Show HN: Stack, an open-source Clerk/Firebase Auth alternative (stack-auth.com)
Hey HN! Happy to finally launch Stack. We made it because we like to put apps into production quickly, and authentication & user management was taking up way too much time.
We have components like <SignIn /> and <AccountSettings /> that automatically adapt to whatever theme & design system you're using. Check the blog post to see the example with Radix UI and Joy UI.
Also, there's an admin dashboard for monitoring and editing accounts. Stack is 100% AGPL/MIT-licensed, so you can self-host it.
Cheers!
73 comments
[ 2.6 ms ] story [ 48.7 ms ] threadMy understanding is that anyone can run the AGPL server. Anyone can modify it. Customers using the modified version can get that code.
I'm not sure where "paying the vendor" fits into this equation...
The AGPL requires that source code be supplied to users of the system. In other words "code flows down-stream". There us no requirement to flow the code "upstream".
Now sure, you might become a user of their service. Or you might get a user to pass the code onto you. And that may have the effect of you getting the changes they made.
But they are not "giving back", and they have no duty to do so.
I know it's a subtle difference, but I think it's helpful to be specific when it comes to legality- it avoids misunderstandings.
Many big companies have blanket policies either banning AGPL completely, or require strict legal review.
Re the payment question: it is a common SaaS licensing model to dual license under AGPL and a commercial license. AGPL serves as a deterrent for business customers to use it without purchasing the commercial license.
Yes, the use of AGPL as part of the stack certainly raises concerns. I don't think it would apply in this case, but equally I am not a lawyer, and i don't want to pay lawyers to fight over it, so personally I don't use AGPL in my stack, validating your point.
Why so many products will call themselves enterprise with no .NET, Java, etc. integrations available is part of why the existing products in those ecosystems are so expensive.
I look forward to playing around with Stack on my own and comparing it to Clerk but I couldn't seriously suggest this at work as there's no backend integrations.
Also, the clerk service has layered integrations, powered by an http layer. We have customers using each part of the layer for varied integration types. That being said, the SDKs for the spa frameworks are the easiest to use.
Do you still need to be in a paid tier in order to ban users? It's been a while since I tried your product out and I seem to remember that being the case in the early days.
If you were comparing something like build vs. buy where you had to build every feature clerk has from scratch, just paying for clerk would be soo much cheaper. But not every app needs every feature, and there's also a lot of open source options out there that make the build out a lot easier, so that comparison isn't completely fair.
But the main idea is that we wanted most apps to cost ~$25/mo - $100/mo, and, if you're building a B2B SaaS, you're going to have far fewer MAUs, and so we wanted the base cost to be higher at ~200/mo.
If you, or anyone reading this, ever feel like they're paying "too much" for Clerk - reach out to us and we'll work out a custom deal or even help you off-board to something else.
Banning users is still currently on the $25/mo tier which feels wrong, it should be in the free tier. We're due for a pricing revamp again quite frankly to make these pricing options more attractive. The tricky thing with the MAU costs is that a lot of folks seems to think they have a monster on their hands and forecast for like 1M MAUs or something, which is so far from reality.
It's tough to balance all of these competing priorities -- and if we don't have enough revenue, we can't keep building and investing in the platform for which we have pretty big ambitions. I will say that over a long period of time we want auth to be free and we want build applications to be 100x easier than they are today. I'm kind of getting ramble-y, but we also recognize that clerk's not for everyone and your use case might not make sense!
[1]: https://en.m.wikipedia.org/wiki/APL_(programming_language) [2]: https://www.keyboardco.com/product-images/ibm_model_m_beige_...
It's unsearchable.
https://news.ycombinator.com/newsguidelines.html
On a more useful note... I kind of wonder what the target audience for this is. Big companies? Dont want to roll their own auth. Startups? Dont want to roll their own auth...
Between big companies and startups, we're definitely targetting startups. Big companies have a wide variety of auth systems to choose from (Auth0, Keycloak, etc.)
Supertokens is pretty complicated and hard to set up in my opinion, but please tell me if you had a different experience
https://github.com/stackframe-projects/stack/blob/main/docs/...
will it adapt to PrimeReact
auth system that worked well with static file buckets would cut like 40% of backend DB / server needs
Also, if you have Keycloak running behind Apache as a reverse proxy, I've had requests between those two randomly drop. I needed to change some obscure setting in the Apache config in regards to connection pooling/keep-alive or something along those lines, mentioned it in a past comment of mine. That was annoying, in addition to having to configure Keycloak in the first place.
But when it works, it works pretty well!
I don’t know if it was even that “bad” per se “10 years ago.” 10 years ago, React was only open source for 1 year. Meteor was Supabase. People were still writing CoffeeScript.
You are lamenting the complexity of changing authorization requirements without changing application code. I don’t know if OIDC was really set in stone back then. There was no Rego or Cedar, there were IAM policies, and that was also relatively new, and attributes-driven SAML. It’s just a lot of development has happened.
> That's why we built Stack.
I’m not convinced this is a strong USP. One could make a decent argument “Stack” doesn’t have “all” the features (yet) - I’ve seen the roadmap.
Firebase, Superbase etc. arguably have more features.
In a nutshell, I think it might be better to have that paragraph really drive home the USP of the product e.g., open source accountability, fairer pricing model etc.
Those are strong tells, instead of the “all the features” narrative. That’s a hard battle to win :)
Regardless, awesome work! And congrats on the launch
I've edited the paragraph a little to reflect that. Hopefully, at some point in the future we can really say "all the features" ;)
In the end, you've recognized correctly that we see ourselves as an open-source company first and foremost.
Unfortunately, my project is not using jsx, so I can't really implement anything that relies on it. I would love to check this out, if I can use it without Next.js or any kind of jsx compatability. But, until then, it's not something useful for any of my use cases.
Unfortunately, I'm not seeing much value-add over Clerk or Auth0. Looks like Stych is going to lock me in to a vendor just as much as the other two, so I'd have to compare them based on those merits alone.
So far, Clerk has a more permissive free tier for B2C users.
Also, it's a pretty big red flag - for me, personally - when a site promises that I can export my data, but requires me to request it via email rather than having a straightforward automated process that will provide me an export in an exact, known format. Put simply: if you haven't figured out how to automate data export (even with many complex options), then I don't have much faith in you to do other stuff with the care I would expect.
> Also, it's a pretty big red flag - for me, personally - when a site promises that I can export my data, but requires me to request it via email rather than having a straightforward automated process that will provide me an export in an exact, known format. Put simply: if you haven't figured out how to automate data export (even with many complex options), then I don't have much faith in you to do other stuff with the care I would expect.
We let you export any and all data automatically from our API (via Search or Get Users), the only data we don't allow you to export by default is password hashes. Anything else you can pull at any time.
We require a human-in-the-loop process there so we can ensure out of band that the request is valid and not coming from compromised API keys etc. I'm not sure if there are any auth services that would provide an automated way to dump password hashes, I'd be nervous if there were given the security concerns.
Any plans to create components for Flutter?
Or, honestly, why anyone would chose to use react server components at all.
I was just kicking the tires on cal.com and saw the same thing - they did all their stuff with the react server components and next.js. And then? Well, it turns out that they needed an API, because apps do.
So they ended up reimplementing most of the logic in a RESTful API anyway.
I just SMH.