October 1, 2025

How to migrate from Auth0 to WorkOS

A step-by-step guide to moving users, organizations, MFA, and enterprise features from Auth0 to WorkOS, so you can scale with predictable pricing and an enterprise-ready platform.

Modern teams often start with Auth0 for authentication and identity. But as your product grows, especially if you need B2B SSO, fine-grained org management, or enterprise-grade identity features, you may find yourself looking elsewhere. WorkOS provides a developer-friendly, Enterprise Ready identity platform with built-in support for SSO (SAML, OAuth, or OIDC), user management, SCIM, MFA, access control, and organizations.

In this guide, we’ll walk you through migrating from Auth0 to WorkOS, from exporting users to configuring enterprise features. If you’d like hands-on help with your migration, WorkOS Support can work with you before, during, and after your transition.

Why migrate?

As your product and user base grow, the constraints and trade-offs of an identity provider become more visible. Many teams begin evaluating alternatives to Auth0 when they hit real-world scaling, cost, or flexibility limits, not because Auth0 lacks features, but because those features come with costs and complexity that can inhibit growth.

Here are some of the most common issues that drive migrations away from Auth0:

  • Escalating, unpredictable costs: Auth0’s pricing is heavily dependent on monthly active users (MAUs) and the number of enterprise (SSO / SCIM) connections. As usage grows, your bill can balloon or become harder to forecast.
  • Capped free / low tiers and hidden limits: Some of Auth0’s plans impose limits (on MAUs, number of connections, organizations) that force teams into higher tiers prematurely or require sales negotiations.
  • Vendor lock-in via custom logic and platform-specific features: Features like Rules, Actions, or pipeline logic often embed business logic tightly into Auth0's platform, making it hard to move or reuse logic elsewhere.
  • Lack of transparent, usage-aligned pricing: Teams often prefer pricing models that align with growth (e.g. per enterprise connection) rather than per-user jumps. WorkOS positions itself with flat connection pricing and more generous free usage to align with B2B growth.
  • Support & predictability for enterprise features: As you move into enterprise customers, you want features like SAML, SCIM, admin portals, audit logs, and directory sync to be robust, scalable, and easier to manage. Some teams feel Auth0’s enterprise add-ons require more maintenance or custom work.
  • Desire for cleaner, modular domain logic: As teams mature, they often prefer fewer abstractions imposed by the identity provider, more control over flows, branding, extensibility, etc. Auth0 is powerful, but sometimes teams hit walls when they want custom flows or dev control beyond what Rules/Actions allow.

| Auth0 | WorkOS |
| --- | --- |
| Escalating, unpredictable costs | Pricing that scales with your business: flat, per-connection pricing with a transparent calculator on the pricing page makes costs predictable. |
| Capped free / low tiers and hidden limits | Generous free tier with no surprises: developer/test usage without premature forced upgrades. |
| Vendor lock-in via custom logic | Composable, API-first design: clean REST APIs and SDKs keep business logic in your app, not locked inside the auth provider. |
| Lack of transparent, usage-aligned pricing | Transparent, usage-based billing: costs grow as you add enterprise connections, not simply as MAUs climb. |
| Enterprise readiness and support | Enterprise-grade by default: SAML, SCIM, Directory Sync, Audit Logs, and Admin Portal are first-class and easy to enable. |
| Need for simpler, modular developer control | Developer-first approach: flexible auth flows, full branding control, and clear docs without heavy platform constraints. |

Step 1: Export users from Auth0

Auth0 provides a User Import/Export Extension, which is officially deprecated as of September 2025. Alternatively, you can use the Auth0 Management API to bulk export your user data as newline-delimited JSON.

You can export all users associated with a connection or all users in a tenant. For more information, see Bulk User Exports.

Make sure you export:

  • Basic profile: email, first_name, last_name, email_verified
  • Metadata: app- or user-specific attributes

Auth0 doesn’t let you export plaintext passwords. You can request password hashes via a support ticket. After you open a ticket with Auth0, it can take a week or more for your request to be processed. When it completes, you’ll be given another newline-delimited JSON file containing a subset of user data, such as the ID, and, more importantly, the password hash.

Auth0 uses the bcrypt password hashing algorithm, which is supported by WorkOS. If, for whatever reason, you can’t get hashes, plan a forced password reset for some users.

Step 2: Import users into WorkOS

Once you’ve obtained the necessary export files, you can import your user data into WorkOS using the WorkOS import tool.

If you’d rather write your own code, the same process can be completed using the public WorkOS APIs.

Create users

With the data from Auth0’s “Bulk User Export” job, you can use the WorkOS Create User API to import each of the users. Using the default fields from the Auth0 export, use the following mapping from Auth0 to parameters in your WorkOS Create User API calls:

| Auth0 Field | WorkOS Field |
| --- | --- |
| email | email |
| email_verified | email_verified |
| given_name | first_name |
| family_name | last_name |

If you also exported passwords from Auth0, you can import them during the user creation process, or later using the WorkOS Update User API.

Make sure to pass the following parameters to the WorkOS API when importing passwords:

  • The password_hash_type set to 'bcrypt'
  • The password_hash set to the passwordHash field from your Auth0 export
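
The following Python example is added here and is not code from WorkOS or Auth0. It joins the two export files, applies the field mapping above, attaches only well-formed bcrypt hashes, and lists users without one for a forced password reset. The join key (user_id of the form auth0|<id> in the user export, _id.$oid in the hash file) and the sample records are assumptions constructed for illustration; adjust them to your files.

```python
import json
import re

# bcrypt modular-crypt string: $2a$/$2b$/$2y$, 2-digit cost, 53 chars of salt+digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
# Mapping from the table above: Auth0 export field -> WorkOS Create User parameter
FIELD_MAP = {"email": "email", "email_verified": "email_verified",
             "given_name": "first_name", "family_name": "last_name"}

# Constructed sample data (not real users; SAMPLE_HASH is a shape-only placeholder)
SAMPLE_HASH = "$2b$10$" + "x" * 53
USERS = """{"user_id": "auth0|u1", "email": "ada@example.com", "email_verified": true, "given_name": "Ada", "family_name": "Lovelace"}
{"user_id": "auth0|u2", "email": "bob@example.com", "email_verified": false}
{"user_id": "auth0|u3", "email": "eve@example.com", "email_verified": true}"""
HASHES = ('{"_id": {"$oid": "u1"}, "passwordHash": "%s"}\n' % SAMPLE_HASH
          + '{"_id": {"$oid": "u3"}, "passwordHash": "not-bcrypt"}')

def read_ndjson(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def hash_index(hash_rows):
    """Index hashes by user id, dropping anything that is not a bcrypt string."""
    index = {}
    for row in hash_rows:
        uid = (row.get("_id") or {}).get("$oid")  # assumed id location
        pw = row.get("passwordHash") or ""
        if uid and BCRYPT_RE.match(pw):
            index[uid] = pw
    return index

def build_payloads(users_text, hashes_text):
    """Return (Create User request bodies, emails that need a password reset)."""
    hashes = hash_index(read_ndjson(hashes_text))
    payloads, needs_reset = [], []
    for user in read_ndjson(users_text):
        if not user.get("email"):
            continue  # a user record without an email cannot be imported
        body = {dst: user[src] for src, dst in FIELD_MAP.items() if src in user}
        uid = user.get("user_id", "").split("|")[-1]  # assumed "auth0|<id>" form
        if uid in hashes:
            body["password_hash_type"] = "bcrypt"
            body["password_hash"] = hashes[uid]
        else:
            needs_reset.append(body["email"])  # no usable hash: force a reset
        payloads.append(body)
    return payloads, needs_reset
```

Each returned body can be sent to the WorkOS Create User API; keep the hash file and any request logs out of shared storage, since they contain credential material.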

Migrate social auth users

If your users previously signed in through Auth0 using social login providers like Google or Microsoft, they’ll still be able to use those same providers once you’ve migrated to WorkOS.

To enable this, configure the provider’s client credentials in WorkOS. Check our integrations page for step-by-step guidance.

Once configured, users can authenticate with their existing provider credentials, and WorkOS will automatically match them to the correct user account based on their email address.

Some users may need to verify their email address through WorkOS if email verification is enabled in your environment’s authentication settings. This depends on whether the provider is known to verify emails. For example, users signing in with Google OAuth using a gmail.com address will not be prompted for extra verification, since Google already guarantees that email’s authenticity.

Step 3: Migrate organizations

Auth0’s concept of Organizations is directly comparable to WorkOS Organizations (both represent a B2B customer account).

To migrate organizations:

  1. Export your organizations from Auth0 using the Auth0 Management API.
  2. For every exported record, call the WorkOS Create Organization API to create its counterpart in WorkOS.
  3. Next, export organization memberships from Auth0 using the Bulk User Export.
  4. Use the WorkOS Organization Membership API to associate each user with their corresponding organization in WorkOS.

Step 4: Migrate SSO connections

One of the most challenging parts of switching identity providers is migrating your existing Single Sign-On (SSO) connections. Each connection typically represents a customer’s identity provider configuration, often using SAML or OIDC, and moving these configurations to a new system can be disruptive. In many cases, it requires asking customers to reconfigure their integrations, which means coordinating with IT teams, scheduling downtime, and potentially introducing friction into the customer experience.

At WorkOS, we have developed a proven process to make this easier. We recently migrated thousands of enterprise connections from Auth0 to WorkOS with minimal disruption, and for 96% of those connections the transition was completely seamless for end users. We captured our learnings in a step-by-step guide: Auth0 to WorkOS enterprise connections migration guide.

Here is a high-level overview of the migration steps:

  1. Export enterprise connections from Auth0 using the Auth0 Management API.
  2. Set up a custom domain with WorkOS (optional but highly recommended for continuity).
  3. Import the exported connections into WorkOS.
  4. Update your application to include the WorkOS callback URL.
  5. Configure a proxy with your Auth0 custom domain so traffic flows seamlessly.
  6. Opt in migrated connections by directing them to the WorkOS authorization URL.
  7. Handle any edge cases with manual connection migration where needed.
  8. Decommission your Auth0 setup once all connections are live in WorkOS.

By following these steps, you can move enterprise SSO connections at scale without forcing each of your customers through a disruptive reconfiguration process.

For details on how to complete each step, follow our Auth0 to WorkOS enterprise connections migration guide.

Step 5: Migrate MFA

There are some differences between the Multi-Factor Authentication (MFA) strategies in Auth0 and WorkOS.

Auth0 supports SMS-based second factors, but WorkOS has deprecated SMS due to well-known security risks with text messaging.

Instead, WorkOS supports TOTP authenticators (like Google Authenticator or Authy) and passwordless options such as Magic Auth via email.

For SSO users, rely on the MFA provided by the identity provider (Okta, Azure AD, etc.) instead of duplicating factors.

If your users currently rely on SMS MFA in Auth0, they’ll need to re-enroll in a supported factor after migration, either by setting up a TOTP authenticator or switching to Magic Auth.

Step 6: Migrate/configure additional features

Every migration looks a little different, depending on which Auth0 features your app relied on. Beyond users and organizations, you’ll likely need to configure other capabilities in WorkOS to fully match your existing setup.

Some areas you may need to review and migrate:

  • Roles and permissions: Recreate any role-based access control logic your app depends on.
  • Audit logs: Enable logging for authentication events to meet compliance or security needs, and stream them to your customers’ SIEM providers.
  • Branding AuthKit: Apply your company’s brand to hosted login and AuthKit components.
  • Email templates: Recreate or customize verification, invitation, and recovery email templates.
  • Directory Sync (SCIM): Configure directory integrations so users are provisioned and deprovisioned automatically.

Because each migration is unique, your exact checklist will vary. The key is to map out which Auth0 features you used and identify their equivalents (or improved versions) in WorkOS.

Step 7: Plan your cutover strategy

Migrating identity systems is not just about moving data. It’s about deciding when and how to route live authentication traffic from Auth0 to WorkOS. The right approach depends on your risk tolerance and customer commitments.

Common strategies include:

  • Phased rollout: Gradually move subsets of users or organizations to WorkOS. This minimizes risk and lets you validate flows in production, but adds complexity since both systems run in parallel for a period.
  • Big bang cutover: Flip all users to WorkOS at once. This is simpler operationally but higher risk, since any missed configuration can cause widespread login issues.
  • Dual-write / dual-auth: Temporarily authenticate users against both systems to smooth the transition. This requires extra engineering but ensures no user gets “stuck” during migration.

No matter which approach you choose, make sure you:

  • Communicate clearly with internal stakeholders and customers.
  • Instrument monitoring and alerts on login success/error rates.
  • Have a rollback plan if things don’t go as expected.

Step 8: Post-migration checklist

After you switch over, there are several things that you might need to check, depending on your implementation. Here are some of them:

  • Verify that all imported users can authenticate successfully.
  • Ensure every user is mapped to the correct organization.
  • Test TOTP and Magic Auth flows for users who require additional security.
  • Confirm that Google, Microsoft, and other provider logins work correctly.
  • Validate each enterprise SSO integration (SAML, OIDC) and confirm metadata is up-to-date.
  • Check that role-based access controls are in place and enforced correctly.
  • Make sure logging is enabled and capturing the right events for compliance.
  • Review hosted login pages and AuthKit components to confirm your branding looks correct.
  • Test verification, invitation, and password recovery templates to ensure they render and send properly.
  • Confirm user provisioning and deprovisioning works as expected for directory integrations.
  • Track login error rates, password resets, and support requests to catch issues early.
  • Once stable, safely deprecate Auth0 in production and remove old integrations.

Every migration is unique. Reach out to WorkOS Support to collaborate on your specific use case. We can help before, during, and after migration to ensure a smooth transition.

Conclusion

Migrating from Auth0 to WorkOS isn’t just a lift-and-shift; it’s a chance to upgrade your identity system for enterprise readiness with predictable pricing. With careful planning, phased rollout, and close monitoring, your team can transition smoothly and unlock better B2B identity features.

If you’re considering an Auth0 migration, don’t do it alone; our team can partner with you through every stage of the process. Contact WorkOS Support to start planning your migration today.

Explore the full WorkOS migration guide for more details.
