brief.crastinating.pro
Decided · One-way door · Decided 19 March 2026

Build auth in-house, adopt Clerk, or stay on Auth0 for our B2B SaaS?

Our Auth0 contract renews in 11 weeks at a 3.4× price increase. Build, swap to Clerk, or accept the renewal?

Ticket: SEC-099
Decider: Co-founder · CTO
Team: Seed-stage B2B SaaS, 9 engineers, ~120 paying tenants

The blocker

Why this stalled long enough to need a brief.

  • Auth0 quoted a 3.4× renewal driven by per-MAU pricing now that we crossed 100k MAU.
  • An engineer (with strong opinions) had a working in-house prototype after a weekend; the team then spent two weeks of engineering time arguing about it.
  • SOC 2 Type II audit is in 14 weeks. The auditor specifically asked about 'identity provider attestation.'

Options on the table

Each one was a real proposal, not a strawman.

  • (a) Stay on Auth0, negotiate the renewal, lock 24 months

    Boring is good for security infra. The price hurts but the audit is in 14 weeks; this is the wrong moment to swap providers.

  • (b) Migrate to Clerk on the Vercel Marketplace · Picked

    ~40% cheaper at our MAU, native Vercel integration removes a class of env-var bugs, and Clerk has SOC 2 attestation we can hand to the auditor.

  • (c) Build in-house on Lucia + Postgres

    Full control, lowest run-rate. But the audit is real, the engineer who'd own this will not own it forever, and we'd be writing security-critical code on a deadline.

The memo

Why we picked Migrate to Clerk on the Vercel Marketplace.

We pick (b) — Clerk via the Vercel Marketplace. The decisive factor is not price; it's that Clerk gives the auditor a clean SOC 2 attestation and gives the platform team one fewer secret to rotate.

Build (c) is the seductive option and the wrong one at our stage. At 9 engineers, every hour spent on auth maintenance is an hour not spent on the product the customer pays for. We re-evaluate at 40 engineers if the price curve diverges further.

Migration plan: dual-run Clerk and Auth0 for 4 weeks, migrate tenants in cohorts of 20, sunset Auth0 by 2026-05-30. Cost guardrail: if the actual Clerk bill exceeds the Auth0 renewal price, we revisit.

What actually happened

Followed up roughly 30 days later.

Migration completed 2026-05-22, eight days ahead of plan. Three tenants needed manual SAML re-mapping; in two of those cases the re-mapping uncovered a stale config we would otherwise have carried forward without noticing.

Audit completed 2026-05-30. The Clerk SOC 2 attestation cleared the identity provider question on the first pass.

Run-rate dropped 41% versus the Auth0 renewal quote. We routed the saved budget to two part-time security contractors — a better trade than lower OpEx.

The other doors

The arguments we didn't take, preserved.

  • (a) Stay on Auth0, negotiate the renewal, lock 24 months
    Boring is good for security infra. The price hurts but the audit is in 14 weeks; this is the wrong moment to swap providers.
  • (c) Build in-house on Lucia + Postgres
    Full control, lowest run-rate. But the audit is real, the engineer who'd own this will not own it forever, and we'd be writing security-critical code on a deadline.