Picking a free auth provider in 2026 is harder than it should be

I spent time comparing ten auth and identity providers that still offer a meaningful free tier: Clerk, Auth0, Supabase Auth, Firebase, WorkOS, Kinde, Better Auth, Keycloak, Logto, and SuperTokens. There is no single winner on every axis.

WorkOS AuthKit has the biggest headline number here: the first million active users are free, with social auth and MFA included. That is hard to beat if you only look at the free-tier line item. But WorkOS is still a managed SaaS, enterprise SSO and Directory Sync are priced per connection, and the public AuthKit docs I read do not spell out EU data residency the way Auth0, Supabase, or Logto do.

For a typical indie SaaS shipping today, my pick is Supabase Auth. Not because it has the largest free tier, but because the overall package is unusually balanced: 50,000 MAU free, $0.00325 per MAU after that on paid plans, native social login, selectable project regions, a public DPA, and a real exit path through open-source GoTrue. That recommendation fits best if you are already on Postgres or willing to adopt Supabase as a platform, not if you need auth bolted onto an unrelated stack.

SuperTokens managed cloud only covers 5,000 MAU free. The generous comparison for SuperTokens assumes self-hosting the OSS core.

If you are React/Next.js-first and want the fastest polished integration, Clerk is still hard to beat on day-one DX. If you need classic enterprise IAM depth, Auth0 is the most battle-tested managed option in this set. If you refuse to let a SaaS vendor own your auth control plane, look at Better Auth, Keycloak, SuperTokens, or Logto OSS.

You cannot compare these on MAU alone

Before the tables, one warning: vendors do not meter the same thing.

Clerk bills on MRU (monthly retained users), not MAU. Logto charges on token usage in addition to MAU. Supabase splits MAU, third-party MAU, and SSO MAU into separate line items. Firebase Identity Platform distinguishes Tier 1 providers (email, phone, social) from Tier 2 (OIDC/SAML).

A perfect apples-to-apples price table is impossible. Treat the numbers below as directional, then read the billing footnotes for your actual login mix.

Pricing, compliance, and exit paths

| Provider | Free tier and overage | Social login | EU / GDPR | Self-host escape hatch |
|---|---|---|---|---|
| Clerk | 50,000 MRU per app on Hobby; Pro overage from $0.02/MRU at 50K-100K, lower at higher bands per pricing | Included; no per-login fee published | DPA and DPF support; GDPR notice discusses US transfers; no public EU region selector found | Managed only; migration tooling, Firebase and Auth.js guides, webhook sync to your DB |
| Auth0 | 25,000 MAU free; Essentials $35/mo and Professional $240/mo start at 500 MAU per pricing; self-serve overage ladder not fully on-page | Unlimited social connections on free tier | EU/UK regions, Frankfurt tenancy with Dublin failover | Managed SaaS; standards/export-led exit, no self-host path |
| Supabase Auth | 50,000 MAU free; Pro/Team include 100,000 MAU, then $0.00325/MAU; third-party MAU also $0.00325 per pricing; SSO MAU $0.015 after 50 included; phone MFA add-on $75/mo | Apple, Azure, Discord, Facebook, Figma, GitHub, GitLab, Google, Kakao, LinkedIn, Notion, Slack, Spotify, Twitter, Twitch, WorkOS, Zoom, custom OAuth/OIDC; billed through MAU | Project region selection, DPA, trust center | GoTrue OSS; OAuth, MFA, SAML documented for self-host |
| Firebase | Tier 1: 0-50K free, then $0.0055, $0.0046, $0.0032, $0.0025/MAU; Tier 2 OIDC/SAML: 50 free, then $0.015/MAU per pricing | Google, Apple, Facebook, Twitter, GitHub, Microsoft, Yahoo, OIDC, SAML | Privacy page: auth runs only from US data centers | No self-hosted Firebase Auth equivalent |
| WorkOS | AuthKit: first 1M active users free, then $2,500/mo per additional 1M per pricing; SSO/Directory Sync from $125/connection | Included in AuthKit; SSO priced per connection | DPA; AuthKit EU region matrix not clearly published | No self-host; on-prem needs WorkOS cloud; air-gapped unsupported; Cognito and Stytch migration guides |
| Kinde | 10,500 MAU free; Pro $0.0175, Plus $0.0163, Scale $0.0151/MAU per pricing; MAU free if you use Kinde Billing | Email, SMS, social included on free tier | EU data region selectable at signup per docs | Managed only; export docs with passwords, bulk import, Auth0 migration guidance |
| Better Auth | Core framework free OSS; Infrastructure Starter $0/mo: 1 seat, 10K audit logs/mo, 1K security detections/mo per pricing | Built-in social providers; no vendor per-login fee when self-hosted | Depends entirely on where you deploy | Auth lives in your app and DB; migration guides from Clerk, Auth0, Supabase |
| Keycloak | OSS, self-hosted, no vendor MAU fee | Social login and identity brokering built in | You choose the region | Lowest lock-in; HA, K8s operator, admin REST API |
| Logto | 50,000 MAU and 50K tokens free; Pro $24/mo, then $0.08 per extra 100 tokens per pricing; SSO $48/connector, MFA $48 add-on | 3 social connectors on free; token metering can dominate cost | Europe (Netherlands) region selection | Logto OSS self-hostable; Management API migration |
| SuperTokens | Managed: free under 5,000 MAU, then $0.02/MAU per pricing; OSS self-host unlimited | Core recipe model; no per-login fee published | Self-host wherever you want; managed cloud regions unclear in public docs | OSS self-host; Auth0/Clerk migration playbooks |

DX, security, and lock-in

| Provider | Fit and lock-in |
|---|---|
| Clerk | Best React/Next.js DX; framework-specific SDKs; backend SDKs for C#, Go, Java, PHP, Python, JavaScript; device session monitoring; Hobby caps sessions at 7 days. Lock-in: medium-high. |
| Auth0 | 45+ SDKs, 35+ quickstarts, 12 languages; passkeys, passwordless, attack protection; claims 10B+ auths/month and 99.99% uptime. Lock-in: high. |
| Supabase Auth | Best if you are already on Postgres and RLS; SAML, TOTP, phone MFA, identity linking, SSR cookies, rate limits documented. Lock-in: medium-low (GoTrue is OSS). |
| Firebase | Strongest mobile breadth (iOS, Android, Web, C++, Unity, Flutter); MFA, TOTP, provider linking. Lock-in: very high; US-only auth processing. |
| WorkOS | Enterprise API; Node, Ruby, Python, Go, PHP, Laravel, Java, .NET; JWT templates, session helpers, Magic Auth, passkeys, SSO. Lock-in: medium-high. |
| Kinde | Auth plus billing; free tier includes orgs, custom domain, workflows/actions, customizable sessions; passkeys “coming soon”. Lock-in: medium-high, mitigated by export tooling. |
| Better Auth | Auth as application code; Request/Response backends; React/Vue/Svelte, Next.js/Expo; plugin 2FA, SSO, orgs, SCIM. Lock-in: low. |
| Keycloak | Classic IAM (OIDC, OAuth2, SAML, brokering, passkeys, auth SPIs, admin APIs); heavy ops burden. Lock-in: very low. |
| Logto | Passkeys, passwordless, orgs, Secret Vault, session revocation, quickstarts across frameworks; some cloud features are paid add-ons. Lock-in: medium-low. |
| SuperTokens | Node, Python, Go backends; passkeys in Node/Python; session-centric recipes; Poppy customer case. Lock-in: low-medium. |

What the free tiers actually cost you later

WorkOS: huge free headroom, enterprise priced separately

WorkOS AuthKit giving you a million users free is the standout number in this comparison. If your only goal is maximizing managed free headroom, start here.

The catch shows up the moment you need enterprise workflow around identity. SSO and Directory Sync are per-connection SKUs. Radar and custom domains are separate fees. That pricing model makes sense for B2B SaaS, but it is not the same as “all auth is free until we are big.”

Supabase: predictable overage math

Once you leave the free tier, $0.00325 per MAU is much easier to model than Auth0’s plan jumps. Supabase’s billing docs are also unusually explicit about what counts and what does not.

The footnotes matter. Third-party MAU is also $0.00325. SSO MAU and Advanced Phone MFA ($75/mo for the first project on paid plans) are separate line items. Founders often mentally bucket all of that under “auth” and then get surprised on the invoice.
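To make the "read the billing footnotes for your login mix" advice concrete, here is an added cost model (my own code, not Supabase's calculator) that prices each Supabase auth line item quoted above separately, so the headline per-MAU figure can be set against the full invoice. It assumes the Pro plan with 100,000 MAU included, leaves out the base subscription fee (not listed on this page), and assumes no included allowance for third-party MAU, since the page does not state one; the login mix at the bottom is constructed.

```python
from decimal import Decimal, ROUND_HALF_UP

# Supabase auth-related rates as printed on the pricing page, in USD.
# Assumption: Pro plan (100,000 MAU included). The plan's base subscription
# fee is not on the page and is deliberately left out.
SUPABASE_PRO = {
    "included_mau": 100_000,
    "mau_overage_rate": Decimal("0.00325"),
    "third_party_mau_rate": Decimal("0.00325"),
    "included_sso_mau": 50,
    "sso_mau_rate": Decimal("0.015"),
    "advanced_phone_mfa_addon": Decimal("75"),
}

CENT = Decimal("0.01")


def _overage(count: int, included: int, rate: Decimal) -> Decimal:
    """Charge only for units above the included allowance."""
    return Decimal(max(count - included, 0)) * rate


def supabase_auth_line_items(
    mau: int,
    third_party_mau: int = 0,
    sso_mau: int = 0,
    phone_mfa: bool = False,
    rates: dict = SUPABASE_PRO,
    included_third_party_mau: int = 0,  # assumption: the page lists no allowance
) -> dict:
    """Return each auth-related line item plus the total, rounded to cents.

    `mau` is first-party MAU; `third_party_mau` and `sso_mau` are the separate
    meters the footnotes describe; `phone_mfa` adds the Advanced Phone MFA
    add-on ($75/mo for the first project on paid plans).
    """
    items = {
        "mau_overage": _overage(mau, rates["included_mau"], rates["mau_overage_rate"]),
        "third_party_mau": _overage(third_party_mau, included_third_party_mau,
                                    rates["third_party_mau_rate"]),
        "sso_mau": _overage(sso_mau, rates["included_sso_mau"], rates["sso_mau_rate"]),
        "phone_mfa_addon": rates["advanced_phone_mfa_addon"] if phone_mfa else Decimal(0),
    }
    items["total"] = sum(items.values(), Decimal(0))
    return {name: value.quantize(CENT, rounding=ROUND_HALF_UP) for name, value in items.items()}


def headline_only_estimate(mau: int, rates: dict = SUPABASE_PRO) -> Decimal:
    """What you get if you only read the '$0.00325 per MAU' line."""
    return _overage(mau, rates["included_mau"], rates["mau_overage_rate"]).quantize(
        CENT, rounding=ROUND_HALF_UP
    )


if __name__ == "__main__":
    # Constructed login mix: 130K MAU, a few thousand third-party logins,
    # one enterprise customer on SSO, phone MFA switched on.
    mix = dict(mau=130_000, third_party_mau=2_000, sso_mau=250, phone_mfa=True)
    print("headline estimate:", headline_only_estimate(mix["mau"]))
    for name, value in supabase_auth_line_items(**mix).items():
        print(f"{name:>18}: ${value}")
```

For the constructed mix the headline number is $97.50 while the line items sum to $182.00; the MFA add-on, not the MAU overage, is the largest single item, which is exactly the kind of surprise the footnotes are warning about.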

Firebase: cheap MAU, expensive SMS

Tier 1 Firebase auth looks competitive on paper: 50,000 MAU free, then $0.0055, $0.0046, $0.0032, and $0.0025 per MAU at higher volume tiers. The budget risk is phone auth and SMS MFA. Pricing is per message and varies by destination country. If you have a global user base and heavy OTP traffic, SMS can cost more than the MAU line item.

Clerk and Kinde: solid middle tier

Clerk’s 50,000 MRU Hobby tier is generous for an app-first product, but MRU is not MAU. Your bill depends on how Clerk’s retained-user definition maps to your actual usage pattern.

Kinde is interesting if you want auth and billing in one product: MAU can be free when you route payments through Kinde Billing. If you do not want billing in your auth layer, paid overage runs $0.0175/MAU on Pro, $0.0163 on Plus, and $0.0151 on Scale. Reasonable, but not class-leading.

Auth0 and Logto: read the fine print

Auth0 gets expensive fast once you outgrow the 25,000 MAU free tier. The current public pricing page does not show the full self-serve overage ladder; an older official pricing-change post described B2C Essentials scaling at $0.07 per user per month.

Logto can surprise you below 50K MAU. Token metering, MFA add-ons ($48), and enterprise SSO connectors ($48 each) can matter more than the MAU headline. A team under the MAU cap can still hit billing limits on token consumption.

EU residency and getting out later

If you need a clear EU-region story without self-hosting on day one, the strongest managed options here are Supabase, Auth0, Kinde, and Logto.

Supabase lets you pick a project region and publishes a DPA plus GDPR disclosures in its trust center. Auth0 documents EU and UK public cloud regions. Kinde lets you select an EU data region at signup. Logto exposes tenant region selection including Europe (Netherlands), with EU data in Azure West Europe and Private Cloud on Azure for stricter residency needs.

At the other end, Firebase Authentication runs only from US data centers according to Google’s own privacy page. Google publishes DPA, GDPR, and SCC support, but if procurement asks for “keep auth data in the EU,” Firebase is a hard sell.

On lock-in, the vendors split into two camps. Better Auth, Keycloak, SuperTokens, Supabase, and Logto all have credible self-hosting paths. Clerk, Auth0, Firebase, WorkOS, and Kinde are primarily managed; your exit is migration-led, not deployment-led.

The managed vendors that make exit less painful: Kinde (password export), Better Auth (migration guides from multiple vendors), SuperTokens (Auth0/Clerk migration plus session/MFA notes), Clerk (migration utilities), Logto (Management API user migration), and Supabase (GoTrue self-host docs).

```mermaid
flowchart TD
    spike[Free tier changes or auth bill spikes] --> selfHost{Can you self-host the same or compatible stack?}
    selfHost -->|Yes| deploy[Deploy self-hosted target in your preferred region]
    selfHost -->|No| export[Export users, orgs, and identities]
    export --> passwords{Can passwords and MFA factors be exported?}
    passwords -->|Yes| import[Import hashes and factors]
    passwords -->|No| reset[Plan password reset and MFA re-enrollment]
    deploy --> cutover[Run parallel staging cutover]
    import --> cutover
    reset --> cutover
    cutover --> monitor[Dual-run, monitor login success, cut traffic]
    monitor --> done[Revoke old sessions, decommission former provider]
```

The cheapest time to design your escape hatch is before you ship, not when pricing changes. If vendor policy volatility worries you, pick a provider that lets you keep auth data in your own database or region.
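The export branch of the flowchart above turns on a per-user question: can this credential be imported as-is, or does the user need a reset or MFA re-enrollment? The following added example (my own code, not tooling from any of the vendors compared here) walks a constructed user export and classifies each record that way. The hash-format allow-list is an assumption about what a self-hosted target can verify; check it against your target's import docs. The rule worth keeping is the conservative one: anything that is not a recognisable hash format is scheduled for a reset rather than imported blind.

```python
import re
from collections import Counter

# Password-hash formats a self-hosted target can typically verify as-is
# (Modular Crypt Format prefixes). Assumption: confirm the exact list against
# your target's import docs; anything else gets a reset, never a blind import.
IMPORTABLE_HASH = re.compile(r"^\$(2[aby]|argon2(?:id|i|d)|pbkdf2-sha256|scrypt)\$")


def classify_password(record: dict) -> str:
    """Decide how this user's password credential crosses the migration."""
    pw_hash = record.get("password_hash")
    if not pw_hash:
        # No password to carry over: social-only accounts need nothing,
        # everyone else gets a reset email.
        return "social_only" if record.get("identities") else "reset"
    if IMPORTABLE_HASH.match(pw_hash):
        return "import_hash"
    # Opaque or vendor-specific value (or not a hash at all): reset.
    return "reset"


def classify_mfa(record: dict) -> str:
    """TOTP secrets can be imported; anything else means re-enrollment."""
    mfa = record.get("mfa") or {}
    if not mfa.get("enrolled"):
        return "none"
    return "import_factor" if mfa.get("totp_secret") else "re_enroll"


def plan_migration(records: list) -> list:
    """Per-user migration decisions for the export-then-import path."""
    return [
        {
            "id": r["id"],
            "password": classify_password(r),
            "mfa": classify_mfa(r),
            "identities": [i["provider"] for i in r.get("identities", [])],
        }
        for r in records
    ]


def summarize(plan: list) -> dict:
    """Counts you would put in the cutover runbook (how many reset emails, etc.)."""
    return {
        "password": dict(Counter(p["password"] for p in plan)),
        "mfa": dict(Counter(p["mfa"] for p in plan)),
    }


# Constructed sample export; hash and secret strings are placeholders, not real values.
SAMPLE_EXPORT = [
    {"id": "u1", "email": "a@example.com",
     "password_hash": "$2b$12$PLACEHOLDERbcryptSaltAndDigestPLACEHOLDER000000",
     "mfa": {"enrolled": True, "totp_secret": "PLACEHOLDERBASE32"}, "identities": []},
    {"id": "u2", "email": "b@example.com",
     "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$PLACEHOLDERSALT$PLACEHOLDERHASH",
     "mfa": {"enrolled": False}, "identities": []},
    {"id": "u3", "email": "c@example.com", "password_hash": None,
     "mfa": {"enrolled": False}, "identities": [{"provider": "github", "provider_id": "123"}]},
    {"id": "u4", "email": "d@example.com",
     "password_hash": "vendor-opaque:9f86d081884c7d65",  # not an MCF hash: cannot be verified
     "mfa": {"enrolled": True}, "identities": []},         # SMS factor, no exportable secret
]

if __name__ == "__main__":
    plan = plan_migration(SAMPLE_EXPORT)
    for entry in plan:
        print(entry)
    print(summarize(plan))
```

Run against the sample export, two users import cleanly, one is social-only, and one needs both a password reset and MFA re-enrollment; the summary counts are what size the "plan password reset" box in the flowchart and the support load on cutover day.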

DX, security, and scale (the short version)

On day-one ergonomics, Clerk wins for polished React/Next.js UI. WorkOS wins if you already know you need enterprise SSO on the roadmap. Auth0 wins on “works almost everywhere” breadth. Supabase wins if auth is part of a Postgres plus RLS architecture, not a standalone category pick.

On security depth, Auth0, WorkOS, Keycloak, and Logto have the broadest feature sets. Auth0 has mature attack protection and enterprise deployment options. WorkOS bundles Magic Auth, MFA, passkeys, and SSO around encrypted session cookies. Keycloak has full protocol coverage and pluggable auth flows. Logto covers passkeys and passwordless, though some cloud features are add-ons.

For sovereignty-first setups, Better Auth treats auth as versioned application code. Keycloak is the pick for classic enterprise protocols. SuperTokens fits when sessions and app-embedded integration matter more than traditional IdP admin UIs.

Scale evidence is uneven. Auth0 claims 10B+ authentications per month. Kinde published a customer story at 300,000+ MAU. Keycloak has official HA and benchmark material. Better Auth reported 2-3x latency gains on 50+ endpoints after join optimization. Supabase publishes rate limits and surge-prep guidance rather than a single vanity benchmark number. I prefer that for production planning, even if it is less fun in a sales deck.

What I would pick

```mermaid
flowchart TD
    start[You are launching an indie SaaS] --> selfHostQ{Need self-hosting or minimum lock-in from day one?}
    selfHostQ -->|Yes| embedQ{App-embedded auth or classic IAM?}
    embedQ -->|App-embedded| betterAuth[Better Auth or SuperTokens]
    embedQ -->|Classic IAM| keycloak[Keycloak]
    selfHostQ -->|No| euQ{Need explicit EU region plus OSS escape hatch?}
    euQ -->|Yes| supabase[Supabase Auth]
    euQ -->|Prefer auth-only over BaaS| logto[Logto]
    euQ -->|No| volumeQ{Largest free managed tier plus future enterprise SSO?}
    volumeQ -->|Yes| workos[WorkOS]
    volumeQ -->|No| reactQ{React/Next.js DX above all else?}
    reactQ -->|Yes| clerk[Clerk]
    reactQ -->|No| supabaseDefault[Supabase Auth]
```

Choose Supabase Auth unless a specific constraint overrides it.

Choose WorkOS if you are clearly building B2B SaaS with enterprise SSO on the roadmap and want maximum free managed volume now. Choose Clerk if React/Next.js polish is the deciding factor and you can live with higher lock-in. Choose Logto if you want an auth-focused product with OSS fallback and explicit EU tenancy. Choose Better Auth, Keycloak, or SuperTokens if you do not want your authentication control plane held hostage by a SaaS vendor.

For a typical bootstrapped SaaS, I would ship on Supabase Auth, keep user metadata in Postgres from day one, and preserve the option to move to self-hosted GoTrue, Logto OSS, SuperTokens, or Better Auth if pricing or compliance requirements change. Speed now, leverage later.

Gaps in the public docs

A few items stayed unclear in the sources I reviewed.

Auth0’s current public self-serve overage formula is less explicit on the 2026 pricing page than in older official pricing-change posts. Clerk’s GDPR materials discuss transfer mechanisms, but I did not find a public EU-hosting selector for the auth plane. WorkOS publishes GDPR/DPA materials, but AuthKit’s region matrix is thinner than those of Auth0, Supabase, Kinde, or Logto. SuperTokens’ public docs did not clearly expose managed-cloud region options or a full enterprise add-on price sheet. Better Auth is not directly comparable on MAU because the core product is a self-hosted framework, not a metered hosted auth service.

Sources

Clerk

Clerk pricing
Clerk DPA
Clerk GDPR
Clerk migrations overview

Auth0

Auth0 pricing
Auth0 data residency
Auth0 GDPR

Supabase

Supabase pricing
Supabase DPA
Supabase security / trust center
Self-hosting GoTrue
Supabase social login providers

Firebase

Firebase pricing
Firebase privacy
Identity Platform pricing

WorkOS

WorkOS pricing
WorkOS DPA
WorkOS AuthKit docs

Kinde

Kinde pricing
Kinde export users
Kinde data regions

Better Auth

Better Auth
Better Auth pricing
Clerk migration guide

Keycloak

Keycloak
Keycloak high availability
Keycloak server administration

Logto

Logto pricing
Logto OSS getting started
Logto data region configuration
Logto user migration

SuperTokens

SuperTokens pricing
SuperTokens migration overview
SuperTokens self-host docs