Stack Auth Vs Keycloak
Open-source CIAM comparison: Stack Auth (now Hexclave) for Next.js DX vs Keycloak (CNCF) for enterprise self-hosted IAM. Pricing, features, limits, when to pick each.
Pricing
Contact Sales
freemium
Category
auto-detected
0 features tracked
Quick Links
Overview
Stack Auth vs Keycloak is a decision between two open-source identity approaches that solve different jobs. Stack Auth (rebranded to Hexclave) is a YC S24 open-source Auth0/Clerk-style platform: drop-in React/Next.js components, teams, RBAC, webhooks, optional payments/emails/analytics apps, plus managed cloud or self-host. Keycloak is a mature CNCF incubating IdP (Apache 2.0): full SSO, OIDC/OAuth 2.0/SAML, LDAP/AD federation, identity brokering, themes, authorization services, and multi-cluster ops—you run it (or buy Red Hat’s supported build).
Stack Auth / Hexclave: hexclave.com · pricing hexclave.com/pricing · docs docs.stack-auth.com / docs.hexclave.com · GitHub github.com/hexclave/hexclave. Keycloak: keycloak.org · downloads keycloak.org/downloads · docs documentation · GitHub github.com/keycloak/keycloak (~35k+ stars; 26.7.x line in mid-2026).
The founders’ framing on Hacker News still holds: Stack is to Keycloak/Ory what Clerk is to Auth0—modern DX and productized user infrastructure versus a general-purpose enterprise IAM server. Choose by where identity lives (your app’s user layer vs organization-wide IdP), ops appetite, and protocol depth—not by “which has more GitHub stars.”
Naming note: Stack Auth rebranded to Hexclave. APIs, dashboards, and legacy @stackframe/* packages still work; new packages are @hexclave/next, @hexclave/react, @hexclave/js. Community and search still say “Stack Auth,” so this profile uses both names.
Key features
Stack Auth (Hexclave)
- Productized auth UI — Prebuilt
SignIn,SignUp,UserButton, account settings, team switchers; setup wizard vianpx @stackframe/stack-cli@latest init(legacy) or Hexclave CLI. Strong Next.js App Router focus (docs note Pages Router is not supported on the Stack path). - Auth methods — Email/password, magic links/OTP, social OAuth (Google, GitHub, Microsoft, Apple, Discord, and others), passkeys, TOTP 2FA. Hosted or handler-style auth pages; config can live in a declarative project config synced with the local dashboard.
- Teams & RBAC — Multi-tenant teams, invitations, team-level and project-level permissions with hierarchical nesting. Closer to “SaaS orgs” than Keycloak realms-by-default.
- Platform apps — Dashboard-enabled modules: API keys, emails, teams, RBAC, webhooks, analytics, session replays/clickmaps, fraud protection, data vault, payments (Stripe), launch checklist, Vercel integration. Auth is the core; the platform expands into user infrastructure.
- Open source + managed — Client SDKs MIT; server AGPLv3 with commercial license options. Self-host for free or use managed cloud (no lock-in story marketed heavily vs pure SaaS CIAM).
- Migrations — Public positioning includes password-preserving imports from Clerk, Auth0, Firebase Auth, and Supabase Auth (confirm current importers in docs for your source).
- Tokens — ES256 JWTs with JWKS for verification; REST API near parity with SDK for polyglot backends (Python examples use HTTP against the API).
Keycloak
- Standards-first IdP — OpenID Connect, OAuth 2.0, SAML 2.0. Single sign-on and single logout across many apps—not only one product’s frontend components.
- Identity brokering & social — Admin-console configuration for social IdPs and external OIDC/SAML providers without app code changes.
- User federation — Built-in LDAP and Active Directory; custom user storage SPIs for other directories or databases.
- Admin & account consoles — Central admin for realms, clients, roles, flows, sessions; end-user account console for profile, password, 2FA, linked identities.
- Authorization services — Fine-grained authorization beyond basic roles when RBAC is not enough (policies, permissions managed from the console).
- Extensibility — Themes, custom authenticators, SPI plugins, Quarkus-based distribution, Operator/container deploys, clustering and (preview) multi-cluster/stateless modes in recent 26.x lines.
- Organizations — Organizations feature fully supported since Keycloak 26.0 for B2B-style tenancy patterns inside the IdP.
- CNCF + Red Hat path — Community project under CNCF incubation; Red Hat build of Keycloak (RHBK) for supported enterprise distributions via Runtimes / Application Foundations / OpenShift-style subscriptions (not a separate SKU in isolation).
| Dimension | Stack Auth / Hexclave | Keycloak |
|---|---|---|
| Primary job | App CIAM + user infrastructure for SaaS | Organization IdP / IAM for many apps & services |
| DX focus | Next.js/React components in minutes | Admin console + adapters; steeper learning curve |
| Protocols | OAuth/OIDC-oriented product auth; SSO on higher tiers | OIDC, OAuth 2.0, SAML 2.0 depth |
| Directory | App user store (managed or self-host DB) | LDAP/AD federation + internal store |
| Hosting | Managed freemium or self-host | Self-host (or RHBK support); no SaaS from upstream |
| License | MIT clients + AGPL server | Apache 2.0 |
Pricing
Neither product is “Auth0 enterprise quote” by default—but cost models differ completely.
Stack Auth / Hexclave (managed)
Public Hexclave pricing (confirm live at hexclave.com/pricing):
| Plan | Price | Auth users | Highlights |
|---|---|---|---|
| Free | $0 forever | Up to 10,000 | 1 dashboard admin; 1,000 emails/mo; email, OAuth, magic links; community support |
| Team | $49/month | Up to 50,000 | 4 admins (+$29/mo each extra); 25k emails/mo; onboarding call; priority support |
| Growth | $299/month | Unlimited | Premium support & SLA; higher analytics caps; same admin model as Team |
- Self-host: Free software cost; you pay infra, ops, and optional commercial license if AGPL is a problem for your distribution model.
- Auth user definition: Any user account counts (including inactive); delete unused accounts to reclaim quota.
- Payments app: No extra Hexclave fee on top of Stripe (and Connect) processing fees when using the Stripe integration.
- Enterprise: Custom for HIPAA, SOC 2 Type II report needs, DPAs, on-prem—contact sales.
Pricing gotcha: Free is generous for prototypes (10k users) but MFA/passkeys/SSO/custom branding sit in the feature matrix by tier—read the full comparison table before assuming Free is production-complete. Growth’s $299 for unlimited users is simpler math than many MRU-metered CIAM vendors at mid-scale.
Keycloak
- Upstream Keycloak: $0 license. Cost is engineering time, HA Postgres (or supported DB), Kubernetes/VMs, backups, upgrades, monitoring, and incident response.
- Red Hat build of Keycloak: Entitled via Red Hat Runtimes, OpenShift Container Platform, Application Foundations, and related bundles—not typically sold as a standalone small SaaS SKU. Budget Red Hat subscription + certified configs if you need vendor support SLAs.
- Hidden cost: Multi-week (or multi-month) ownership for production hardening, theme/custom flow work, and version upgrades (e.g. 24 → 26 migration threads are common in the community).
Rough TCO framing: A solo founder shipping a Next.js SaaS often pays less in calendar time with Stack’s free/Team tier than standing up HA Keycloak. A bank or multi-app enterprise with LDAP, SAML partners, and 24/7 IAM on-call often pays less risk with Keycloak/RHBK than rewriting enterprise federation in a product CIAM.
Limits & gotchas
- Category mismatch — Stack optimizes for “ship product auth.” Keycloak optimizes for “be the company IdP.” Using Keycloak only as a Clerk substitute for a single Next app is possible but often overkill; using Stack as the sole corporate SSO for 40 internal tools may under-serve SAML/LDAP needs.
- Stack maturity & rebrand — Younger project than Keycloak; smaller operator ecosystem. Rebrand (Stack → Hexclave) means dual docs/package names in the wild—budget a careful upgrade path and pin package versions.
- Stack framework skew — Best path is JS/TS (Next, React, TanStack Start, JS SDK). Python is REST-first, not component-first. Keycloak is language-agnostic via standards.
- AGPL server — Self-hosting Stack/Hexclave server under AGPL can block some corporate open-source policies; commercial licenses exist—legal review early. Keycloak’s Apache 2.0 is usually easier for redistribution.
- Keycloak ops burden — Community praise coexists with “configuration gets messy,” adapter deprecation churn, and upgrade pain. HA, session affinity, Infinispan/cache, and backup/restore are real SRE work.
- Keycloak security patching — As a widely deployed IdP, Keycloak accumulates CVEs (token issues, WebAuthn attestation edge cases, ROPC policy bypasses, dependency CVEs). You own patch latency; RHBK customers get errata channels. Never run unmaintained minor versions on the internet.
- DX vs control — Stack’s hosted components accelerate shipping but couple UI to the vendor. Keycloak themes and free-marker/FTL-style customization are powerful but slow compared to React components.
- B2B enterprise SSO sales — Keycloak (and peers like WorkOS/Auth0) still win many “customer’s Okta/Azure AD SAML” deals. Stack offers OIDC/OAuth SSO on paid matrix features—validate exact enterprise connection requirements before promising procurement.
- Support model — Stack Free = community; paid = priority/SLA. Keycloak Free = forums, GitHub, mailing lists; commercial = Red Hat (or third-party support firms).
Community sentiment
Stack Auth / Hexclave: Launch HN (YC S24) framed the product as open-source Clerk/Auth0 without lock-in; commenters compared it directly to Keycloak and Ory on complexity vs polish. r/nextjs threads ask whether Stack is a good Auth.js alternative, whether self-host is “still alive,” and for production examples—signal of interest mixed with early-adopter caution. Product Hunt and LogRocket-style writeups emphasize five-minute Next setup and open-source positioning. Reddit users still more often default to Clerk, Auth.js, Supabase Auth, or Better Auth; Stack is in the “promising OSS CIAM” bucket rather than ubiquitous default.
Keycloak: Long-running HN and Reddit consensus: extremely capable, enterprise-proven, painful if you treat it casually. Self-hosters compare it to Authentik and Authelia for homelabs (Keycloak often “too heavy”); enterprises praise LDAP/SAML/SSO breadth. Recurring complaints: documentation density without always matching mental models, theme and SPI complexity, JVM resource footprint, and upgrade projects. CNCF incubation (2023) improved governance narrative beyond “just Red Hat.” Security analyses and CVE discussions reinforce that it is high-value attack surface—ops discipline required.
Stack is “Clerk with an exit hatch.” Keycloak is “the IdP your security team already knows how to hate-love.” Pick the pain you can staff.
Comparative review sites score Keycloak higher on protocol breadth and hosting flexibility; Stack higher on developer onboarding for modern JS SaaS. That split matches primary sources more than marketing pages alone.
Who should use it
- Pick Stack Auth / Hexclave if: you are building a Next.js/React SaaS; you want prebuilt auth UI, teams, and webhooks this week; you like open-source with optional managed cloud; 10k–50k users fit Free/Team; you accept AGPL or buy a commercial license for self-host; enterprise SAML fleets are not day-one critical.
- Pick Keycloak if: you need a central IdP for many applications; SAML, LDAP/AD, and complex brokering are requirements; compliance prefers Apache 2.0 self-host under your VPC; you have (or will hire) IAM/platform engineering; Red Hat support paths matter; Organizations + fine-grained auth services match your model.
- Consider neither alone if: you only need enterprise SSO/SCIM for B2B sales (evaluate WorkOS/Auth0); you want Postgres-native RLS with minimal IdP (Supabase Auth); you want pure library control with no server product (Better Auth / Auth.js); you need Google-ecosystem mobile defaults (Firebase).
- Hybrid pattern: some orgs run Keycloak as corporate IdP and still use product CIAM (Stack/Clerk) for the customer app—broker or federate carefully to avoid dual user-of-record chaos.
Alternatives
- Clerk — Highest polish hosted components for Next; proprietary core; strong free MRU tier. Choose when DX beats open-source self-host.
- Auth0 — Enterprise CIAM breadth, Actions, mature marketplace. Choose for polyglot enterprise and procurement comfort; watch plan jumps.
- Supabase Auth — Best when Supabase Postgres + RLS is already home. Choose for cost and data co-location over component suites.
- WorkOS AuthKit — Enterprise SSO, Directory Sync, AuthKit UI. Choose when the sale is IT-led SSO more than full IdP ownership.
- Better Auth / Auth.js — Library-first control in the JS ecosystem. Choose when you reject both SaaS CIAM bills and Java IdP ops.
- Ory (Hydra/Kratos/Keto) — Cloud-native OSS identity suite, more composable/micro than Keycloak monolith. Choose for Kubernetes-native IAM architecture.
- FusionAuth / Authentik / Authelia — Midpoints on self-host spectrum (FusionAuth commercial OSS-friendly; Authentik/Authelia popular in self-hosted communities).
- AWS Cognito / Firebase Auth — Cloud hyperscaler auth. Choose for AWS/Google gravity and managed scale without running Keycloak.
Verdict
Stack Auth (Hexclave) and Keycloak are not drop-in substitutes—they are adjacent layers of the identity stack. Stack wins when product velocity, React/Next components, open-source CIAM, and simple managed pricing (Free → $49 → $299) matter more than being the enterprise IdP of record. Keycloak wins when standards depth (SAML, LDAP, brokering), multi-app SSO, Apache 2.0 self-host under your control, and CNCF/Red Hat ecosystem gravity matter more than five-minute component onboarding.
Bottom line for 2026: default to Stack/Hexclave for a greenfield SaaS auth layer with optional self-host exit; default to Keycloak when identity is platform infrastructure shared across systems and directories. If you need both “pretty app login” and “corporate IdP,” design federation intentionally—or you will rebuild the worst of both worlds. Verify live pricing and feature gates on hexclave.com/pricing and keycloak.org docs before locking architecture; both move faster than static comparison tables.
Alternatives
Best Alternatives to Stack Auth Vs Keycloak
Qwen 3.6 Dense
0Trello Best Project Managemen
0Workos Authkit
0Deno Deploy
0Typography
From $199/mo
Salesforce 2026
0More in auto-detected