unsubbed.co

Authgear

Authgear gives you a managed authentication platform on your own infrastructure.

Open-source identity management, honestly reviewed. What you actually get when you self-host your auth layer.

TL;DR

  • What it is: Open-source (Apache-2.0) customer identity and access management (CIAM) platform — think Auth0, but the code lives on your server [4][5].
  • Who it’s for: SaaS developers and mobile app teams who need passkeys, biometric login, SSO, and MFA out of the box, and either want to self-host for data sovereignty or pay per project rather than per MAU [1].
  • Cost savings: Auth0’s paid plans start around $35/month for 500 MAUs and scale sharply past 10K users. Authgear Cloud has a free tier; self-hosted runs on your own infrastructure with no per-user fees. Pricing details for paid cloud tiers aren’t published transparently on the website — more on that below.
  • Key strength: Genuinely broad authentication method coverage — passkeys, biometrics (iOS/Android), passwordless OTP via email/SMS/WhatsApp, social login, TOTP, SAML/OIDC/OAuth 2.0 — in one deployable unit with a pre-built UI [README].
  • Key weakness: Significantly smaller community than every major competitor in this space. At 1,645 GitHub stars [4], it’s a fraction of Keycloak (33,951), authentik (21,050), or Logto (11,923) [5]. Most documented production deployments are from Asia-Pacific enterprises, not the North American SaaS market this site’s audience lives in.

What is Authgear

Authgear is a Customer Identity and Access Management (CIAM) platform. You deploy it — on their cloud or your own server — and it handles everything between “user clicks Sign In” and “your backend receives a verified JWT”: login flows, MFA, session management, user profile storage, admin APIs, and audit logging [README].

The GitHub description positions it as “Open source alternative to Auth0 / Clerk / Firebase Auth” with passkeys, SSO, MFA, passwordless, and biometric login [README]. The homepage pitches it as “Your Managed IAM Solution,” targeting three segments: consumer-facing apps (B2C), extended workforce (employees, partners, contractors), and B2B SaaS apps that need per-tenant authentication customization [website].

The company behind it is SkyMakers Digital Limited, a Hong Kong-based outfit [2]. The product was previously called Skygear Auth before rebranding to Authgear [website]. Their documented enterprise customers — Bupa Hong Kong, CIMIC Group, Hongkong Land, K11, MTR — are all large Asia-Pacific organizations [README], which is worth noting if you’re a US/EU startup trying to gauge community health and regional support.

The Apache-2.0 license is the critical differentiator in the commercial sense: you can self-host it, modify it, and embed it in a commercial product without signing a commercial agreement or worrying about “Fair-code” restrictions like those attached to n8n [1].


Why people choose it over Auth0, Clerk, and Keycloak

The third-party review coverage for Authgear is thin compared to category leaders. The most substantive comparative analysis available is actually written by Authgear itself [1] — a blog post ranking open-source Auth0 alternatives where Authgear unsurprisingly appears favorably. That bias is real. What the article does do usefully is lay out the honest structural reasons teams leave Auth0:

Versus Auth0. The complaints that drive people away from Auth0 are consistent across forums: MAU-based pricing that becomes punitive at scale, limited flexibility in customizing authentication flows without paying for enterprise tiers, and increasing friction as compliance requirements grow [1]. Authgear’s self-hosted model sidesteps the per-user pricing entirely. For a consumer app expecting 50K+ MAUs, the math can tip quickly — Auth0’s Professional tier prices aren’t publicly listed beyond initial tiers and require custom quotes at scale [1].

Versus Clerk. Clerk is the developer-experience darling of the current cycle — component-first, React-native, almost zero configuration. Authgear is positioned differently: it’s not trying to win on drop-in React components, it’s trying to win on feature completeness (biometric, passkeys, SAML B2B) and operational ownership. If your app is a Next.js startup and you want Clerk’s <SignIn /> component, Authgear won’t match that experience [5].

Versus Keycloak. Keycloak has 33,951 stars and dominates enterprise self-hosted auth, but it’s widely described as operationally heavy — it needs JVM memory, its configuration UI is dense, and mobile biometric flows require significant custom work [4]. Authgear ships mobile SDKs for iOS and Android with biometric login as a first-class feature, not a bolt-on [README]. For a team building a consumer mobile app, that’s a meaningful difference.

Versus authentik and Zitadel. Both have substantially larger communities and more active GitHub activity [5]. authentik (21,050 stars) is oriented toward workforce SSO and homelab use. Zitadel (13,552 stars) targets developer-first B2B SaaS. Authgear’s positioning is closest to Logto (11,923 stars) — consumer-first CIAM with B2B capabilities added on. Logto has nearly 7x the stars and comparable feature coverage. That’s a real signal about ecosystem size that prospective users should weigh.

On data sovereignty. The self-host pitch is clearest for regulated industries. Authgear’s docs explicitly describe it as a microservices identity layer using JWT tokens, OIDC, and zero-trust principles — centralized auth without routing user credentials through a third-party cloud [website][3]. For healthcare, fintech, or any company with data residency requirements, owning the auth server matters.


Features: what it actually does

Based on the README and documentation:

Authentication methods:

  • Email/password
  • Passwordless via magic link or OTP over email, SMS, or WhatsApp [README]
  • Passkeys (WebAuthn) [README]
  • Biometric login on iOS and Android [README]
  • Social login (OAuth providers) [README]
  • 2FA: TOTP (Google Authenticator, Authy), SMS OTP, Email OTP [README]
  • Anonymous users — temporary accounts that promote to full users on signup [3]

Enterprise identity and SSO:

  • OIDC / OAuth 2.0 / SAML 2.0 [README]
  • B2B Enterprise Connections: ADFS, LDAP [README]
  • RBAC (Role-Based Access Control) [README]
  • M2M (machine-to-machine) via Client Credentials flow with scoped API resources [3]
  • Single Sign-On across multiple applications [website]

Pre-built UX:

  • Customizable signup/login pages, dark/light mode [README]
  • Pre-built user account settings page [README]
  • Auth UI skinning through portal configuration [3]

Admin and developer tooling:

  • Authgear Portal: web UI for user management and project configuration [README]
  • Admin API: full GraphQL interface (accessible via GraphiQL Explorer in portal) [README][3]
  • Webhooks for integration with external systems [README features]
  • REST API [README features]
  • SDKs for iOS and Android [README]
  • Helm charts for Kubernetes deployment [README features]

Security infrastructure:

  • Audit logs for user activity and Admin API operations [README][3]
  • Brute-force protection, bot protection, rate limiting [README]
  • Session management with access tokens and refresh tokens [3]
  • JWT-based access tokens for microservice authorization [website]

What’s in the free tier vs. commercial: The website doesn’t publish a clear feature gate list between free self-hosted and paid commercial tiers. This is a real transparency gap compared to how competitors present their pricing.


Pricing: SaaS vs self-hosted math

Authgear Cloud: The website offers a “Get Started for Free” button but doesn’t publish a public pricing table with specific tiers and MAU limits. There’s mention of a free tier and paid plans, but concrete numbers require signing up or contacting sales. This is a significant transparency issue — you can’t evaluate the cost model without an account or a sales call [website].

Self-hosted:

  • Software license: $0 (Apache-2.0) [README]
  • Infrastructure: your server costs
  • No per-MAU or per-transaction fees

Auth0 for comparison (the primary incumbent being displaced):

  • Free: up to 7,500 MAUs
  • Essential: starts around $35/mo at low MAU counts
  • Professional and Enterprise tiers: pricing requires custom quotes past initial tiers; costs can reach hundreds to thousands per month at scale [1]

Concrete case: A SaaS with 25,000 MAUs on Auth0’s Professional tier is looking at costs that can exceed $200-300/month depending on features needed. Self-hosting Authgear on a $20/month VPS eliminates that line item entirely — but requires someone to operate it. The deployment overhead is real; Authgear is not a single binary like PocketBase.

Bottom line on pricing: If Authgear Cloud’s tiers and limits aren’t published, you’re flying blind on cost comparison. Self-hosted is free software on your infrastructure, which is the clear story. Cloud pricing requires a sales conversation, which is a friction point the best competitors (Zitadel, Logto) don’t impose.


Deployment reality check

Authgear runs on Kubernetes with Helm charts, or Docker [README]. This is not a simple single-container deploy — it’s a production-grade auth service that involves a database, Redis (likely), and SMTP configuration at minimum.

What the README advertises:

  • “Get started in 5 minutes with developer-friendly SDKs and a comprehensive portal” [README]
  • Helm deployment for Kubernetes
  • Docker-based options

What “5 minutes” actually means: Five minutes to get the Authgear Cloud demo running is credible. Five minutes to have a self-hosted production instance with your custom domain, SSL, database, and email provider configured is not realistic for anyone.

Realistic self-hosted requirements:

  • Kubernetes cluster or a server capable of running Docker Compose with multiple services
  • PostgreSQL database (not bundled like simpler tools)
  • A reverse proxy with HTTPS
  • SMTP provider for email OTP and magic links
  • Domain configuration for the auth endpoint
  • Time to configure the portal, set up OAuth apps, and test your flows

For a technical founder or a team with one DevOps-capable developer, this is manageable. For a non-technical founder, this is a “hire someone once” situation. The complexity is comparable to self-hosting Keycloak, not comparable to adding a Clerk package to your project.

Mobile SDK reality: The biometric and passkey features require iOS and Android SDK integration — not a web configuration. If you’re building a mobile app and want biometric login, you’ll need to integrate the SDK into your native app, handle the Authgear endpoint in your app config, and test on real devices. The SDKs exist and are documented [README], but it’s engineering work, not portal configuration.

Community support: Discord exists [README]. The GitHub repo is active (recent commits, per [4]). But with 1,645 stars and a primarily Asia-Pacific user base, you won’t find the volume of community tutorials, Stack Overflow answers, or YouTube guides that Keycloak or even SuperTokens have accumulated. If you get stuck on an unusual configuration, you’re probably opening a GitHub issue or asking in Discord.


Pros and cons

Pros

  • Apache-2.0 license — genuinely permissive. Self-host it, modify it, embed it in your SaaS product, no commercial licensing conversations needed [README][1].
  • Best-in-class mobile auth features — biometric login on iOS and Android, passkeys, and passwordless OTP via WhatsApp (rare) are first-class features, not integrations [README]. If you’re building a consumer mobile app, this matters.
  • Pre-built UI that’s production-ready — customizable signup/login and account settings pages mean you don’t have to build auth screens from scratch [README].
  • Full enterprise auth stack in one tool — SAML, OIDC, LDAP/ADFS, RBAC, audit logs, MFA all in one deployable unit [README]. Competitors often split these across tiers.
  • GraphQL Admin API — full programmatic access to user management via GraphQL with a built-in explorer [README][3].
  • Genuine enterprise adoption — large organizations (Bupa, MTR) are production users [README], which at least suggests it handles real load.
  • Zero-trust JWT architecture — documented approach to microservices auth with proper token scoping [website][3].

Cons

  • Small community relative to competitors. 1,645 stars [4] versus authentik (21,050), Zitadel (13,552), Logto (11,923), SuperTokens (15,013) [5]. Community-generated tutorials, troubleshooting guides, and integration examples are sparse.
  • Opaque cloud pricing. No public pricing page with tier details and MAU limits. Comparing cost against Auth0 requires a sales conversation [website].
  • Asia-Pacific focus. Documented customers are all Hong Kong / Australia companies [README]. US/EU community activity and regional support quality are unknown.
  • Not simple to self-host. Kubernetes/Helm as the primary deployment model means this is not a weekend Docker Compose project for beginners. Deployment complexity is comparable to Keycloak.
  • No standalone binary. Tools like PocketBase or Logto have simpler deployment stories. Authgear is a multi-service architecture.
  • Third-party review coverage is nearly nonexistent. The most substantive comparative article available is written by Authgear itself [1]. Independent benchmarks, migration guides, and honest failure reports don’t exist in volume yet.
  • “5 minutes” onboarding claim. Applies to the cloud demo, not self-hosted production setup. The gap between the claim and the reality will frustrate people who take it literally.

Who should use this / who shouldn’t

Use Authgear if:

  • You’re building a consumer mobile app that needs biometric login, passkeys, and passwordless OTP — and you want one library that handles all of it.
  • You’re a SaaS team that needs SSO, SAML, and per-tenant auth customization, and you want to self-host for data sovereignty or cost at scale.
  • You have Kubernetes infrastructure and someone who can operate it.
  • The Apache-2.0 license matters — you want to embed the auth system in a product you’ll sell or redistribute.
  • You’re in a regulated industry (finance, healthcare) where data residency requires the auth server to stay in your own infrastructure.

Skip it (consider Logto or Zitadel instead) if:

  • You want a similarly featured self-hosted CIAM with 7-8x more community activity and better English-language documentation.
  • You need extensive third-party integration guides and community-built tutorials to reduce your own research time.

Skip it (consider SuperTokens or Better Auth instead) if:

  • You’re a developer-first team that wants to integrate auth as a library with code-level customization rather than a portal-configured service.

Skip it (use Clerk) if:

  • You want the fastest possible integration for a Next.js or React app with a component-first UI, and developer ergonomics trump operational control.

Skip it (use Keycloak) if:

  • You’re in enterprise IT managing workforce SSO with Active Directory, need the largest possible community, and are willing to invest in the operational overhead.

Stay on Auth0 if:

  • Your MAU count is under 7,500 (free tier) and the setup overhead of self-hosting isn’t worth it yet.
  • Your team doesn’t have infrastructure experience and the Authgear Cloud pricing is unclear enough that you can’t make a cost comparison.

Alternatives worth considering

From the openalternative.co listings and the Auth0 alternatives comparison [4][5][1]:

  • Keycloak — dominant enterprise choice, 33,951 stars, comprehensive but operationally heavy [4]. Best for workforce/internal SSO.
  • authentik — 21,050 stars, strong for self-hosted workforce identity, good UI, active community [5].
  • Zitadel — 13,552 stars, developer-focused B2B SaaS auth, serverless-friendly, transparent pricing [5].
  • Logto — 11,923 stars, closest feature match to Authgear (consumer CIAM + B2B), much larger community [5].
  • SuperTokens — 15,013 stars, code-first, self-hosted, strong customization [4][5].
  • Stack Auth — 6,761 stars, 5-minute setup claim, Next.js-focused [4][5].
  • Better Auth — 27,879 stars, TypeScript-native framework approach, fastest-growing in the space [5].
  • Auth0 — the incumbent being displaced. Easiest onboarding in the category, largest integration library, most expensive at scale.

The honest competitive map: if you want self-hosted consumer CIAM with mobile biometrics and SSO, Authgear and Logto are the two tools to evaluate seriously. Logto has more community momentum; Authgear has stronger mobile-native features and enterprise customer references in its README.


Bottom line

Authgear is a credible, feature-complete authentication platform that covers ground most competitors spread across multiple products: passkeys, biometric mobile login, passwordless OTP, SAML enterprise SSO, RBAC, and audit logs in one Apache-2.0-licensed deployable. The enterprise customer list — Bupa, MTR, Hongkong Land — suggests it handles real production loads. The GraphQL admin API and Kubernetes deployment story are built for teams that take infrastructure seriously.

The honest caveat is the community gap. At 1,645 GitHub stars against competitors with 10,000–30,000, you’re betting on a less-tested tool with fewer community resources when things go sideways. The cloud pricing opacity is a friction point that shouldn’t exist in 2026. And the deployment complexity means this is not a tool for a non-technical founder to spin up alone on a Sunday afternoon.

For a technical SaaS team building a consumer mobile app that needs the full auth stack on their own infrastructure — particularly one with Asia-Pacific operations or data residency requirements — Authgear deserves a serious evaluation. For everyone else, the star counts on Logto, Zitadel, and authentik reflect community trust that Authgear hasn’t yet earned at the same scale.


Sources

  1. Authgear Blog, “Top Open-Source Auth0 Alternatives in 2026: Secure & Self-Hosted Options” (March 5, 2026). https://www.authgear.com/post/top-open-source-auth0-alternatives (Note: authored by Authgear — read with appropriate bias in mind)
  2. Authgear, “Data Privacy Policy”. https://www.authgear.com/data-privacy
  3. Authgear Docs, “Glossary”. https://docs.authgear.com/reference/glossary
  4. OpenAlternative.co, “Open Source Projects tagged ‘Keycloak’”. https://openalternative.co/tags/keycloak
  5. OpenAlternative.co, “Open Source Projects tagged ‘Authentication’”. https://openalternative.co/tags/authentication
