Platform authentication
Last updated: Apr 13, 2026
Rationale
Authentication flows for Fluid Attacks' platform are handled by Auth0, a third-party identity platform. Auth0 acts as the identity layer, while the platform issues its own JWT tokens for API authorization.
The platform currently supports the following identity providers via Auth0:
- Microsoft Azure AD
- Bitbucket
The main reasons why we chose Auth0 are:
- It federates authentication for all users, so we do not store passwords or any other sensitive user information in our database.
- It allows our clients to easily control employee access via their enterprise Microsoft Azure or Google user directories. Once a client removes one of their employees from their user directory, access to the platform is automatically blocked for that user.
- Its Terraform provider allows us to manage the entire configuration as code.
- It has a >99% availability SLA.
- It supports a wide range of enterprise identity providers, allowing us to support protocols and directories such as SAML, OIDC, LDAP, Azure Active Directory, and Google Workspace, among others.
- It implements protections against bot attacks, brute force attacks, etc.
- It supports many MFA factors, including push notifications, SMS notifications, one-time passwords, email notifications, and recovery codes, among others.
Alternatives
Below are the other authentication providers we reviewed before choosing Auth0, ordered from most to least interesting based on our specific needs.
Stytch
- Stytch focuses on providing a centralized authentication platform for applications.
- It does not provide any extra features outside of its main focus.
- Its Python library is open source and supports asynchronous environments.
- It has a Terraform provider, but it is still in beta.
- It has a >99% availability SLA, but only for enterprise plans.
- It has a pricing model based on monthly active users (pay for what you use) and is cheaper compared to Auth0.
- It supports many popular compliance frameworks and certifications.
- It supports the most popular public identity providers.
- It lacks support for protocols like SAML, OIDC and LDAP.
- It implements protections against bot attacks, brute force attacks, etc.
- It only supports SMS notifications and one-time passwords as MFA factors.
Stytch was last reviewed on Jan 22, 2025.
AWS Cognito
- AWS is one of the most popular cloud solution providers.
- AWS provides many services, among which are cloud storage and cloud computing. In this article, we focus on AWS Cognito, an authentication solution for applications.
- Its Python library is open source, but does not support asynchronous environments. Luckily, the community has been maintaining an asynchronous fork that we currently use.
- It has a Terraform provider.
- It has a >99% availability SLA.
- It has a pricing model based on monthly active users (pay for what you use) and is cheaper compared to Auth0 and Stytch.
- It supports many popular compliance frameworks and certifications.
- It only supports Amazon, Google, Facebook and Apple as public identity providers.
- It supports SAML and OIDC.
- Generally speaking, it falls behind in terms of protections when compared to Auth0 and Stytch.
- It only supports SMS notifications, email notifications, and one-time passwords as MFA factors.
AWS Cognito was last reviewed on Jan 24, 2025.
Descope
- Descope focuses on providing a centralized authentication platform for applications.
- It does not provide any extra features outside of its main focus.
- Its Python library is open source, but does not seem to support asynchronous environments, making it unusable for us.
- It has a Terraform provider, but it is still in beta.
- It has a >99% availability SLA.
- It has a pricing model based on monthly active users (pay for what you use) and is cheaper compared to Auth0, but more expensive than Stytch.
- It supports many popular compliance frameworks and certifications.
- It supports the most popular public identity providers.
- It supports SAML and OIDC.
- Generally speaking, it falls behind in terms of protections when compared to Auth0 and Stytch.
- It only supports WhatsApp notifications and one-time passwords as MFA factors.
Descope was last reviewed on Jan 22, 2025.
Kinde
- Kinde focuses on providing a centralized authentication platform for applications.
- It also provides services for user management, lead generation and machine-to-machine connections.
- Its Python library is open source, but is barely supported and does not seem to support asynchronous environments, making it unusable for us.
- It does not have a Terraform provider.
- It does not provide information about SLAs.
- It has a pricing model based on monthly active users (pay for what you use) and is cheaper compared to Auth0 and Stytch.
- It supports many popular compliance frameworks and certifications.
- It supports the most popular public identity providers.
- It supports SAML and Azure OIDC.
- Generally speaking, it falls behind in terms of protections when compared to Auth0 and Stytch.
- It only supports SMS notifications, one-time passwords and email notifications as MFA factors.
Kinde was last reviewed on Jan 22, 2025.
WorkOS
- WorkOS provides SaaS solutions for requirements common to enterprise applications.
- Due to its broad focus, it provides services for user management, administrative portals, authentication, and authorization, among others.
- It does not provide a Python library. Instead, it offers either an external GUI or a way to build it using an API. More information can be found in its GitHub repo.
- It does not have a Terraform provider.
- It has a >99% availability SLA.
- Its pricing model makes it free for up to 1 million users, making it the cheapest option.
- It supports many popular compliance frameworks and certifications.
- It supports the most popular public identity providers.
- It supports SAML and OIDC.
- It implements protections against bot attacks, brute force attacks, etc.
- It only supports one-time passwords as an MFA factor.
WorkOS was last reviewed on Jan 22, 2025.
Usage
We use Auth0 for all authentication flows on Fluid Attacks' platform. The tenant configuration is managed as code via Terraform in the integrates/infra directory.