August 8th, 2024

Launch HN: Stack Auth (YC S24) – An Open-Source Auth0/Clerk Alternative

Stack Auth is an open-source user authentication solution for developers, offering quick setup, self-hosting, and features such as OAuth support, user dashboards, and role-based access control, and it encourages community contributions.


Stack Auth is an open-source user authentication solution designed as an alternative to Clerk/Auth0, aimed at developers. It is licensed under MIT and AGPL, allowing for a managed authentication experience that can be self-hosted. Developers can quickly set up Stack Auth in about five minutes, with support for Next.js frontends and any backend that can utilize its REST API. Key features include authentication components for sign-in and sign-up, a user dashboard for managing user data, account settings for profile updates, multi-tenancy for B2B management, role-based access control, OAuth connections, user impersonation for support, webhooks for user interactions, customizable email notifications, and efficient user session management with JWT handling. Installation involves using Docker and following specific setup commands. Stack Auth also promotes community engagement by encouraging contributions and showcasing projects built with the platform. Developers can find contribution guidelines in the repository and join the Stack Auth Discord community for further collaboration.

- Stack Auth is an open-source alternative to Clerk/Auth0 for user authentication.

- It supports quick setup and self-hosting of user data.

- Key features include OAuth support, user dashboards, and role-based access control.

- Installation requires Docker and specific setup commands.

- Community contributions and projects are encouraged through the platform.

AI: What people are saying
The comments on the Stack Auth launch reflect a mix of excitement and skepticism about the new authentication solution.
  • Many users express interest in the open-source nature of Stack Auth, contrasting it with proprietary solutions like Auth0 and Clerk.
  • Several commenters raise concerns about security practices and the complexity of integrating a new authentication system.
  • There are requests for comparisons with other open-source authentication solutions, indicating a competitive landscape.
  • Users are curious about specific features, such as support for older frameworks, 2FA, and custom domains.
  • Some commenters share their past frustrations with existing solutions, highlighting the need for a reliable alternative.
54 comments
By @saled - 5 months
Hmm. Am I the only one who immediately jumps to the thought that any VC backed "open source" tool is just using open source as a cost of customer acquisition, and will soon find a way to pay-wall necessary features? The majority of the effort will be in the paid SaaS product, not the open source stuff.

Maybe I'm getting old and jaded, but that's not really the spirit of open source.

By @rudasn - 5 months
This looks very refreshing! Congrats on officially launching, I think StackAuth was mentioned here before.

What are your plans for supporting "old school" frameworks, like django, rails, bootstrap, et al?

I know that it makes sense to target greenfield projects first, and I presume most new projects are started with some new cool tech (if looking at npm downloads or some other vanity metric or online questionnaire), but I think there's a long tail of users of other tech that would potentially provide high quality feedback based on real world experience at various settings.

I'm only saying this as it looks like you want to own the whole auth stack, all the layers and all the workflows, from dba to sales so to speak.

By @psankar - 5 months
Congrats on the launch. I have a golang backend, postgres db and a react app. I have added auth using email, password salting and saving in pg. It was about 1 day of work to implement all of this.

I do not have OAuth or SAML however. Is that the differentiating factor, if I have to use your solution? Is a basic auth setup such a complex thing to handroll ourselves? I do not intend to be snide but am genuinely curious about it. Incorporating your project, its lifecycle management, etc. seems more work than implementing 3-4 APIs (/signup /signin /verify-email /forgot-password /reset-password) and a periodic job (trigger emails and stuff). Is it so complex that we should bring in a new dependency with its own deployment, backup, monitoring etc. lifecycle management?

By @Too - 5 months
Sorry, I'm very well versed in the authentication space, but after spending 10 minutes browsing the documentation I truly can't understand the architecture. There are no drawings, it just jumps straight to npx install or comparing itself to other solutions, assuming I know all of them.

Is this a frontend UI? Is it an authentication proxy? Is there any data stored? ..where? What are the different deployable components? What runs in my own backend, in the frontend or in the cloud? If it is managed and requires an API key, what part is open source?

By @jay-barronville - 5 months
This is really awesome. On almost every project I’ve worked on, I’ve never been able to trust and truly rely on proprietary services and companies to handle my authentication and authorization. I’ve been forced (i.e., it was already decided) to use Auth0 before and I hated every minute of it.

Congratulations on launching Stack Auth and providing a better alternative!!!

By @yashap - 5 months
How would you compare yourselves to SuperTokens (https://supertokens.com/)? I ask because they’re another open source, YC backed auth system, and one that I’ve quite enjoyed using on a side project. There seem to be a lot of similarities between you two, would be interested to hear your take on the differences!
By @treve - 5 months
Absolutely wild how many of these there are now! I feel like I'm reading an announcement like this every few weeks.
By @danpalmer - 5 months
Congrats on the launch. What's your approach to security? I notice there's no mention of any penetration testing, no security policy, no responsible disclosure policy, no place to report security vulnerabilities.

You're absolutely right (in other comments) that getting the UX and so on right for authn/authz is really hard, and there are a ton of edge cases, but I know from experience that there are a ton of security edge cases too. Things like rotating session tokens at the right time, how that interacts with password resets, HTTP referrers, etc, is all quite tricky to get right. I've built with battle-hardened, decades-old frameworks and still gotten a few details wrong.

To delegate all of this responsibility to a third party product, even if it's open-source, rather than building it yourself, is to give up control. Sure you can edit the code, but can you find the bug in an unfamiliar codebase, effectively test in a testing environment you're unfamiliar with, and create a valid build? That's a lot harder.

If I were to delegate that responsibility to a product like this, I'd want to know that they've taken security at least as seriously as I do, ideally much more seriously because it's the core of their product. Right now I'm not convinced.

By @esafak - 5 months
I'd suggest preparing a comparison table on the home page, at least against open source competitors, to help prospects decide. You emphasize completeness (authz + authn), and simplicity here:

   The dominant player in this space is Auth0, who appeals to enterprises but lags behind in developer-friendliness and has strong vendor lock-in. A newer one is Clerk, which markets directly to devs, but is still entirely proprietary. Open-source solutions like Supabase Auth or Auth.js/NextAuth are only authN, and don't provide the rest of the toolchain.
Your pricing seems multi-tenant friendly. What other differentiating factors can you think of?
By @telesilla - 5 months
How does this compare to Ory Kratos, also an open source option - https://www.ory.sh/comparisons/ory-versus-auth0/
By @duggan - 5 months
Hi Zai and Konsti!

I expect we're in your target demographic, small team using Next.js and Supabase with a lot of ambition and not enough time in the day :)

Stack Auth is one of those things I didn't quite realize I might want – we're using Supabase Auth at the moment during our EAP, with Nango as an OAuth proxy, and I've been hesitant to build out organizations without a good reference implementation – we've rolled it ourselves before and never been really satisfied with the results. At the moment we're rolling a deployment-per-org, which is ok for small teams, if a little cumbersome to manage, but we'll need a solution for larger companies. I've had supabase_rbac[1] in the back of my mind for this.

Stack Auth seems like it could solve a few of these, but do you see yourselves proxying APIs for OAuth, or will you leave that to other service providers?

1: https://database.dev/pointsource/supabase_rbac

By @Lord_Zero - 5 months
Have you seen this? https://github.com/logto-io/logto

How does it compare?

By @no1youknowz - 5 months
This is great. Competition is definitely needed in the Authentication/Authorization space.

Quick question. How would this compare to supabase/gotrue [0] and permify [1]?

[0]: https://github.com/supabase/auth

[1]: https://github.com/Permify/permify

By @alyd - 5 months
What is your 2FA story like? This is one of the things Auth0 locks behind expensive plans but is a day zero day need for me.
By @abraae - 5 months
Would be interested to hear a comparison with keycloak.
By @8organicbits - 5 months
Can you explain the example in the docs?

    Here’s an example. To retrieve the current user, simply call:
    
    export function MyComponent() {
      const user = useUser({ or: "redirect" });
      return <div>{user ? `Hi, ${user.displayName}` : 'You are not logged in'}</div>;
    }
    
    That’s it! Stack will either return a User object or redirect the user to the login page.
It seems like the "not logged in" message is dead code as the earlier logic would instead redirect to the login page. Am I misunderstanding something?
By @msoad - 5 months
Can I have my own user database table without setting up web hooks?
By @Bencheng - 5 months
Congrats on the launch! We also launched an open source (Apache 2 licensed) auth0 alternative with paid hosting / enterprise support as revenue a few years ago. Glad to see more efforts to help make software more secure for consumers!

https://github.com/authgear/authgear-server

By @randomcatuser - 5 months
I tried to use it & kept getting stuck! So turned to Clerk, which was easier to integrate.

Small things like:

- the install script uses npm, I ran into a few dependency conflicts :(
- the redirect url for google auth didn't work for me. (using github codespaces)
- then gave up after that

Happy to work with you all to fix these small things! Overall it looks good and I would use it later if I'm not in a rush!

By @kamikazeturtles - 5 months
Auth is the biggest headache of starting a new project. From your Github README, this looks pretty awesome!

My site is a golang static site with a few pages as a reactjs spa. Are you guys planning on adding support for the general stack using something like the new web components API?

I'd change the name. The last time I saw a legit site with a hyphen in its name was probably early 2010s. It doesn't engender trust.

By @dsmurrell - 5 months
I started to integrate with WorkOS recently. I have an auth server that uses WorkOS for the authentication and then my auth server handles refreshing the access token etc with the client. It can also handle multiple clients.

Could your service be a replacement for WorkOS? Currently I'm only using their Google OAuth and their Google SAML. I see that your SAML is paid only.

By @paulirwin - 5 months
Congrats on the launch! This looks great.

I see you plan on making money by charging for the hosted service. Given that, and given recent history in the industry with companies starting out with this model only to rug-pull it from users later and move to a more restrictive license, can you publicly commit to keeping the code MIT/AGPLv3-licensed into the future?

By @candiddevmike - 5 months
I don't think your differentiators are enough for folks to pull the trigger on something like this. There are a ton of folks in the space--supabase, supertokens, ory to name a few, not including the cloud providers who offer this service as well--how do you differentiate yourself from them?
By @Sytten - 5 months
That looks good, especially pricing-wise: all the existing tools are simply unaffordable for B2C platforms where the majority of your users are not paying but you have to foot a massive Auth bill for them...

We use Ory right now, but it is very hard to set up and integrate into.

By @conradludgate - 5 months
I see you're using bcrypt for now with a salt cost of 10. How do you plan to:

1. Make sure you keep increasing the cost over time
   1a. Maybe even newer algorithms
2. Update old password hashes, even if the user does not log in
By @Alupis - 5 months
Regarding managed hosting - I don't see a mention of using your own custom domain anywhere. Did I miss it? Which tiers can use custom domains, if they are supported?

Also, do you support m2m tokens, ie. client credentials flow? What are the limits, if any?

By @nobleach - 5 months
I notice you're mentioning: "We support Next.js frontends" and "Idiomatic Next.js APIs". What is it about your product that is NextJS specific? Can someone who has no interest in using NextJS still use your product?
By @anushkanijhawan - 5 months
Congratulations on the launch! The UX already feels like such a breath of fresh air compared to the other solutions we've tried out. Can already see this adding so much value for us, and super excited to try it out!
By @mmcclure - 5 months
Looks nice, congratulations on the launch!

I suspect the answer is "no" here, but can Stack be used as an OAuth provider itself? I think all I see in the documentation is using other OAuth providers for authentication.

By @theogravity - 5 months
As someone who came from Auth0 and god-awful Amazon Cognito, we've been using FusionAuth for years. Their APIs and SDKs have been amazing to work with.

They even have a lambda feature to add additional logic around certain workflows or adding claims to your JWTs.

https://fusionauth.io

It does what Auth0 does but significantly cheaper and you can also self-host if you want.

I built the Pulumi plugin for it which helps us easily configure it. If you don't use Terraform or Pulumi, they have this really cool kickstart feature where you can define a config file that will call their APIs on first time startup to set up the server. Really useful for local dev.

By @edent - 5 months
As someone battling with Auth0's various broken integrations this sounds great.

Any idea how easy it is to use with PHP / Symfony?

Also, cheeky wishlist request, any support for Mastodon logins?

By @aabbcc1241 - 5 months
Can I enable the social login with this tool directly, without manually creating and setting up the "app"/"project" on those social platforms?
By @vivzkestrel - 5 months
how does this compare to keycloak and supertokens?
By @colinramsay - 5 months
I think Clerk looks great but it starts to get quite expensive if MFA is a requirement. Do you have 2FA/MFA in your roadmap?
By @CalRobert - 5 months
I'm integrating Zitadel right now (also open-source but with a paid hosted version) - how would you compare?
By @jc_811 - 5 months
Any comparisons to Propel Auth? (Another YC funded auth service that seems to have lot of overlap here)
By @jpc0 - 5 months
I was sceptical but your responses so far may have won me over.

Are you planning on implementing passkeys at all?

By @mooreds - 5 months
Heya, congrats on launch! Welcome to the authN/authZ/user management party!

I work for a competitor (FusionAuth) but think that there's plenty of room to solve this for developers. I love the fact that you have a self-hostable option as we've found that for a set of developers, that flexibility really matters.

I think that Clerk has shown there's an appetite for components that handle common user management tasks. I think they had a blog post about how components are the new APIs, but can't find it. I'm a bit surprised it has taken so long for an OSS competitor with your messaging to emerge.

Where I stand depends on where I sit (ofc), but I think that component-based solutions trade security for UX and DX. That tradeoff may make sense for some applications, but it's good to walk into it with eyes wide open.

There's a reason that a redirect to an isolated, hardened Authorization Server (to use OAuth nomenclature) is the standard and that modern RFCs like OAuth 2.1 discourage developers from using the password grant (which is essentially what every component library is doing).

I believe a redirect is the correct option because if you isolate all user interaction to that server via a browser redirect, you can:

* lower the amount of code that handles sensitive PII and user credentials

* lock down access to this system

* delegate changes to specialized internal teams or vendors

* easily increase the security of the authentication process for existing applications without any code changes by ratcheting the security up at the Authorization Server (requiring additional factors or passkeys, for example)

The cost comes from the redirect. A redirect is fine for many traditional applications, but is not great for SPAs and, to a lesser extent, mobile apps. I believe this has a UX impact, though I haven't been able to find any numbers or studies and we've got plenty of customers who are doing fine with this approach.

There's also a DX impact because styling the Authorization Server pages may not use the same technology stack or deployment process as the rest of the application.

Anyway, congrats again on your launch!

By @nilsbunger - 5 months
What does dual licensing AGPL/MIT do? Isn’t the MIT license more permissive in all cases?
By @david1542 - 5 months
Looks nice! How is it different from other well-known projects, like Ory and Logto?
By @smashah - 5 months
If ever there was a case for OSS M&A it would be this project merging with auth.js
By @hoofhearted - 5 months
This is pretty awesome and well encompassing for basic authentication!

Congratulations on the launch Zai and Konsti!

I’m working on a hobby project that I had to build in basic email password auth using Auth.js due to a client's specific requirement.

I’ve experienced all the headaches you mentioned above, so I’ll be certainly taking a deeper look into this.

Again, great work!

Cheers!

By @floydnoel - 5 months
wow, I've been waiting for a project like this! Clerk seems fine, Auth0 is fine, but I'd rather build on open-source. Can't wait to start integrating this into my next project
By @egorfine - 5 months
> frustration with the incumbents

That's to say the least.

By @zinclozenge - 5 months
Do you guys only offer SAML in your hosted SaaS?
By @xyst - 5 months
Reminds me of ory project
By @sneha_squasher - 5 months
huge congrats on the launch! Auth can be a huge pain...
By @hardwaresofton - 5 months
A bit of a meta point, but Clerk must be doing really well if they're already positioned as the thing to make alternatives to.
By @tgma - 5 months
> Rolling your own crypto is already hard enough

Wait, what? Do you roll your crypto to handle standard auth flows? Is this some machine generated text?

By @localfirst - 5 months
how does this compare to Supabase Auth?

I want to be able to just put self-hosted Clerk in front of my postgres DB

but I'm forced to use Supabase because of its Auth integration and I don't know what open source self-hosted Authentication/Authorization out of the box exists

Lucia-Auth v2 left me in a confused state. It's frustrating that everything requires $$$/month

By @k33st - 5 months
Could be simplified: "Sign in using NSA services"
By @codingwagie - 5 months
Auth doesn't need a new service/company. It needs an ai chatbot that walks engineers through adding auth to their project. It's the developer experience that is the problem