Tool Intelligence Profile

Workos Authkit

WorkOS AuthKit: hosted/headless auth UI + User Management. Free to 1M MAUs; custom domain $99/mo; SSO/Directory Sync from $125/connection. MFA, passkeys, Magic Auth free.

auto-detected freemium 0

Pricing

Contact Sales

freemium

Category

auto-detected

0 features tracked

Overview

WorkOS AuthKit is the authentication UI and user-management layer of WorkOS—a developer platform for making B2B SaaS enterprise-ready. Product homes: authkit.com and the WorkOS docs at workos.com/docs/authkit. Parent company site: workos.com. Pricing: workos.com/pricing.

Primary job-to-be-done: ship production sign-up/sign-in (email/password, social, Magic Auth email codes, passkeys, MFA) with a themeable hosted login box, then grow into enterprise SSO (SAML/OIDC), organizations, RBAC, directory sync (SCIM), and abuse protection (Radar) without rewriting identity. WorkOS markets AuthKit as “the world’s best login box,” built on Radix UI (same design-system family used widely in modern SaaS UIs).

AuthKit is not a separate company from WorkOS—it is the user-auth surface that sits on User Management APIs. You can use the hosted AuthKit UI (fastest path; free *.authkit.app domain, optional custom domain) or call the headless APIs and build your own screens (open-source examples on GitHub under workos/authkit). Sessions return JWTs/access tokens your app verifies; user and org state can sync via events/webhooks.

WorkOS positions itself for teams that will eventually sell to IT-led buyers: customers publicly associated with the platform include high-growth SaaS (e.g. Vercel, Loom, Webflow, Drata, Jasper in WorkOS marketing, and community mentions such as Cursor using AuthKit). That pedigree matters more for “will this survive procurement?” than for weekend side projects.

Quick start: Create a WorkOS environment in the Dashboard, enable AuthKit authentication methods you need, install the framework helper (e.g. @workos-inc/authkit-nextjs + @workos-inc/node for Next.js App Router), set Client ID + API key, and redirect unauthenticated users through the hosted AuthKit flow. Staging environments are free; production is billed.

Key features

  • Hosted AuthKit UI — Fully themeable login/sign-up experience (colors, logo, radius, light/dark). No WorkOS branding on the hosted box (a competitive talking point vs vendors that watermark free tiers). Free subdomain on *.authkit.app; production custom domain is a paid add-on.
  • Headless User Management APIs — Build your own UI against the same backend: users, authentication codes, MFA enrollment, Magic Auth issuance, organization memberships. Open examples for hosted vs custom UI live in the public workos/authkit repo.
  • Authentication methods — Email & password; social OAuth (Google, Microsoft, GitHub, and a long list of providers in the API surface); Magic Auth (six-digit email OTP, codes expire in 10 minutes); passkeys (WebAuthn; launched free for AuthKit customers); MFA via TOTP authenticator apps (environment-level enablement; MFA requirement does not apply to SSO users); enterprise SSO (SAML/OIDC connections to Okta, Entra, and others).
  • Organizations & domain policies — Model B2B tenants as organizations with memberships, domain verification, and policies that control which auth methods apply per org (e.g. force SSO for a customer domain). JIT provisioning from IdP logins is part of the enterprise path.
  • RBAC (roles & permissions) — Assign roles to organization memberships; permissions ride on session access tokens. Multiple roles per membership (union of permissions) shipped as a product enhancement. Roles can also be sourced from IdP attributes in enterprise setups.
  • Identity hygiene — Email verification on by default; identity linking/merging to reduce duplicate accounts and spoofing; IdP profile normalization so apps see consistent user fields across providers; password strength feedback and leaked-password-style protections called out in product marketing.
  • Radar (bot & fraud protection) — Signal-based protection on authentication attempts: bots, credential stuffing, suspicious devices, free-tier abuse. First 1,000 checks free; metered thereafter. Sits inside the auth path rather than as a bolted-on CAPTCHA only.
  • Admin Portal — Self-serve UI for customer IT admins to configure SSO and directory connections without your engineers on every Zoom. Repeatedly cited in independent evaluations as the underrated enterprise win.
  • Directory Sync (SCIM) — Separate WorkOS product, same platform: keep app users/groups in sync with Okta, Entra, Workday, custom SCIM, etc. Events via webhooks or Events API. Priced per directory connection with volume discounts.
  • Audit Logs & streaming — Enterprise audit trail with SIEM log streaming and event retention tiers. Useful when security questionnaires ask for exportable auth/admin activity.
  • SDKs & framework helpers — Node, and first-party AuthKit helpers for Next.js, React, Remix, vanilla JS; examples for Python/Flask, Electron (PKCE + deep links), and more under the WorkOS GitHub org. API base: WorkOS REST API.
  • AuthKit for Platforms — Management APIs so platforms (e.g. Convex default auth story) can provision AuthKit for each tenant app without manual setup per project.
  • Test SSO — Dashboard tooling to exercise SSO end-to-end without registering a full production IdP for every dry run.

Pricing

WorkOS publishes transparent, connection- and usage-based pricing at workos.com/pricing (US list; confirm live for changes). Model is best described as freemium / usage: AuthKit user management is free through a very large MAU band; enterprise connections and add-ons meter separately. Staging environments are free; only production is billed.

Product / add-on List pricing (public) What you get
AuthKit (User Management) First 1,000,000 MAUs free; then about $2,500/mo per additional 1M MAUs (volume discounts available) Email/password, social, passkeys, MFA, Magic Auth, enterprise SSO capability in one integration; hosted or headless
Custom domain $99/mo Hosted AuthKit on your domain (e.g. auth.yourapp.com) plus custom email configuration path
SSO connection $125/mo each for connections 1–15; then $100 / $80 / $65 / $50 bands down to custom at 201+ One connection ≈ one IdP relationship for a customer (Okta, Entra, etc.)
Directory Sync connection Same ladder as SSO ($125 → volume discounts) SCIM/directory integration per customer directory
Audit Logs $125/mo per SIEM stream; $99/mo per 1M events retained Streaming + retention for compliance/ops
Radar First 1,000 checks free; then $100/mo per 50k additional checks Bot/fraud/abuse protection on auth attempts
Support Standard free (email, in-product, status, private Slack on free plan features as listed); Scale $1,000/mo; Enterprise custom Faster SLAs, video support, TAM, architecture reviews on higher tiers
Plans shell Pay as You Go (usage) or Annual Credits (custom, prepay discounts, 99.99% uptime SLA, migration help) Enterprise agreements for advanced requirements

MAU definition (WorkOS): a user who performs sign-up, sign-in, or profile update in a calendar month. For most early B2B SaaS products, the 1M free MAU band means AuthKit user fees are not the binding constraint—custom domain + SSO/Directory connection counts are.

Pricing gotchas: Marketing emphasizes “1M free users,” but production brands usually want the $99/mo custom domain immediately. Each enterprise customer’s SAML/OIDC hookup is a billable SSO connection; SCIM is another. Ten SSO customers at list is roughly $1,250/mo before Directory Sync. Model connection growth from your pipeline, not only MAU. Annual credits and volume discounts exist—use them once connection count is material.

Limits & gotchas

  • Free MAU ≠ free enterprise rollout — AuthKit’s generous MAU free tier does not erase per-connection SSO/Directory pricing. Community threads (HN, r/SaaS) repeatedly flag “expensive at scale” when the mental model is “free like a consumer auth hobby plan.”
  • Custom domain is a near-mandatory $99 — Free *.authkit.app works and is unbranded, but buyers and cookie/email reputation often expect auth.yourdomain.com. Budget it for production.
  • Not the most “component-first” DX — Clerk-style drop-in React widgets for user buttons and org switchers are a different product shape. AuthKit is strongest as hosted redirect + API/session model, or headless rebuild. Independent reviews note excellent Next.js paths; other stacks work via SDKs/examples but may feel thinner than pure Node/Next.
  • SSO economics stack — Great for a handful of design partners; painful if you give free SSO to every SMB without pricing it into your own SKUs. Some teams only enable SSO on higher product tiers to offset WorkOS connection fees.
  • MFA vs SSO — Dashboard MFA requirements do not apply to SSO users (IdP owns that factor). Correct for enterprise, confusing if you assumed one global MFA policy for everyone.
  • Radar is not “always free unlimited” — Free allotment is small (1k checks); production traffic needs a cost model. Confirm whether Radar is enabled by default in your environment or requires activation (docs/blog have described preview/contact flows historically—verify current Dashboard state).
  • Framework lag risk — Community reports (e.g. Next.js major version upgrades) can surface temporary SDK friction. Pin versions, watch changelog, and treat auth middleware as critical path.
  • Authorization depth — RBAC covers common B2B roles/permissions. Complex ReBAC/relationship-based auth may need WorkOS FGA (Warrant acquisition lineage) or an external policy engine—do not assume RBAC alone solves multi-resource graphs.
  • Vendor concentration — Identity outage = app outage. Monitor status.workos.com, design clear degraded messaging, and keep export/migration awareness even though WorkOS is modular compared with monolithic CIAM lock-in narratives.
  • HIPAA BAA — Available on enterprise plans per security FAQ; not a free-tier assumption. SOC 2 Type II and GDPR/CCPA are part of the published posture; reports via Trust Center.

Community sentiment

Developer discussion (Hacker News launch threads, 2024–2025 auth comparisons, Reddit r/SaaS and r/nextjs) clusters around a few stable themes:

  • Praise: Transparent published pricing vs opaque CIAM quotes; no “Powered by…” watermark on hosted AuthKit; free MFA and free passkeys as security defaults; Admin Portal reducing IT onboarding load; path from startup login to SAML/SCIM without a full rewrite; solid docs and Slack-oriented support culture; “just works” hosted box for side projects and serious B2B alike when connection math is acceptable.
  • Criticism: The 1M free MAU headline underplays custom domain and per-connection costs; some builders prefer Clerk’s component ecosystem for consumer/prosumer UX; pure self-host fans choose Better Auth / Ory / custom; occasional SDK version friction on framework upgrades; free tier “doesn’t show the enterprise value” until you actually wire SSO and directories.
  • G2 / marketplace tone: Reviews often highlight documentation quality and upfront pricing clarity—consistent with WorkOS’s public pricing page strategy.
  • Independent write-ups (2026): DEV Community / Plain English evaluations of AuthKit + Radar frame WorkOS as optimized for “day 900 enterprise survival” more than “day 0 demo polish,” and note sponsored contexts—still useful for fit/non-fit checklists (B2B yes; pure consumer side project maybe not).

Community shorthand: AuthKit wins when your roadmap includes Okta questions; Clerk wins when your roadmap is “ship a beautiful sign-in this sprint”; Auth0 wins when you need a Swiss-army CIAM and will pay for complexity.

Who should use it

  • B2B SaaS teams that already hear “Do you support SAML/SCIM?” on sales calls, or will within two quarters.
  • Startups choosing identity once who want consumer-grade login now and enterprise SSO later without swapping vendors.
  • Platforms / multi-app builders that need to provision auth for customer-built apps (AuthKit for Platforms pattern).
  • Teams happy with hosted redirect or headless APIs rather than designing every auth micro-interaction in-house.
  • Security-conscious products that want MFA, passkeys, email verification, and bot protection included without paywalling basics.

Who should look elsewhere: pure consumer apps with millions of sticky free users where Cognito/Supabase unit economics dominate; teams that need maximal drop-in React org UI and are fine with Clerk’s MRU model; orgs that must self-host identity in their VPC (Ory, Keycloak, etc.); products that only need a single IdP and already live deep in one cloud’s IAM.

Alternatives

  • Clerk — Best-in-class component DX (especially Next.js), Organizations, and polished hosted UI; different metering (MRU) and feature gates (MFA/passkeys historically on paid tiers). Prefer for product-led consumer/prosumer UX; prefer WorkOS when enterprise SSO/SCIM/Admin Portal is the center of gravity.
  • Auth0 (Okta Customer Identity) — Broad CIAM, Actions extensibility, mature enterprise. Heavier ops and pricing cliffs as you scale; still the default RFP checkbox in many large orgs.
  • Supabase Auth — Excellent when Postgres is already Supabase; generous free tier for early products. Enterprise SSO/directory depth usually needs add-ons or a second system (WorkOS is a common pairing).
  • Firebase Authentication — Fast mobile/web consumer auth on Google Cloud. Weak fit for IT-managed B2B SAML fleets without extra glue.
  • Stytch / Descope / Frontegg / Kinde — Modern auth vendors with varying B2B depth, no-code workflows, or price points; evaluate if you want different DX or packaging than WorkOS’s connection model.
  • Amazon Cognito — Cheap at huge scale inside AWS; configuration and UX polish lag hosted AuthKit for many teams.
  • Better Auth / Auth.js / Ory — Self-host or code-first control. Choose when ownership and infra cost beat managed enterprise features.

Verdict

WorkOS AuthKit is a strong default for SaaS products that treat authentication as infrastructure on the way to enterprise deals. The combination of a free (to 1M MAU), unbranded hosted login box; free security baselines (MFA, passkeys, verification); and a clear ladder into SSO, Directory Sync, RBAC, Admin Portal, Audit Logs, and Radar is coherent and honestly priced on a public page—rare in CIAM.

It is not magic: you will likely pay for a custom domain early, and every serious enterprise customer adds connection cost you should bake into your own pricing. It is also not the prettiest “component playground” if your only goal is a consumer social app this weekend. For the stated job—ship solid login now, survive Okta/Entra questionnaires later without a rewrite—AuthKit is one of the cleanest managed options available in 2026. Confirm live numbers on WorkOS pricing and the Trust Center before you sign, and model connections from your pipeline before you promise free SSO to every tier.

More in auto-detected

Related Comparisons