kb://research/competitor-dossier-auth-identity-2026-06-21stable2026-06-21

Competitor Dossier — Auth / Identity Platforms (WorkOS/Clerk/Auth0/Stytch/Keycloak/Ory/Zitadel/…)

researchcompetitiveauthidentitysovereigntymarket-intel

Competitor Dossier — Auth / Identity Platforms

Purpose. A durable, honest, source-cited reference on the auth/identity market so OpenAlice never re-researches it. Covers 12 platforms in depth + FrontEgg/Descope as shorter notes. Verified against official docs/pricing/security pages, June 2026. Where a vendor over-claims or hides pricing, it is flagged inline.

>

Our stack (for grounding). OpenAlice auth = self-hosted Rust (openalice-auth + openalice-tenants + gateway + passport). We already ship SAML 2.0 SSO + SCIM 2.0, HS256 JWT (Bearer + tid tenant claim) + X-Internal-Secret M2M, RBAC (owner/admin/member/viewer), and we are EU-sovereign (self-hosted on EU infra, zero CLOUD Act exposure). Known gaps: FGA/ReBAC, passkeys/WebAuthn, SOC2/ISO27001 certs.

>

The sovereignty thesis (read this first). The single axis that splits this market cleanly is self-host + EU data sovereignty. Every pure-SaaS vendor here is headquartered in the US (or US-owned, or Israel-linked) and is therefore subject to the US CLOUD Act — US authorities can compel data disclosure even when bytes are physically stored in an EU region. "EU data residency" (where data rests) is not the same as "EU data sovereignty" (whose jurisdiction can compel it). Only self-hosting on your own EU infrastructure removes CLOUD Act exposure entirely. This is OpenAlice's structural moat against WorkOS / Clerk / Auth0 / Stytch / FrontEgg / Descope, and it puts us in the same sovereignty class as Keycloak / Ory / Zitadel / FusionAuth / Logto / Supabase-self-hosted.

Table of Contents

  1. WorkOS
  2. Clerk
  3. Auth0 (Okta)
  4. Stytch
  5. Supabase Auth
  6. Keycloak
  7. Ory (Kratos / Hydra / Keto / Oathkeeper)FGA/ReBAC deep-dive + Keto adoption plan
  8. FusionAuth
  9. Logto
  10. Zitadel
  11. FrontEgg (short note)
  12. Descope (short note)
  13. Master comparison table
  14. FGA / ReBAC focus: Auth0 FGA (OpenFGA) vs Ory Keto
  15. Where OpenAlice wins / must catch up
  16. Ory Keto adoption plan — concrete integration notes

1. WorkOS

Positioning + model. Pure cloud SaaS, API-first, aimed squarely at B2B SaaS companies selling up-market to enterprise. Pitch: "make your app Enterprise Ready" — drop-in Enterprise SSO, Directory Sync, Audit Logs, and an Admin Portal where the customer's IT admin self-configures SSO without your engineers. Expanded down-market with AuthKit (full auth/user-management) to compete with Clerk/Auth0 for greenfield, then funnel them into the paid enterprise modules. No OSS, no self-host. docs

Pricing. Signature per-connection SSO model — "one connection = one enterprise customer," billed identically regardless of IdP, directory type, or seat count. pricing, analysis

Connections$/connection/mo (SSO **and** Directory Sync each)
1–15$125
16–30$100
31–50$80
51–100$65
101–200$50
201+Custom
  • No free *production* SSO connection — $125 from the first live connection (staging is free). The oft-repeated "N connections free" line is only true in staging — an over-claim for production.
  • AuthKit: genuinely generous — first 1M MAU free, then $2,500/mo per additional 1M MAU.
  • Audit Logs $125/mo per SIEM + $99/mo per 1M events; Custom domain $99/mo; Radar (bot/fraud) 1,000 free then $100/50K.
  • Honest flag: per-connection is great for few large enterprise customers (a 50k-seat customer is still one $125 connection) but punishes many small tenants (100 tiny SSO customers ≈ $6,500/mo). Directory Sync bills separately at the same rate, so SSO+SCIM for one customer = two connections.

Feature inventory.

#DimensionWorkOS
1Core authNAuthKit: email/password, magic link, social (Google/Microsoft/GitHub named, any OIDC configurable). Curated social list, smaller than Clerk
2Passkeys/WebAuthnYes (AuthKit)
3Enterprise SSOOfficial SSO page says "20+" IdPs (Okta, Entra, Google, OneLogin, ADFS, JumpCloud, PingFederate, Auth0, CyberArk, Shibboleth, VMware, Duo + any SAML/OIDC). The "60+" figure is not on the page — an over-claim. sso
4Directory Sync / SCIM~"over a dozen": Okta, Entra, Google Workspace, OneLogin, PingFederate, JumpCloud, Rippling, Workday, BambooHR + SFTP/CSV + any SCIM 2.0 dir-sync
5MFA/2FATOTP, SMS, passkeys
6Orgs / multi-tenancyOrganization-centric, purpose-built for B2B; org-scoped connections + roles
7RBACRoles→permissions, org-scoped custom roles, IdP-group sync, perms in JWT
8FGA / ReBACYes — explicit Zanzibar implementation. "Warrants" (resource/relation/subject + optional policy); supports check, reverse ("which resources can X access"), and "who can access Z" fga
9Sessions/tokens/M2MJWT sessions w/ perms in claims; dedicated M2M / MCP-auth + Vault products
10ComplianceSOC 2 Type II, GDPR, CCPA; HIPAA BAA enterprise-only; annual pen tests. No ISO 27001 / FedRAMP / FIPS advertised security
11Self-host + EU residencyNo self-host. US cloud-only, no EMEA region. WorkOS argues around this with a "auth doesn't need to be local" blog. CLOUD Act applies. A real disqualifier for sovereignty-sensitive EU buyers data-residency
12Hosted UI / SDKAuthKit hosted login (or headless API); broad SDK coverage

Differentiators: best-in-class enterprise-readiness bundle (SSO+SCIM+self-serve Admin Portal — category leader); real Zanzibar FGA; 1M-free-MAU AuthKit. Gaps: no EU residency / no self-host; per-connection SSO scales badly for many-small-tenant apps; over-claims IdP count; no ISO 27001/FedRAMP.

2. Clerk

Positioning + model. Cloud SaaS, frontend-developer-first, best DX of the SaaS pack. Famous for drop-in React/Next.js components (<SignIn/>, <UserButton/>, <OrganizationSwitcher/>). Started consumer-auth for indie devs, pushed up into B2B/organizations. Cloud-only, no self-host. user-auth

Pricing. Per MRU (Monthly Retained User) — broader than strict 30-day-active MAU, so can bill more than expected. pricing

  • Free (Hobby): 50,000 MRU + 100 monthly-retained orgs (raised from 10k in Feb 2026).
  • Pro: $25/mo ($20 annual). 50k MRU included, then $0.02/MRU (50k–100k), tapering to $0.012 at 10M+.
  • Organizations: 100 free, then $1/mo each, → $0.60 at scale.
  • Enterprise SSO (SAML/OIDC): 1 included on Pro, $75/mo each additional → $15 at 500+.
  • Add-ons: B2B Authentication Enhanced $100/mo (unlocks custom roles/permissions); Administration Enhanced $100/mo.
  • M2M tokens: $0.001 per token creation (verification free in JWT mode); billing from Mar 16 2026 m2m.
  • Honest flag: "MRU not MAU" is a subtle cost trap; custom roles behind a $100/mo add-on is a frequent surprise. ~$825/mo at 50k, ~$1,825/mo at 100k once past free analysis.

Feature inventory.

#DimensionClerk
1Core authNEmail/password (+HaveIBeenPwned leaked-pw check), magic link, email/SMS OTP, 28–30+ social/OAuth + custom OIDC providers
2Passkeys/WebAuthnYes, mature. Caveat: passkeys not usable as a standalone MFA second factor security
3Enterprise SSOSAML + OIDC (Okta/Entra/Google etc.), metered per connection
4Directory sync / SCIMAvailable, but weaker/newer than WorkOS — not a headline product
5MFA/2FASMS, TOTP, hardware security keys, backup codes
6Orgs / multi-tenancyStrong 3-tier (orgs → members → roles); user in multiple orgs; <OrganizationSwitcher/> UI
7RBACDefault + custom roles — custom roles require the $100/mo B2B add-on; "role sets"
8FGA / ReBACMarkets "RBAC and FGA," but no standalone Zanzibar engine comparable to WorkOS FGA — it's org-scoped RBAC. Treat the FGA claim skeptically
9Sessions/tokens/M2MFull managed session lifecycle, JWT, brute-force blocking; M2M tokens (opaque/JWT) now GA-paid
10ComplianceSOC 2 Type II, HIPAA (BAA on Enterprise), GDPR, CCPA; 3rd-party audits. Doesn't advertise its own ISO 27001 (infra only) security
11Self-host + EU residencyNo self-host. BUT — GDPR notice states EU data stored in Germany w/ Ireland backup, EU subprocessors keep data in-EEA. Strongest EU-residency posture of the SaaS pack. Still US-HQ → CLOUD Act exposure remains gdpr
12Hosted UI / SDKBest-in-class pre-built React components; React/Next/Remix/iOS/Android/Expo SDKs

Differentiators: unmatched frontend DX (the reason most teams pick it); EU residency in Germany/Ireland (quietly best EU story of the SaaS pack); clean orgs/B2B model + hosted org-switcher. Gaps: no real Zanzibar FGA despite marketing it; custom roles + enhanced B2B behind $100/mo add-ons stack with per-connection SSO; MRU billing can exceed true active usage; no self-host.

3. Auth0 (Okta)

Positioning + model. Closed-source CIAM SaaS, acquired by Okta in 2021, marketed as Okta's developer-facing identity arm. Targets B2C consumer + increasingly B2B multi-tenant SaaS. No first-class OSS self-host. auth0.com

Pricing. MAU = unique user authenticating ≥1× per 30-day window. Split into B2C/B2B lines — the single most-criticized thing about Auth0. pricing

PlanStartMAU scalingNotes
Free$0up to 25,000 MAUpasskeys, unlimited social, SCIM, 1 enterprise connection, 5 orgs
B2C Essentials$35/mo (500)$3,500 (50k)Pro MFA, RBAC; no enterprise connections
B2C Professional$240/mo (500)up to $3,200 (20k)enterprise MFA, custom DB; enterprise connections still unavailable
B2B Essentials$150/mo (500)up to $3,800 (20k)3 SSO connections, unlimited orgs
B2B Professional$800/mo (500)up to $2,400 (10k)5 SSO connections, enterprise MFA
EnterpriseSalescustom99.99% SLA
  • Honest flags: (1) brutal B2C→B2B jump — same 500 MAU costs $35 vs $150–$800 because SSO/orgs are a B2B upsell. (2) Enterprise SSO hard-gated — B2C plans list "Enterprise Connections: unavailable"; B2B gives 3–5 then $100/mo per extra connection. (3) per-MAU overage ~$0.07 cited by third parties (not on Auth0's page — treat as indicative) ssojet. (4) Adaptive MFA = Enterprise + add-on; "Auth0 for AI Agents" adds 50% to base.

Feature inventory.

#DimensionAuth0
1Core authNPassword, passwordless (email/SMS magic link + OTP), social — 74 pre-built connections + custom OAuth2 universal-login
2Passkeys/WebAuthnYes, mature — native in Universal Login, on all tiers incl. Free
3Enterprise SSOSAML + OIDC + WS-Fed; gated (1 free, none in B2C paid, 3–5 in B2B then $100/connection)
4SCIMNative inbound SCIM, per enterprise connection; on all tiers
5MFATOTP/SMS/email/push (Guardian)/WebAuthn/Duo; Adaptive MFA (ML risk) Enterprise+add-on; Attack Protection (brute-force, breached-pw, bot)
6Orgs / multi-tenancyAuth0 Organizations — first-class B2B tenants, per-org branding/roles, home-realm discovery
7RBACBuilt-in roles + permissions, per-org roles (Essentials+)
8FGA / ReBACAuth0 FGA (managed) on OpenFGA — see deep-dive
9Sessions/tokens/M2MJWT access+refresh w/ rotation/revocation; M2M client-credentials metered (5,000 on Pro; overage $10–$1,200/mo)
10ComplianceSOC 2 Type II, ISO 27001/27017/27018, HIPAA BAA (on request), PCI DSS, CSA STAR Gold compliance. FedRAMP is on the Okta Workforce/Gov side, NOT the standard Auth0 commercial cloud — don't assume Auth0 commercial is FedRAMP-authorized
11Self-host + EU residencyNo self-host. Public cloud in US, EU, AU; private-cloud in any 3-AZ AWS region. Sovereignty caveat: Auth0 = Okta = US-HQ → EU residency ≠ EU sovereignty; remains subject to US CLOUD Act regardless of region residency
12Hosted UI / SDKUniversal Login (hosted, passkey-native) + legacy Lock; broad SDKs

Differentiators: best hosted Universal Login + widest SDK/connection ecosystem (74); first-class B2B Organizations + SSO/SCIM; ships the leading open ReBAC engine (OpenFGA) and a managed FGA. Gaps: opaque/steep pricing (B2C/B2B split + per-connection SSO + per-MAU overage + add-on multipliers → unpredictable TCO); no self-host = full lock-in; US CLOUD Act exposure undercuts EU-sovereignty even with EU residency.

4. Stytch

Positioning + model. Cloud SaaS, API-first / backend-first, "primitives, not opinions." Separate Consumer (B2C) and B2B product lines, each with its own data model. Owned by Twilio (compliance docs in Twilio Trust Center). Strong recent push into fraud/device-fingerprinting + AI-agent / MCP auth (Connected Apps). Cloud-only, no self-host. stytch.com

Pricing. Pay-as-you-go per MAU (unique user authenticating in a 30-day window), no hard caps. pricing

  • Free: 10,000 MAU + unlimited orgs + 5 SSO or SCIM connections + 1,000 M2M tokens + 10k device fingerprints. Broadest free feature set (MFA/SSO/RBAC/SCIM all free).
  • Overage: per-MAU at volume tiers (~$0.05–$0.10 reported by third parties; exact rate opaque on page); additional SSO/SCIM connections $125 each; fingerprints $0.005 each.
  • Enterprise/annual: custom — a quoted example $25,000/yr for 10k MAU + 5 connections (steep jump) supertokens.
  • Honest flag: per-MAU overage not clearly published; SMS/WhatsApp OTP is carrier passthrough and can exceed $1/message in some regions — the classic hidden cost.

Feature inventory.

#DimensionStytch
1Core authNEmail/SMS/WhatsApp OTP, magic links, passwords, OAuth social, embedded/headless primitives — most flexible API surface
2Passkeys/WebAuthnYes, mature (consumer + B2B, biometric, shipped 2023)
3Enterprise SSOSAML + OIDC, B2B-optimized; 5 connections free then $125 each
4Directory sync / SCIMSCIM (GA 2025) — shares the 5-free-then-$125 connection pool with SSO
5MFA/2FATOTP, SMS, email OTP, passkeys; org-management MFA controls in base
6Orgs / multi-tenancyB2B org-centric; unlimited orgs even free — strong multi-tenant
7RBACYes (GA Dec 2023) — custom roles, predefined perms, multi-role, multi-tenant-aware
8FGA / ReBACNo dedicated Zanzibar engine. RBAC + scopes/perms; device-fingerprint "fine-grained enforcement" is fraud gating, not relationship-graph FGA
9Sessions/tokens/M2MStrong M2M (scopes/perms), JWKS/JWT, and Connected Apps (OAuth tokens for agents/MCP) — best AI-agent-auth story of the SaaS pack connected-apps
10ComplianceSOC 2 Type II, ISO 27001, PCI-DSS, HIPAA (business associate), GDPR, CCPA/CPRA, CAIQstrongest cert breadth of the SaaS pack (only one with ISO 27001 + PCI) compliance
11Self-host + EU residencyNo self-host. No current EU data residency (per-org in-region storage is roadmap, not shipped). US-HQ + Twilio-owned → CLOUD Act exposure. Weakest residency story of the SaaS pack today
12Hosted UI / SDKPre-built UI + headless SDKs (web/mobile/backend); more API/primitive-oriented than Clerk

Differentiators: best compliance cert breadth (only one with ISO 27001 + PCI); best AI-agent/M2M/MCP auth (Connected Apps + fingerprinting); broadest free feature tier. Gaps: no EU residency yet (roadmap) + no self-host (+ Twilio ownership layer); no true Zanzibar FGA; opaque per-MAU overage + steep enterprise jump + SMS passthrough.

5. Supabase Auth

Positioning + model. Identity layer of the OSS Supabase BaaS (Postgres + auth + storage + realtime). The auth service is GoTrue / `supabase/auth` — a Go JWT API, Apache-2.0, fully self-hostable — but usually consumed bundled with the platform. B2C-first: one Supabase project ≈ one tenant; no first-class Organizations primitive. github

Pricing. Auth is bundled in every plan. pricing

PlanPriceIncluded MAUNotes
Free$050,000 MAUhard caps; projects pause after 1wk idle; max 2 projects
Pro$25/mo100,000 MAU, then $0.00325/MAUadvanced phone MFA add-on $75/mo
Team$599/mo100k MAUadds SOC 2 + ISO 27001, 14-day backups
EnterpriseCustomnegotiatedHIPAA add-on, BYO-cloud
  • Dramatically cheaper MAU economics than Auth0 (50k free; $0.00325/MAU vs ~$0.07) — but you're buying a database platform, not a dedicated IdP, and DB/storage/egress overages hide under the headline. SAML SSO is Pro+ ("50 included, then $0.015/MAU").

Feature inventory.

#DimensionSupabase Auth
1Core authNEmail/password, magic link, phone/SMS OTP, passwordless, ~20+ social (GOTRUE_EXTERNAL_*)
2Passkeys/WebAuthnYes (newer; less battle-tested than Auth0/Keycloak)
3Enterprise SSOSAML 2.0 consumer, Pro+ only; weaker than a full broker; no WS-Fed
4SCIMNone. No native SCIM — a real enterprise-B2B blocker
5MFATOTP, phone (advanced = $75/mo), WebAuthn/passkeys; no adaptive/risk MFA
6Orgs / multi-tenancyNo first-class Organizations. One project = one tenant; multi-tenancy hand-rolled in schema
7RBACPostgres RLS — JWT claims drive RLS policies; powerful but you write SQL, no managed RBAC UI
8FGA / ReBACNone native — RLS only. No Zanzibar engine; bolt on OpenFGA/Cerbos yourself
9Sessions/tokens/M2MJWT access+refresh w/ rotation, RLS-integrated claims; weak first-class M2M story
10ComplianceSOC 2 + ISO 27001 (Team+), HIPAA (Enterprise add-on); Free/Pro not in compliance scope
11Self-host + EU residencyFully self-hostable (Apache-2.0 GoTrue + Postgres) = total sovereignty, OR managed cloud w/ region choice. Self-host = no CLOUD Act exposure; managed cloud is US infra → US-jurisdiction caveat for the hosted tier self-host
12Hosted UI / SDKAuth UI + `supabase-js` (+ Flutter/Python); tightly DB-integrated, less of a standalone hosted-login product

Differentiators: auth is free + deeply integrated with Postgres (JWT→RLS is uniquely tight); most generous MAU economics; OSS + self-hostable for sovereignty. Gaps: no SCIM, no Organizations, weak SSO → not enterprise-B2B-ready without heavy custom work; authz is RLS-only (no ReBAC/FGA); it's a BaaS not a dedicated IdP (thin M2M/adaptive-MFA/federation).

6. Keycloak

Positioning + model. 100% OSS (Apache-2.0), self-hosted IdP + identity broker, originally Red Hat/WildFly, donated to CNCF (Incubating, Apr 2023). Red Hat ships supported RHBK downstream; upstream is vendor-neutral. Cost = ops/hosting/HA/upgrades (or RHBK subscription / managed vendors like Cloud-IAM/Skycloak). cncf

Pricing. $0 license. TCO = infra + operational labor (clustering, DB, TLS, upgrades, patching). No per-MAU charge → cheapest at very high user counts.

Feature inventory.

#DimensionKeycloak
1Core authNPassword, OTP (TOTP/HOTP), recovery codes, magic-link/passwordless (flows/extensions); social via configured IdPs
2Passkeys/WebAuthnYes, mature — passkeys in login forms (conditional + modal), WebAuthn register/login 26.6.3
3Enterprise SSOStrongest free — full IdP + broker. Native OIDC + SAML 2.0 as both provider and consumer; brokering to any external OIDC/SAML IdP; FAPI 2.0 Final
4SCIMHistorically extension-only (community plugins). 26.6 (Apr 2026) added a native experimental SCIM Realm API (Entra-validated, off by default) scim
5MFATOTP/HOTP, WebAuthn/passkeys, recovery codes; conditional/step-up; no built-in ML adaptive (custom authenticators)
6Orgs / multi-tenancyRealms = strong per-tenant isolation; newer Organizations feature for in-realm B2B grouping
7RBACRealm + client roles, composite roles, groups w/ inherited roles — full UI + REST API
8FGA / ReBACAuthorization Services = UMA 2.0 + policy-based, NOT Zanzibar. Resource/scope/permission + pluggable policies (RBAC, ABAC, context, time, JS, aggregated). Policy/PDP-style, not relationship-tuple ReBAC authz
9Sessions/tokens/M2MOAuth2/OIDC access+refresh, rotation/revocation, offline tokens; client-credentials M2M + new federated client auth
10ComplianceDepends entirely on your hosting — Keycloak carries no SOC2/ISO/HIPAA cert; you inherit certs from your infra/ops
11Self-host + EU residencyTotal sovereignty — 100% self-host, you choose jurisdiction. EU/on-prem/air-gapped, zero CLOUD Act exposure by design. Cleanest EU-sovereignty answer of the OSS pack
12Hosted UI / SDKLogin themes (FreeMarker), account + admin consoles; standards-based clients but leaner first-party SDKs → rougher DX than Auth0/Supabase

Differentiators: full-fat IdP + broker for free (richest SSO/federation/realm story, no per-MAU cost); complete data sovereignty; standards depth (OIDC, SAML, UMA 2.0, FAPI 2.0). Gaps: ops burden is the real price (HA, upgrades, DB, patching, compliance all on you); authz is UMA/policy-based not Zanzibar (SCIM only just went experimental in 26.6); DX/SDK + hosted-login polish lag.

7. Ory (Kratos / Hydra / Keto / Oathkeeper)

The one we care about most — both as a competitor and as the source of our intended FGA side-car (Keto).

Positioning + model. A modular, API-first, headless OSS auth ecosystem of four independent Go services, all Apache-2.0 self-hostable, also sold as managed Ory Network (and Ory Enterprise License / OEL for supported self-host). The philosophy is "compose the auth stack you need, no monolith, no vendor lock-in." github.com/ory, review

ComponentRole
KratosHeadless identity/user management — login, registration, MFA, recovery, verification, profile, sessions. "Replace Auth0/Okta/Firebase." kratos
HydraOpenID-Certified OAuth 2.1 + OIDC provider (issues access/ID tokens). Used by OpenAI and others at scale. hydra
KetoGoogle-Zanzibar implementation — relationship-based permission server (ReBAC/RBAC/ACL). keto
OathkeeperIdentity-&-access reverse-proxy / decision API — centralized authN+authZ enforcement for microservices.

Origin + sovereignty nuance (important). Ory's OSS project was founded in Munich, Germany (2015, Aeneas Rekkas + Thomas Aidan Curran); the corp later established HQ in Doylestown, Pennsylvania (US) with a Munich office insight. Implication: self-hosting Ory (Apache-2.0) = fully sovereign (your infra, your jurisdiction, zero CLOUD Act exposure); the managed Ory Network is a US-corp SaaS → CLOUD Act applies to the hosted tier. For OpenAlice, the relevant mode is self-hosted Keto as a side-car, which is sovereign by construction.

Pricing (Ory Network managed). Production from $70/mo (incl. $21/mo usage credits): 1 prod app + 3 staging + 5 dev. Billed on aDAU (Average Daily Active Users — total active users/day ÷ days in month, smoother than MAU) at $0.12/aDAU flat (no stepped pricing), plus M2M tokens and Permission Checks. Free tier exists. pricing, aDAU. Self-host = $0 (Apache-2.0); enterprise features (SCIM, SAML import, org-login) need OEL or Ory Network for the identity layer (Kratos) — but Keto self-host is fully featured under Apache-2.0, no enterprise gate on the permission engine.

Feature inventory (whole stack).

#DimensionOry
1Core authN (Kratos)Password, magic link, SMS, social/OIDC, TOTP, lookup codes; headless (you own the UI). kratos
2Passkeys/WebAuthn (Kratos)Yes, mature — passkey passwordless + WebAuthn, with authenticator_selection.attachment, resident_key, user_verification config passkeys
3Enterprise SSOOIDC anywhere (Hydra = OIDC provider; Kratos = OIDC consumer). SAML import + organization-login ("SSO") are Enterprise/Network-only for Kratos (historically Kratos lacked native SAML; it's gated) kratos
4SCIMEnterprise/Network only (OEL) — provision enterprise user attributes via SCIM; not in OSS Kratos
5MFATOTP, WebAuthn/passkey, SMS, lookup/recovery codes; step-up
6Orgs / multi-tenancy"Organizations"/projects on Network; self-host multi-tenancy via your own modeling + Keto namespaces
7RBACVia Keto (roles = groups; see below) — not a separate product
8FGA / ReBAC (Keto)★ The reference open-source Zanzibar implementation. See deep-dive below
9Sessions/tokens/M2MHydra = OAuth2.1 client-credentials M2M, token rotation/revocation, JWKS; Kratos sessions; (new Talos API-key server for M2M/agent capability tokens)
10ComplianceOry Network is ISO 27001 certified + SOC 2 Type II certified; GDPR. Keto "audit-ready for GDPR/SOC2/PCI-DSS/PSD2." (Self-host inherits your compliance, like Keycloak.) iso, compliance
11Self-host + EU residencySelf-host = full sovereignty (Apache-2.0, your EU infra, zero CLOUD Act). Managed Ory Network = US-corp SaaS → CLOUD Act on the hosted tier. German-rooted project (sovereignty-friendly narrative)
12Hosted UI / SDKHeadless-first — you build the UI (or use Ory Elements/Account Experience on Network). SDKs across major langs. DX is powerful but more assembly-required than Clerk/Auth0

Ory Keto — the FGA engine (deep technical)

  • What it is. "The first and most popular open-source implementation of Zanzibar: Google's Consistent, Global Authorization System" — the permission system behind Google Drive/YouTube. keto-page, keto-repo
  • Data model. Permissions are stored as datarelation tuples linking a subject (user/service/device, or a subject-set like "members of group X") to an object via a relation, scoped to a namespace. Checks traverse that graph transitively. Tuple shape: namespace:object#relation@subject (e.g. File:private#view@User:vinckr). relation-tuples
  • Ory Permission Language (OPL). Namespaces + permission logic are authored in a TypeScript-syntax DSL (classes with typed relation arrays + boolean permit functions). OPL is intentionally NOT Turing-complete → prevents infinite loops / resource exhaustion. Supports computed/implied relations (e.g. "editors are also viewers").
  • APIs (REST + gRPC). - Check — "does subject S have relation R on object O?" (the hot path). - Expand — recursively expand a subject-set into an access tree (pass max depth). - List — query relationships by partial tuple (e.g. "list all readers of doc X"). - Batch check — many checks in one request. - Write/relationship API — create/delete tuples (separate write vs read API surface for CQRS-style scaling).
  • Models supported in one engine: ReBAC (core), RBAC (roles = groups via membership tuples), ACL (direct tuples), ABAC (conditional logic via OPL).
  • Performance. Targets <10 ms p95, "trillions of relationships, millions of checks/sec," horizontally scalable — designed to sit synchronously in the API request path.
  • Storage. PostgreSQL / MySQL / CockroachDB (prod); SQLite (dev only).
  • License. Apache-2.0 — unrestricted commercial use, fully self-hostable as a side-car. No enterprise gate on the permission engine itself.

Differentiators: the most modular OSS auth stack (pick exactly what you need); Keto is the de-facto reference open Zanzibar engine — production-grade, sub-10ms, REST+gRPC; certified managed option (ISO 27001 + SOC 2 II); self-host = sovereign. Gaps: highest assembly cost of any option (4 services, steep learning curve, you build the UI); SAML/SCIM/org-login gated behind Enterprise/Network for the identity layer; headless-first DX is not for teams wanting drop-in components.

8. FusionAuth

Positioning + model. US-based (Denver) dev-first CIAM. Free unlimited self-host (Community) + paid licensed editions that unlock premium features as a flat-rate license (no per-MAU tax) — positioned against "unpredictable per-MAU SaaS costs." Same feature set self-hosted or on FusionAuth Cloud. pricing

Pricing (two axes — license tier + hosting).

EditionPrice (directional)Key unlocks
Community$0, unlimited MAU, self-hostOAuth2/OIDC, SAML v2 SP, tenants, basic WebAuthn/passkeys
Starter~$162/mo (annual)Advanced MFA (SMS/email/voice), themes, breached-pw, LDAP, entity mgmt (M2M), SAML IdP-initiated
Essentials~$790/moCustom OAuth scopes, advanced user mgmt
Enterprise~$2,970/moSCIM server, cross-platform WebAuthn, app MFA policies, advanced threat detection, HIPAA BAA
  • FusionAuth Cloud hosting is priced SEPARATELY by instance class (~$75/mo Basic → ~$850/mo Premium-HA) — managed Enterprise = license + hosting stacked. Honest flag: exact tier prices partly gated/inconsistent across aggregators — confirm with sales.

Feature inventory.

#DimensionFusionAuth
1Core authNPassword, passwordless/magic-link, OTP, social — ~17+ connectors incl. gaming (Discord/Steam/Twitch/Xbox/PSN/Epic/Nintendo) + enterprise (Azure AD/Okta/ADFS/HYPR) + generic OIDC
2Passkeys/WebAuthnBuilt-in WebAuthn + passkeys; cross-platform authenticators gated to Enterprise
3Enterprise SSOFull IdP + SP; SAML v2 SP in Community; SAML IdP-initiated = Starter+
4SCIMEnterprise-only (~$3k/mo) ⚠️ highest paywall
5MFA/2FATOTP (Community); SMS/email/voice = Starter+
6Orgs / multi-tenancyTenants + applications (multi-tenant in Community)
7RBACRoles/permissions/scopes per app; custom OAuth scopes = Essentials+
8FGA / ReBACNone — RBAC + scopes only
9Sessions/tokens/M2MRefresh rotation, revocation; M2M (entity mgmt) = Starter+
10ComplianceSOC 2 Type 2 certified; HIPAA BAA at Enterprise soc2
11Self-host + residencySelf-host free + unlimited = full sovereignty (you pick region). US company; Cloud regions less prominent than EU-native rivals
12Hosted UI / SDKThemeable hosted pages (themes = Starter+); broad SDK breadth

Differentiators: free unlimited-MAU self-host with real CIAM depth; flat predictable license (no MAU tax); broadest social/gaming connectors + early SOC 2. Gaps: SCIM locked to ~$3k/mo Enterprise; no ReBAC/FGA; opaque tier pricing + license-plus-hosting double-cost on Cloud.

9. Logto

Positioning + model. Built by Silverhand (OSS-first), Auth0-alternative for developers; cloud + self-host. License: MPL-2.0 (Mozilla — copyleft-lite, not MIT as often mislabeled). Self-host free; Cloud is the commercial layer with token-based billing. github

Pricing (Cloud).

PlanPriceIncludes
Free$0up to 50,000 MAU, 50k tokens, 3 apps, 1 M2M app, 1 API
Pro$24/mo baseUnlimited MAU, 50k tokens then $0.08/100 extra tokens, unlimited apps
EnterpriseSalesCustom, SLA, Private Cloud

Add-ons (Pro) — where the real cost lives: MFA $48, RBAC $32, Organizations $48, Enterprise SSO $48/connector, SAML app $96 each, 3rd-party OIDC app $8, custom domains $48, extra M2M/member $8. pricing

  • Honest flag: the $24 base is a teaser — RBAC, MFA, Organizations, and each SSO connector are separate line items; SAML apps are the priciest single add-on at $96. Token-based billing scales with token issuance (harder to forecast than flat per-MAU).

Feature inventory.

#DimensionLogto
1Core authNPassword, passwordless, social, Google One Tap; "30+ framework SDKs"; full OIDC + OAuth 2.1
2Passkeys/WebAuthnSupported for both MFA and passkey sign-in — mature
3Enterprise SSOSAML + OIDC; SSO connectors + SAML apps are paid add-ons
4SCIM⚠️ Weakest of the OSS-challenger tier — recently shipping; verify current status
5MFA/2FATOTP, WebAuthn, backup codes — MFA is a $48 paid add-on on Cloud
6Orgs / multi-tenancyOrganizations (org-RBAC, invites, JIT) — paid add-on $48
7RBACRoles/perms + org-RBAC; paid add-on $32
8FGA / ReBACNone — RBAC + org-RBAC only
9Sessions/tokens/M2MM2M apps (1 free, $8 each); token rotation; markets MCP/agent-auth
10Compliance"SOC2-ready," NOT certified — no public SOC2/ISO cert found; verify trust page
11Self-host + residencyFree MPL-2.0 self-host = full sovereignty. Cloud regions: EU, US, AU, JP
12Hosted UI / SDKPrebuilt sign-in experience + Console; 30+ SDKs — strongest embed DX of this tier

Differentiators: cleanest modern DX + prebuilt sign-in + 30+ SDKs; generous 50k-MAU free + low $24 base; explicit MCP/agentic-auth posture (most "2026-native"). Gaps: à-la-carte add-ons make real Cloud cost opaque/high (SAML $96/app); SCIM least mature; compliance is "ready," not certified.

10. Zitadel

Positioning + model. Built by CAOS AG, founded 2019 in St. Gallen, Switzerland. Go-based, single-binary, event-sourced on Postgres/CockroachDB (every state change = immutable event → built-in audit trail). Strong B2B/multi-tenancy. Standout angle: Swiss/EU data sovereignty. trust

License change (important). Moved Apache 2.0 → AGPL-3.0 with v3.0 on Mar 31, 2025. Pure end-users unaffected; anyone modifying Zitadel to offer a service must open-source changes (AGPL reciprocity) or buy a commercial license. Docs/Helm/Terraform/proto stay Apache 2.0. apache-to-agpl

Pricing — DAU-based, NOT MAU. pricing

TierPriceDAUNotes
Free$0100 DAUall security features, unlimited users/orgs, 3 IdPs, community support
Pro$100/mo base25,000 DAU+DAU overage, custom domains $50 each, SLA 99.5%, adds SOC2/ISO/CCPA scope
EnterpriseCustomUnlimitedDedicated infra, commercial license, 99.99% SLA, custom region
  • Honest flag: 100-DAU free tier looks small (DAU ≠ MAU — they provide a converter), least generous free tier of the challenger trio. Self-host remains free (AGPL).

Feature inventory.

#DimensionZitadel
1Core authNPassword, passwordless, OTP, social/enterprise IdPs (OIDC/SAML/JWT); 3 IdPs free
2Passkeys/WebAuthnPasskey-first / passwordless-by-design — passkey-only auth, FIDO2/WebAuthn, autofill. Strongest passkey story of this tier
3Enterprise SSOFull IdP + SP; SAML + OIDC; B2B delegation
4SCIMSCIM v2.0 — Preview (inbound, PAT auth, Okta-tested). Not yet GA
5MFA/2FATOTP, WebAuthn/passkey, OTP email/SMS — all tiers
6Orgs / multi-tenancyStrongest model — Organizations + Projects + Grants, native B2B, delegated admin
7RBACRoles/perms/scopes per project; metadata-ABAC-ish
8FGA / ReBACNo native Zanzibar. RBAC + delegated access + metadata; explicitly recommends external OpenFGA for true ReBAC fga
9Sessions/tokens/M2MService Accounts via JWT-profile or PAT; rotation/revocation; Actions V2
10ComplianceSOC 2 Type II (Jan 2026) + ISO 27001:2022 (Jun 2024) — strongest certified posture of the challenger trio iso
11Self-host + residencySwiss-made, Swiss-hosted; EU adequacy. Cloud regions: EU, US, Switzerland, AU. Only Swiss/European IAM-as-a-Service of this set; GDPR-native. Self-host = full sovereignty
12Hosted UI / SDKNew MIT-licensed, self-hostable Next.js/TS login; @zitadel/client + @zitadel/proto SDKs

Differentiators: Swiss/EU data sovereignty + Switzerland/EU cloud regions (standout for residency-sensitive buyers); event-sourced immutable audit by default + best-in-class B2B multi-tenancy; passkey-first + dual SOC2-II/ISO27001. Gaps: Apache→AGPL change narrows permissive self-host freedom (commercial license for modified-SaaS use); DAU pricing + tiny 100-DAU free tier; SCIM still Preview; no native ReBAC (must bolt on OpenFGA).

11. FrontEgg (short note)

Positioning. Cloud/SaaS-only B2B user-management platform: hosted login box + a self-service admin portal the customer's own end-users use to manage SSO/users/roles/API-keys/audit. Israel-HQ. pricing

Pricing. Pay-As-You-Go (free): $0, 7,500 MAU, includes hosted login, unlimited orgs, SSO + SCIM (5 connections), MFA, RBAC, entitlements, M2M, admin portal — most "enterprise" features are NOT gated on free; the paywall is MAU volume, environments, fraud, SLA, HIPAA. Enterprise (custom) adds multi-env, advanced fraud, 99.99% SLA, HIPAA/BAA. Per-MAU/M2M overage exists but unpublished. (Third-party "$49/mo mid-tier" is not on the official page — unverified.)

Feature snapshot. Password + passwordless + social; passkeys/WebAuthn yes; SAML+OIDC + SCIM (in 5-connection pool); MFA (TOTP/SMS/WebAuthn); unlimited orgs/tenants even free; RBAC; FGA/ReBAC = ❌ no Zanzibar — authorization is RBAC + ABAC wrapped in an Entitlements engine (roles + feature-flags + subscription Plans), not relationship-tuple FGA; M2M tokens; SOC 2 Type II, ISO 27001, HIPAA, GDPR (no FedRAMP/PCI); cloud-only, no self-host, offers EU region (residency yes, full sovereignty no — Israel-HQ); standout embeddable self-service admin portal. entitlements, compliance

Differentiator: embeddable self-service admin portal + unlimited tenants. Gap: no ReBAC/FGA, no self-host/FedRAMP.

12. Descope (short note)

Positioning. Cloud/SaaS-only, B2B + CIAM, passwordless-first, built around a no-code drag-drop visual flow builder ("Flows"). Founded 2022 by ex-Imperva/Microsoft security veterans. pricing

Pricing. Free Forever: $0, 7,500 MAU, 10 tenants, 3 SSO, 1 federated app (all auth methods + bot protection + passkeys); Pro $249/mo (10k MAU, 35 tenants, 5 SSO); Growth $799/mo (25k MAU, 100 tenants, 10 SSO) — unlocks SCIM, FGA, and multi-region (EU) data residency; Enterprise custom. Overage: $0.05/MAU, $1/tenant, $50/SSO connection, $250/federated app. FedRAMP High available Growth/Enterprise (paid).

Feature snapshot. Passwordless-first (magic link, OTP, TOTP) + social; passkeys = flagship, all tiers; SAML+OIDC (connection-capped per tier, $50 overage); SCIM gated to Growth+; step-up MFA via Flows; tenants (capped per tier); RBAC + ABAC; FGA/ReBAC = ✅ genuine Zanzibar-style (schema DSL, relation tuples, computed/implied relations) — gated to Growth+ rebac; session/JWT + agentic/M2M focus; SOC 2 Type 2, ISO 27001, GDPR, HIPAA, FedRAMP High (paid); cloud-only, no self-host, EU residency gated to Growth+ (US/Israel-linked → sovereignty exposure remains); standout drag-drop Flows + embeddable widgets + 15+ SDKs. security

Differentiator: no-code Flows builder + passkey depth + real Zanzibar ReBAC. Gap: heavy tier-gating — SCIM, FGA, and EU residency all require $799/mo Growth; per-connection SSO caps; no self-host.

Master comparison table

Legend: ✅ yes/strong · ◑ partial/gated/immature · ❌ no · "$" = paid add-on/tier.

PlatformModelSSO pricingPasskeysSSO IdPsSCIMTrue ReBAC/FGASOC2ISO27001**Self-host****EU residency****EU SOVEREIGN** (no CLOUD Act)Hosted UI/DX
WorkOSSaaS (US)$125→$50/conn20+ (claims 60+)✅ ~12+✅ Zanzibar❌ (US-only)AuthKit (good)
ClerkSaaS (US)$75/conn (1 free)◑ weak❌ (RBAC)◑ infra✅ DE/IE❌ (US-HQ)best React
Auth0/OktaSaaS (US)$100/conn, gated74 conns✅ Auth0 FGA (OpenFGA)✅ EU/AU❌ (US-HQ)✅ Universal Login
StytchSaaS (US, Twilio)$125/conn (5 free)✅ (2025)❌ (RBAC)◑ roadmap❌ (US-HQ)◑ headless
SupabaseOSS BaaS / cloudPro+ SAML◑ SAML only❌ (RLS only)$ Team+$ Team+✅ (GoTrue)✅ region pickif self-host◑ Auth UI
KeycloakOSS self-hostfreefull broker◑ exp 26.6❌ (UMA/policy)inheritinheritfullfull◑ themes
OryOSS modular / cloudOIDC free; SAML $◑ SAML=Ent◑ Ent onlyKeto Zanzibar✅ Network✅ Networkfullif self-host◑ headless
FusionAuthOSS-core / editionsflat license$ Enterprisefullif self-host◑ themes
LogtoOSS (MPL) / cloud$48/conn, $96 SAML◑ newest◑ "ready"full✅ EU regionif self-host✅ good
ZitadelOSS (AGPL) / cloudper tierfirst◑ Preview❌ (→OpenFGA)fullCH/EUif self-host✅ MIT login
FrontEggSaaS (IL)in 5-conn pool✅ (free)❌ (entitlements)✅ EU region❌ (IL-HQ)✅ admin portal
DescopeSaaS (US/IL)$50/conn, capped✅ flagship$ Growth✅ Zanzibar ($)$ Growth EU❌ (US/IL)✅ Flows
OpenAlice (us)OSS self-host (EU)includedgap◑ SAML 2.0 ✅SCIM 2.0gapgapgapfullfull moat(own UI)

FGA / ReBAC focus: Auth0 FGA (OpenFGA) vs Ory Keto

These are the two production-grade open Zanzibar engines. Both are Apache-2.0 and self-hostable — the difference is ecosystem and DSL ergonomics.

**OpenFGA** (Auth0/Okta FGA's engine)**Ory Keto**
OriginOpen-sourced by Auth0/Okta; CNCF Incubating (voted Oct 28, announced Nov 11, 2025)Ory (Munich-rooted); first + most popular OSS Zanzibar
LicenseApache-2.0 (engine). Managed Auth0/Okta FGA = closed, enterprise-contract, sales-only pricing (no public per-check/MAU number)Apache-2.0, no enterprise gate on the engine; managed = Ory Network (per Permission-Check billing)
Data modelRelationship tuples + authorization model in a declarative DSLRelationship tuples + namespaces; Ory Permission Language (OPL) in TypeScript syntax (not Turing-complete)
Core APIsCheck, List-Objects, Write/Read tuples; streamed listCheck, Expand, List, Batch-check; Write/Read split (CQRS)
InterfacesgRPC + REST (HTTP)REST + gRPC
StoragePostgres 14+, MySQL 8+, SQLite(beta)Postgres, MySQL, CockroachDB; SQLite(dev)
EmbeddableGo library optionStandalone service (side-car)
PerfHigh-scale Zanzibar<10ms p95, "trillions of relationships, millions checks/sec"
Maturity signalCNCF Incubating, big-vendor backing, broad communityBattle-tested OSS Zanzibar since 2021, Ory-network production

Recommendation for OpenAlice: adopt Ory Keto. Both are valid, but Keto wins for us on: (1) clean side-car deployment (one Go binary, REST+gRPC, no enterprise gate); (2) OPL is TypeScript-flavored — readable for the team, deliberately non-Turing-complete (safe); (3) Ory is German-rooted — aligns with our EU-sovereignty narrative when self-hosted; (4) <10ms p95 is fast enough to sit synchronously in our gateway's authz path. OpenFGA is the safe alternative (CNCF governance), and the data models are close enough that a later migration is low-risk if we change our minds. Critical caveat: neither managed offering (Auth0 FGA / Ory Network) is sovereign — only the self-hosted Apache-2.0 engine is — so we run Keto on our own EU infra, never the SaaS.

Where OpenAlice wins / must catch up

Where we WIN today

  1. SAML 2.0 SSO + SCIM 2.0 already shipped. This is genuinely ahead of several "modern" competitors: Logto's SCIM is the newest/least-mature; Zitadel's SCIM is still Preview; Supabase has no SCIM at all; Keycloak's native SCIM only went experimental in 26.6 (Apr 2026); Stytch only GA'd SCIM in 2025. We are not behind the OSS field on enterprise provisioning — we're ahead of most of it.
  2. EU sovereignty is a structural moat. Every pure-SaaS competitor (WorkOS, Clerk, Auth0/Okta, Stytch, FrontEgg, Descope) is US- or Israel-headquartered → US CLOUD Act / foreign-disclosure exposure even with an "EU region." WorkOS has no EU region at all; Stytch's EU residency is roadmap-only. We are self-hosted on EU infra = zero CLOUD Act exposure — a claim only Keycloak/self-hosted-Ory/Zitadel/FusionAuth/Logto/self-hosted-Supabase can also make, and none of them are EU-native + already-SAML+SCIM + Rust-performance the way we are. This is our sharpest differentiator — lead with it.
  3. Clean RBAC + tenant-scoped JWT (`tid`) + X-Internal-Secret M2M. Solid, standards-shaped foundation; the multi-tenant claim model is in line with the B2B leaders.

Where we MUST catch up

  1. FGA / ReBAC — the biggest gap. WorkOS, Auth0 FGA, and Descope ship real Zanzibar; we ship only RBAC. Plan: self-host Ory Keto as a side-car (see below). This closes the gap with the leaders and stays sovereign (Apache-2.0 on our infra). Highest-leverage catch-up item.
  2. Passkeys / WebAuthn. Now table stakes — every platform in this dossier ships it (Auth0/Clerk/Stytch/Zitadel-passkey-first/Keycloak/Ory-Kratos all mature). We have none. Add WebAuthn registration + assertion to openalice-auth (passkey as primary passwordless + as MFA factor). Reference Kratos's config surface (authenticator_selection.attachment, resident_key, user_verification) for a sane default set.
  3. SOC 2 Type II + ISO 27001. The SaaS leaders and the serious OSS-managed options (Auth0, Stytch, Zitadel, Ory Network, FusionAuth, Clerk) hold these; enterprise buyers gate on them. Self-hosting means we carry the cert burden (like Keycloak/self-hosted-Ory). Start the SOC 2 Type II readiness track now (it's a 6–12 month clock); ISO 27001 next. These unlock up-market deals the sovereignty story alone can't.

Net positioning line for sales/marketing: "EU-sovereign, self-hosted identity with SAML + SCIM already shipped — the enterprise-readiness of WorkOS without the US CLOUD Act exposure." Then close the passkeys + Keto-FGA + SOC2 gaps to remove every remaining objection.

Ory Keto adoption plan — concrete integration notes

Goal: add Zanzibar-style fine-grained authorization to OpenAlice without surrendering sovereignty, by running self-hosted Ory Keto (Apache-2.0) as a permission side-car alongside our Rust gateway. We keep authN + identity in our own openalice-auth/passport; Keto owns only the relationship-graph authZ decisions.

Why a side-car (not a rewrite): Keto is a single Go binary exposing REST + gRPC, backed by Postgres — it slots in next to our gateway with no change to our existing JWT/RBAC. Our gateway calls Keto's Check API on the request path (<10ms p95 target) to answer "can subject S do relation R on object O?"; RBAC stays as the coarse gate, Keto adds the fine-grained graph.

Deployment (per our org conventions — Docker, Traefik, per-project network):

  1. Add a keto service to the openalice compose stack (read API + write API; Keto splits them for CQRS scaling). Use our own Postgres in the openalice network — no shared DB (per infra rules). SQLite is dev-only; use Postgres for dev/staging/prod.
  2. Keep Keto internal-only — no Traefik subdomain, no public port. The gateway reaches it over the private openalice network. (Matches our "zero exposed ports" rule.)
  3. Seed the namespace / OPL model as code (TypeScript-syntax OPL, version-controlled in the repo) and apply via the Ory CLI in a migration step. Start with one namespace mirroring our tenant/resource model.

Model design (first cut):

  • Subjects: User:<id>, plus subject-sets for groups/roles (Tenant:<tid>#member). Reuse our tid claim as the tenant scoping key so Keto tuples and our JWT stay aligned.
  • Roles as groups: map our existing owner/admin/member/viewer to membership tuples so RBAC is expressible inside Keto (Keto natively supports RBAC-as-groups) — gives us one engine for both coarse and fine-grained.
  • Relations: model resource-level relations (Document:<id>#editor@User:<id>, computed viewer from editor) using OPL's implied-relation functions.

Request-path integration:

  • Gateway flow: validate JWT (existing) → coarse RBAC gate (existing) → Keto Check for resource-level decisions (new). Use batch-check where a request touches multiple objects; use Expand/List for "what can this user see" listing endpoints.
  • Tuple writes (grant/revoke share, add to group) go through Keto's write API, triggered by our app on permission-change events — keep them transactional with our own state.

Sovereignty + ops notes:

  • Run only the self-hosted Apache-2.0 Ketonever Ory Network for this (managed = US-corp = CLOUD Act). Self-hosted on our EU infra = zero exposure, consistent with our moat.
  • Keto carries no SOC2/ISO cert itself (like Keycloak) — compliance is inherited from our operations, which folds into the SOC 2 / ISO 27001 track recommended above.
  • Migration safety: OpenFGA is the fallback if we ever want CNCF governance — the tuple data models are close, so this is a hedge, not a lock-in.

Sequencing: (1) stand up Keto side-car + Postgres in dev; (2) port owner/admin/member/viewer RBAC into Keto groups (parity check against current behavior); (3) add the first resource-level ReBAC relation on a low-risk surface; (4) wire gateway Check on that surface behind a feature flag; (5) lab-test (per our canary discipline) → mvp. This delivers real FGA while keeping every byte on EU infra.

Sources (primary, by platform)

WorkOS: pricing · sso · fga · security · data-residency Clerk: pricing · security · gdpr · m2m Auth0: pricing · universal-login · compliance · residency Stytch: pricing · compliance · connected-apps Supabase: pricing · self-host · github Keycloak: cncf · authz · scim-26.6 Ory: keto · relation-tuples · pricing · iso27001 · kratos FusionAuth: pricing · soc2 Logto: pricing · github Zitadel: pricing · apache-to-agpl · iso · fga FrontEgg: pricing · entitlements Descope: pricing · rebac · security OpenFGA/CNCF: openfga.dev · cncf-incubating