my apps because I actually thought it made it look more secure but that's just me. My users aren't in the "know" so ymmv.

Splitting hairs, but the authkit.app domain basically is an ad no?

Yeah, I agree on the MFA and Passkeys. Impersonation is a toss up for me, I understand where they're coming from but also would be nice if it was in the free tier.

Looking at the authkit docs, unless I'm using Next or Remix... I need to store the refresh token, manage refreshing the access token, verify the access token, manage revoking the session and deleting the cookies. Clerk does all that for me so that's a win in my book (I understand you folks are working on more SDKs, so that'll be cool).

I don't doubt that Authkit is good, and I like seeing the competition. Clerk has been good to me for quite some time now. I've had to go into their Discord a few times for help and they were awesome, so that's kept me around even through the problems I've had. I've never felt like I was getting inferior support for being a free customer. I guess I'm more ride or die for Clerk than I thought lol.

But hey, to your credit you've convinced me to try out authkit on my next project so that's a win for you there. I'm always open to seeing what's out there.