Launch HN: Stack Auth (YC S24) – An Open-Source Auth0/Clerk Alternative (github.com)
Our GitHub repo is at https://github.com/stack-auth/stack, and there’s a zero-budget demo video here: https://www.youtube.com/watch?v=LTkjdPf2E2Q
Stack Auth was born out of years of frustration with the incumbents. We wanted to build something that is developer-friendly and open-source at the same time.
The dominant player in this space is Auth0, who appeals to enterprises but lags behind in developer-friendliness and has strong vendor lock-in. A newer one is Clerk, which markets directly to devs, but is still entirely proprietary. Open-source solutions like Supabase Auth or Auth.js/NextAuth are only authN, and don't provide the rest of the toolchain.
On the other hand, building your own auth infrastructure is tedious work. Rolling your own crypto is already hard enough, but on top you'll have to deal with OAuth flows, access tokens, RBAC, permission syncing, API keys, and so on. Most handcrafted OAuth or password-based applications in the wild are vulnerable in at least some of these areas.
To us, the solution to this was obvious, so we decided to build it. Stack Auth is 100% open-source, licensed under MIT and AGPL. You can self-host, or choose to use our managed hosting. If you choose the latter, there's no lockin. You can export all your data and/or start self-hosting at any time.
Also, we're more than just authentication — we have authorization (orgs, teams, permissions, RBAC) and user management (impersonation, user dashboard, webhooks).
One interesting feature is what we call "connected accounts": we can manage and refresh your OAuth access tokens even for services that your users don't use for sign in, such as when accessing GMail or OneDrive APIs.
We also put a lot of weight into integrating deeply into the tech stack itself. For now, we support Next.js frontends with a bunch of components and hooks for sign-in, password reset, and organizations. Though, we do have a well-documented REST API (https://docs.stack-auth.com/rest-api/auth), so you can access Stack from any language.
For more info, check out our GitHub repo above, or our documentation (https://docs.stack-auth.com).
Would love to hear about your own stories and opinions on auth. Thanks all!
145 comments
[ 3.3 ms ] story [ 493 ms ] threadI would say we are to Ory what Clerk is to Auth0.
Supertokens, Ory: Developer-friendliness and integrations, mostly (both of these target enterprise customers). Also, Supertokens is open-core. I'd say we're to Supertokens/Ory what Clerk is to Auth0.
I feel like if you took a bunch of literally just that last month of show/launch/announce HN things one could wrap up a whole secure, scalable, promptable, fully formed stack thats just looking for some sort of content.
I suspect the answer is "no" here, but can Stack be used as an OAuth provider itself? I think all I see in the documentation is using other OAuth providers for authentication.
They’re open source (Apache 2.0), developer friendly (nice, documented API), and handles authorization and user management well.
My site is a golang static site with a few pages as a reactjs spa. Do you guys planning on adding support for the general stack using something like the new web components API?
I'd change the name. The last time I saw a legit site with a hyphen in its name was probably early 2010s. It doesn't engender trust.
So, we went with the most popular JS framework first (Next.js), and are gonna go from there once we're confident in it.
[1] https://dev.to/richharris/why-i-don-t-use-web-components-2ci...
I see you plan on making money by charging for the hosted service. Given that, and given recent history in the industry with companies starting out with this model only to rug-pull it from users later and move to a more restrictive license, can you publicly commit to keeping the code MIT/AGPLv3-licensed into the future?
> Though, we do have a well-documented REST API (https://docs.stack-auth.com/rest-api/auth), so you can access Stack from any language.
We also have a setup wizard, which installs Stack Auth into your project, which works only on Next.js apps with the app router. It's as simple as:
They even have a lambda feature to add additional logic around certain workflows or adding claims to your JWTs.
https://fusionauth.io
It does what Auth0 does but significantly more cheaper and you can also self-host if you want.
I built the Pulimi plugin for it which helps us easily configure it. If you don't use Terraform or Pulumi, they have this really cool kickstart feature where you can define a config file that will call their APIs on first time startup to set up the server. Really useful for local dev.
For anyone curious about his experience or other folks experience, we have a series of interviews on our blog here:
https://fusionauth.io/blog/tag/community-story/
Here's the Switchboard post: https://fusionauth.io/blog/switchboard-reduced-migration-tim...
What are your plans for supporting "old school" frameworks, like django, rails, bootstrap, et al?
I know that it makes sense to target greenfield projects first, and I presume most new projects are started with some new cool tech (if looking at npm downloads or some other vanity metric or online questionnaire), but I think there's a long tail of users of other tech that would potentially provide high quality feedback based on real world experience at various settings.
I'm only saying this as it looks like you want to own the whole auth stack, all the layers and all the workflows, from dba to sales so to speak.
We will definitely support those frameworks too, eventually. Though, we think that each integration must be done very carefully — we'd rather have excellent support for one framework and capture its entire audience before going horizontally, than ten mediocre integrations that give our users a headache on setup. We went for Next.js first because a) it's the most popular JS framework for new projects right now, and b) existing Next.js auth is pretty shit.
Congratulations on the launch Zai and Konsti!
I’m working on a hobby project that I had to build in basic email password auth using Auth.js due to a clients specific requirement.
I’ve experienced all the headaches you mentioned above, so I’ll be certainly taking a deeper look into this.
Again, great work!
Cheers!
Congratulations on launching Stack Auth and providing a better alternative!!!
I don't care. Transaction volumes to the auth are comparatively low and computers are cheap so keycloak is a good choice.
I keep repeating this comparison throughout this thread, but Stack is to Keycloak/Ory/etc. what Clerk is to Auth0.
Though, I regularly recommend Keycloak in sales calls when I talk to larger companies willing to invest time and effort into a custom IdP. We are not really looking to replace those use cases.
On the other hand, Auth0 attempts to close of the complexity of the space by creating an opaque/proprietary layer. And then the primary pain point with Auth0 is that it's feature are behind another pricing tier.
If less complexity is what Stack Auth does differently than Keycloak. Does it do so by having a less transparent view of the auth process? Or does it do it by surfacing this complexity in a more digestible format?
Quick question. How would this compare to supabase/gotrue [0] and permify [1]?
[0]: https://github.com/supabase/auth
[1]: https://github.com/Permify/permify
GoTrue and Permify are on a lower abstraction level than us; we connect the entire stack (from frontend to database), while GoTrue and Permify still require a lot of setup and manual integrations.
Auth is literally the next thing I’m working on…
This came up on Reddit and the founder responded directly there, seemed like they were going to add a tool tip or something to make it clearer.
On https://clerk.com/pricing , “Customizable session duration” is listed as a primary benefit of the pro plan, and in the chart we show that the free plan is “Fixed to 7 days”
Apologies we failed to make it clear before you started, that’s definitely not intended. We thought this was a good limitation for the free plan because it doesn’t impact your ability to learn if your product is resonating. If it is, and our default doesn’t work for your app, then we hope you can upgrade now that your product is validated. (It’s maybe worth mentioning that the default of 7 days was selected by copying Google’s session lifetime, also not meant to be nefarious.)
How does it compare?
(For Logto specifically, I'm actually surprised by what they consider "enterprise" features — something like OIDC, 2FA or RBAC should not be gated behind a paywall, IMO.)
Wait, what? Do you role your crypto to handle standard auth flows? Is this some machine generated text?
But it will show our name and logo, and we limit shared key usage to a few users per project, so we highly recommend you set up your own keys before going into production. (The dashboard will let you know in time.)
Is it possible to automate the setup process ?
We implement providers when a paying customer requests them (Team plan for OIDC-compatible providers, Growth plan for everything else, including SAML). Once we've implemented them, though, everyone benefits.
To our surprise, as of right now we haven't received any requests for SAML from our customers.