Should you build your own auth?
Auth seems simple until you need SSO, MFA, passwordless, and enterprise features. Here's when to roll your own.
🔑 The landscape changed
Open source auth has gotten really good. Supabase Auth, Lucia, and NextAuth give you 80% of what you need for free. That makes the build-vs-buy decision here more nuanced than in other categories.
The spectrum of auth needs
Authentication exists on a spectrum. Where you fall determines your answer:
Level 1: Basic login. Email/password, maybe Google OAuth. Any framework's built-in auth or Supabase handles this fine.
Level 2: Consumer app. Social logins, passwordless, phone auth. Still doable with open source, but getting complex.
Level 3: B2B SaaS. SSO, SAML, SCIM provisioning, organization management. This is where you should probably buy.
Level 4: Enterprise. Custom SSO integrations, compliance requirements, audit logs. Definitely buy.
Build / vibe when...
- Basic email + OAuth only
- Consumer app, no enterprise
- Using a framework with good auth
- Under 10K users
- Cost-sensitive early stage
Buy when...
- Enterprise customers need SSO
- SAML/SCIM required
- MFA is mandatory
- You sell to regulated industries
- Auth can't be a distraction
The open source middle ground
Before spending $25K/year on Auth0, consider the open source options:
- Supabase Auth: Free tier is generous. JWT-based, works great with Supabase or standalone.
- NextAuth.js / Auth.js: Perfect for Next.js apps. Multiple providers, database adapters.
- Lucia: Lightweight, no vendor. You own the session management.
- Keycloak: Self-hosted, enterprise-grade. Has SSO/SAML. Complex to operate.
These handle Level 1-2 needs excellently. Level 3+ is where Clerk, Auth0, or WorkOS earn their money.
When vibe coding auth makes sense
Hot take: basic auth is a reasonable vibe coding project in 2026. The libraries are mature, the patterns are well-documented, and Claude/Cursor can scaffold it correctly.
What you can vibe: email/password login, OAuth integration, JWT sessions, basic password reset.
What you can't vibe: SSO/SAML integration (spec is a nightmare), MFA (security-critical), rate limiting/brute force protection (easy to mess up).
Real cost comparison
For a B2B SaaS with 5,000 monthly active users over 3 years:
| | Build (OSS) | Auth0 | Clerk |
|---|---|---|---|
| Initial cost | $10K – $30K | $0 | $0 |
| Annual cost | $5K – $15K (maintenance) | $10K – $28K | $3K – $12K |
| Enterprise SSO | $30K+ to add | Included (higher tier) | Included (higher tier) |
| 3-year total | $25K – $75K | $30K – $84K | $9K – $36K |
What people underestimate
SSO is a sales requirement. Enterprise deals often require SAML SSO. Telling a $100K/year customer "we don't have SSO" loses the deal.
Security incidents are expensive. A breached auth system destroys trust. Managed providers have security teams; you probably don't.
The long tail is annoying. Password reset edge cases, session management across devices, account recovery — boring but necessary work.
MFA is table stakes. Regulators and enterprise customers increasingly require it. Building MFA correctly is hard.
Our take
Start with open source. Buy when enterprise customers arrive.
Use Supabase Auth or NextAuth for your MVP — they're free and good enough. When you land your first enterprise customer asking for SSO, that's the signal to buy. Clerk is the sweet spot for most B2B SaaS: affordable, great DX, includes SSO. Auth0 if you need maximum features and have budget.