Stack Auth
Stack Auth provides secure authentication, authorization, and user management for developers in just 5 minutes on your own infrastructure.
Open-source authentication, honestly reviewed. No marketing fluff — just what you get when you decide to stop paying Clerk $100/month.
TL;DR
- What it is: Open-source (MIT + AGPL) authentication and user management platform — think Clerk or Auth0, but self-hostable and vendor-lock-free [7].
- Who it’s for: Next.js developers and early-stage founders who want production-quality auth in minutes without a $25–$100/month SaaS bill. Particularly strong for B2B apps that need multi-tenancy and team management from day one [3][7].
- Cost savings: Clerk’s paid plans start at $25/month and scale past $100/month as your user base grows. Stack Auth self-hosted runs on a standard VPS with your existing infrastructure costs. Cloud plans range from $39–$299/month — still cheaper than Auth0 at scale [3].
- Key strength: Genuinely fast time-to-working-auth. Multiple founders report going from zero to functional login in under an hour [1]. The built-in user dashboard replaces the first internal admin tool most teams end up building anyway [README].
- Key weakness: The framework story is almost entirely Next.js and React. If you’re on Django, Rails, Laravel, or any non-JS backend, you’re limited to the REST API — the tight component integration doesn’t exist for you. Also: the “NOASSERTION” license flag in package metadata is worth reading carefully (the README clarifies MIT + AGPL, but the split matters for self-hosting vs. modification).
What is Stack Auth
Stack Auth is an authentication and user management platform you can drop into a Next.js project with a single CLI command. The pitch from the GitHub README is “open-source Auth0/Clerk alternative,” which is the most precise description they could have chosen — it’s not trying to be an identity provider for enterprise SSO federations, it’s trying to be the thing you reach for when you’re starting a SaaS and don’t want to hand $100/month to Clerk for the rest of your product’s life [7].
What makes it different from the field is a combination of things that are individually available elsewhere but rarely assembled together. React components with dark/light mode out of the box — you get <SignIn /> and <SignUp /> that look good immediately without CSS wrestling [README]. Multi-tenancy built in from the start — organizations, teams, invitations, and team switching are first-class features, not bolt-ons [README]. User impersonation — support and debugging flows that usually take a week to build internally ship on day one [README]. OAuth token management for third-party APIs — Stack Auth doesn’t just handle login with Google, it manages the ongoing access tokens for Gmail and Google Calendar so you can call those APIs without reimplementing OAuth refresh logic yourself [README].
The project is YC-backed, sits at 6,746 GitHub stars with 513 forks [7][3], and describes itself as “Supabase Auth or next-auth, but better” [3]. That’s a self-comparison worth interrogating, but the feature set backs it up: next-auth is a library you assemble, Stack Auth is a platform that includes a hosted dashboard, email templates, and team management that next-auth doesn’t ship.
Why people choose it
The testimonials on the Stack Auth homepage skew unusually developer-specific, which is a signal in itself. The Product Hunt listing has a 5.0 rating [1]. One founder (QAComet) writes: “We were able to replace our Clerk implementation with Stack in a matter of hours. It’s empowering to have the flexibility of an open-source alternative with a simple to use interface and a responsive team.” [homepage]. Another (Tailwind Health): “It’s so easy to get Stack Auth up and running, and the founders are amazing too.” Guillermo Rauch of Vercel gave a quote — “React Components as the universal integration API” — which is the closest thing to celebrity endorsement the auth world has [homepage].
The consistent thread across every review is time-to-working: people choose Stack Auth because they had auth running before they expected to. That’s the Clerk pitch too, which makes sense — the target audience is developers who have already been burned by how long it takes to wire up next-auth manually, and who have priced Clerk and flinched.
The second reason is multi-tenancy without extra work. Auth0 and Clerk both support organizations, but as add-ons or higher-tier features. Stack Auth ships team management, invitations, and org-scoped roles at every tier [README][7]. For a B2B SaaS founder, this is the feature that closes the decision — you don’t want to duct-tape multi-tenancy onto an auth system six months after launch.
The third reason is self-hosting as a real option, not a fallback. OpenAlternative describes it as an open-source alternative to Clerk, Auth0, AWS Cognito, and WorkOS [7]. The key word is “self-hostable” as a primary path, not a punishment for not paying. You can run it on your own infrastructure, own your user data completely, and never worry about a pricing change from a vendor.
Features
From the README and first-hand product descriptions:
Authentication methods:
- Email/password with verification and password reset [README]
- OAuth (Google, Facebook, GitHub, and others) with proxied providers — no need to create OAuth apps on every platform yourself [3]
- Magic links [README]
- Passkeys (FIDO/WebAuthn — biometric login across devices) [README]
- SSO [7]
- Two-factor authentication [7]
Frontend components:
- <SignIn /> and <SignUp /> with dark/light mode, OAuth buttons, and password flow in one component [README]
- Account settings component — profile update, email verification, password change, all included [README]
- Team switcher component for multi-tenant apps [README]
- Headless or headful: use the shadcn/ui-based components or strip them and use the SDK directly [homepage]
User management:
- User dashboard with filtering, analytics, and edit controls [README]
- User impersonation for support and debugging [README]
- User-associated metadata with client-side vs. server-side access controls [3]
Multi-tenancy:
- Organizations with email invitations [README]
- Team roles and org-specific RBAC — define arbitrary permission trees, assign per-org roles [README]
Authorization:
- Role-based access control with arbitrary permission graphs [README]
- Organizations can define their own roles independently [README]
Developer infrastructure:
- JWT and session management handled automatically — no refresh token logic to write [README][homepage]
- REST API for custom integrations [7][README]
- Webhooks via Svix [README]
- Automatic emails on sign-up, password reset, email verification — editable with a WYSIWYG editor [README]
- OAuth token management for third-party APIs (Gmail, Google Calendar, OneDrive) — handles refresh automatically [README]
Deployment:
- Docker (self-hosted) [7]
- npm/CLI for managed setup [README]
- Cloud-hosted option at stack-auth.com
Pricing: SaaS vs self-hosted math
Stack Auth Cloud:
- Free: available with limited functionality [3]
- Paid: $39–$299/month subscription tiers [3]
The AlternativeTo listing confirms the pricing range, but the available sources do not document which features sit behind each tier.
Self-hosted:
- Software license: $0 (MIT + AGPL — see the license note below) [README]
- Infrastructure: your existing VPS or cloud compute
License clarification worth making: the merged profile shows “NOASSERTION” for the license field, which typically means the license couldn’t be auto-detected from the package. The README explicitly states “licensed under MIT and AGPL.” The split matters: MIT applies to the client-side SDK portions, AGPL to the server. AGPL has a copyleft clause — if you modify the server and expose it over a network, you must publish your changes. For most founders self-hosting without modification, this is irrelevant. For anyone building a product on top of Stack Auth’s server code, read the AGPL terms before deploying [README][3].
Competitor comparison (approximate, from general availability):
- Clerk: free to 10k MAU, ~$25/month Hobby, ~$100/month Pro
- Auth0: free to 7,500 MAU, then $23+/month; enterprise plans run into hundreds per month at scale
- AWS Cognito: $0.0055/MAU after 50k free — cheap at small scale, surprising at large scale with advanced features enabled
- WorkOS: primarily enterprise, pricing not publicly listed
Self-hosted Stack Auth against Clerk at 50k MAU and moderate feature use: the difference is $100+/month in perpetuity vs. your VPS costs, which you’re likely already paying for your application. Over two years, that’s $2,400+ returned to the runway.
Deployment reality check
Stack Auth deploys via Docker and offers a CLI setup wizard (npx @stackframe/stack-cli@latest init) for the managed cloud path [README][7]. The self-hosted path requires Docker and a Postgres database.
What you actually need for self-hosting:
- A server with Docker (your existing app server works if it has spare capacity)
- PostgreSQL (can share with your application database or run separately)
- A domain with HTTPS — Stack Auth handles auth flows, so HTTPS is non-negotiable
- An SMTP provider for email verification and password reset flows
- Environment variables for OAuth provider credentials if you want social login
What the reference sources confirm: OpenAlternative [7] shows the last commit was 5 hours ago and the repository is actively maintained. AlternativeTo [3] shows 35 open issues, 513 forks — healthy engagement, not a dormant project.
What’s not covered in the available sources:
- Upgrade path complexity (schema migrations between versions)
- Memory/CPU requirements under load
- Any deployment pain reports
The Product Hunt reviews [1] are uniformly positive with no setup complaints, which can mean either setup is genuinely smooth or that Product Hunt’s audience is pre-filtered for technical comfort. The “5 minutes to working auth” claim in the README is plausible for the managed cloud path — self-hosted will take longer depending on your infrastructure familiarity.
The Next.js caveat: The tight component integration (<SignIn />, hooks, server components) requires Next.js. If you’re on another framework, you use the REST API only — you don’t get the component layer. This is an architectural constraint, not a bug, but it matters if your stack isn’t Next.js [README][3].
Pros and cons
Pros
- Genuinely fast setup for Next.js apps. The CLI wizard and pre-built components mean working auth in under an hour for most founders [1][homepage]. This is the actual differentiator versus assembling next-auth yourself.
- Multi-tenancy included at every tier. Organizations, teams, invitations, org-scoped RBAC — shipped by default, not a $99/month add-on [README]. Critical for B2B apps.
- Impersonation out of the box. The internal admin tool most teams spend a sprint building [README].
- OAuth token management beyond login. Few auth platforms handle ongoing API token refresh for Gmail, Google Calendar, etc. Stack Auth does [README].
- Passkeys support. FIDO-compliant passwordless login is increasingly what users expect; shipping it yourself is weeks of work [README].
- Headless option. The shadcn/ui components are optional — you can use the SDK headlessly and build your own UI [homepage].
- Active development. Last commit within hours of this writing, open issues being addressed [7].
- Guillermo Rauch endorsement. Not nothing for developer credibility [homepage].
Cons
- Next.js or REST API only. If you’re not on Next.js, you lose the component layer and write all UI integration yourself [README]. Not an option for Python, Ruby, or Go backends without a separate Next.js frontend.
- AGPL on the server. For founders who want to modify the server and keep changes private, AGPL is a meaningful restriction. Read the license [README].
- Cloud pricing is not cheap. $39–$299/month for the managed cloud [3] is comparable to Auth0 or Clerk. The cost advantage only materializes if you self-host.
- Limited third-party review data. Product Hunt has a 5.0 rating from 4 reviews [1] — too small to be statistically meaningful. No substantial independent reviews are available beyond directory listings. The self-reported testimonials on the homepage are positive but unverifiable.
- 6,746 stars vs. competitors. Better Auth has 27,906 stars, Keycloak has 33,975, Authentik has 21,076 [7]. Stack Auth is the newest entrant in a crowded field.
- No documented migration path. If you self-host and want to switch providers later, user data export procedures aren’t addressed in available sources.
- “NOASSERTION” license flag. Automated tooling will flag this in compliance checks, requiring manual resolution [merged profile].
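One way to handle the NOASSERTION flag described in the license clarification and in the last con above is a license gate that rejects undetected licenses unless a reviewed override with recorded evidence exists. This is an added example, not code from Stack Auth or the original page; the package names, the policy sets, and the AGPL-3.0-only identifier in the override are constructed assumptions.

```javascript
// Constructed sample: SPDX-style package records as an SBOM tool might emit
// them. Package names and versions are hypothetical placeholders.
const samplePackages = [
  { name: "example-auth-server", version: "0.0.0", licenseDeclared: "NOASSERTION" },
  { name: "example-auth-sdk", version: "0.0.0", licenseDeclared: "MIT" },
  { name: "example-ui-kit", version: "0.0.0", licenseDeclared: "NOASSERTION" },
  { name: "example-worker", version: "0.0.0", licenseDeclared: "AGPL-3.0-only" },
];

// Example policy: permissive licenses pass, copyleft goes to legal review.
const policy = {
  allow: new Set(["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"]),
  review: new Set(["AGPL-3.0-only", "AGPL-3.0-or-later"]),
};

// Manual resolutions, keyed by name@version so a decision never carries over
// to a later release. The AGPL version chosen here is an assumption; the
// README as quoted on this page only says "MIT and AGPL".
const overrides = new Map([
  ["example-auth-server@0.0.0", {
    license: "AGPL-3.0-only",
    evidence: "README: licensed under MIT and AGPL; server portion is AGPL",
  }],
]);

function classify(pkg) {
  const key = `${pkg.name}@${pkg.version}`;
  let license = pkg.licenseDeclared;
  let source = "metadata";
  // SPDX uses NOASSERTION and NONE where no license identifier is given.
  if (!license || license === "NOASSERTION" || license === "NONE") {
    const o = overrides.get(key);
    // An override without recorded evidence is not an auditable decision.
    if (!o || !o.evidence) return { key, status: "unresolved", license: null, source };
    license = o.license;
    source = "override";
  }
  if (policy.allow.has(license)) return { key, status: "allowed", license, source };
  if (policy.review.has(license)) return { key, status: "needs-review", license, source };
  return { key, status: "denied", license, source };
}

// The gate fails on anything unresolved or denied; needs-review is reported
// but left for a human to approve.
function gate(packages) {
  const results = packages.map(classify);
  const blocking = results
    .filter((r) => r.status === "unresolved" || r.status === "denied")
    .map((r) => r.key);
  return { passed: blocking.length === 0, blocking, results };
}

console.log(JSON.stringify(gate(samplePackages), null, 2));
```

With the constructed input the gate fails on the one package that has no override, while the overridden server package is routed to review rather than silently allowed.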
Who should use this / who shouldn’t
Use Stack Auth if:
- You’re building a Next.js app and want auth done before lunch.
- You’re building B2B SaaS that needs multi-tenancy — teams, invitations, org roles — without building it yourself.
- You’re paying Clerk or Auth0 and the bill has started to sting, and you’re comfortable running Docker.
- You want user impersonation for support without a week of engineering time.
- You need to call Google or Outlook APIs on behalf of users and don’t want to manage OAuth token refresh yourself.
Skip it if:
- Your backend is Python, Ruby, Go, or anything non-JS. You’ll be stuck with the REST API while React developers get components — unequal leverage.
- You need AGPL-clean server code that you can modify privately.
- You need detailed audit logs or compliance certifications (SOC 2, HIPAA) — not documented in available sources as current offerings.
- You want the largest community and ecosystem. Keycloak (33k stars), Better Auth (27k stars), and Authentik (21k stars) all have larger communities [7].
- You’re building for enterprise clients who will demand SSO federation, fine-grained attribute-based access control, and dedicated support SLAs — look at Zitadel or Keycloak instead.
Alternatives worth considering
From the OpenAlternative listing [7] and the category:
- Better Auth — 27,906 stars, framework-agnostic, TypeScript-first. If Stack Auth is too Next.js-specific, Better Auth is the more portable option with broader framework support [7].
- Keycloak — 33,975 stars, Java-based, the enterprise-grade identity provider. Heavyweight to run but battle-tested at scale. Right for large teams with dedicated ops [7].
- Authentik — 21,076 stars, Python-based. Strong on SSO federation and identity provider features. Better choice if you need SAML, LDAP, or complex identity workflows [7].
- SuperTokens — 15,016 stars, another Clerk/Auth0 alternative with self-hosting emphasis. Similar positioning to Stack Auth, worth comparing if you’re framework-agnostic [7].
- Zitadel — 13,574 stars, identity infrastructure with strong API-first design. Good for teams that want programmatic control over identity [7].
- Supabase Auth — if you’re already on Supabase, the built-in auth is mature and free. Stack Auth’s own README positions itself against Supabase Auth but “better” is debatable if Supabase is your database already [3].
- Hanko — 8,902 stars, passwordless-first, passkey-native. If passkeys are your primary auth strategy, Hanko is more purpose-built [7].
- Clerk — the incumbent in the “beautiful auth components” category. Better framework support, larger ecosystem, but proprietary and priced accordingly.
For a Next.js founder choosing between Stack Auth and Clerk, the decision is: do you want to self-host (Stack Auth) or pay for someone else to operate it (Clerk)? The developer experience is genuinely comparable. For non-Next.js stacks, look at Better Auth or SuperTokens first.
Bottom line
Stack Auth is the honest answer to “how do I get production-quality auth into my Next.js app without a recurring SaaS bill.” It’s not the most powerful authentication system in the open-source field — Keycloak and Authentik have decades of enterprise use behind them. It’s not the most framework-agnostic — Better Auth covers more stacks. What it is: the cleanest on-ramp from zero to working login for a Next.js application, with multi-tenancy and RBAC included from day one instead of bolted on later.
The ceiling is the Next.js coupling. If your stack diverges from that, the component advantage disappears and you’re comparing REST APIs with competitors who have more stars and larger communities. But for the founder who’s staring at a Clerk invoice and asking whether there’s a self-hosted alternative that won’t require a week of setup — there is, and this is it.
If the Docker deployment is the blocker, that’s the kind of one-time infrastructure setup that upready.dev handles for clients.
Sources
- [1] Product Hunt — Stack Auth: Open-source Auth0/Clerk Alternative (5.0, 4 reviews). https://www.producthunt.com/products/stack-auth
- [3] AlternativeTo — Stack Auth (6,760 stars, 513 forks, pricing $39–$299/month). https://alternativeto.net/software/stack-auth/about/
- [7] OpenAlternative — Stack Auth: Open Source Alternative to Clerk, Auth0 and AWS Cognito (comparison with Hanko, Better Auth, Keycloak, Authentik, SuperTokens, Zitadel). https://openalternative.co/stack-auth
Primary sources:
- GitHub repository and README: https://github.com/stack-auth/stack (6,746 stars, MIT + AGPL license, YC-backed)
- Official website: https://stack-auth.com
- Documentation: https://docs.stack-auth.com