Clerk pricing is a growth tax
Your bill grows. Your features don't.
Clerk's pricing scales with users, not features. Growth becomes a cost center.
Compare
The moment a B2B deal requires SSO, SCIM, and an IT security review, engineering teams choose WorkOS. Built for enterprise from day one.
Both products handle authentication. Only one was built around the enterprise primitives that B2B deals require.
Clerk
Built for consumers. Enterprise was bolted on top.
Core primitives
Consumer Login
Social, MFA, Passkeys, Email/Password
Bolted on later
WorkOS
Built enterprise-first. Use the primitives modularly via API, or bundled all-in-one with AuthKit.
Core primitives
AuthKit adds hosted sign-in, social login, MFA, and passkeys. No UI to build.
Why teams switch
Clerk pricing is a growth tax
Clerk's pricing scales with users, not features. Growth becomes a cost center.
We're building around Clerk, not with it.
When your requirements don't fit Clerk's model, auth becomes a maintenance project instead of a solved problem.
Clerk keeps going down.
Enterprise procurement expects 99.99% uptime SLA.
Reliability
Auth is critical-path infrastructure. When your auth provider goes down, your application is down with it. That moment is what an enterprise customer remembers.
99.99%
historical uptime
Enterprise SLA. 99.999% available on special contractual terms.

We did not want to keep optimizing our business around avoiding auth fees. It was counterproductive. Cursor now completely runs on WorkOS. Login times are much faster, the signup page looks much better.
WorkOS exclusive
Fine-grained authorization for any resource in your app.
Encryption key management for tenant-isolated data and PII.
Real-time fraud, bot, and abuse detection beyond CAPTCHA.
App integrations to 100+ providers, without building OAuth.
Capture notable actions and give enterprise customers a self-serve way to view, export, and stream logs to a SIEM.
Migration
Most teams migrate from Clerk to WorkOS in days using our guide and open-source CLI: users, password hashes, and social logins carry over without disruption.
Use the Clerk SDK to export users, orgs, memberships, and metadata. Password hashes are exportable and carry over.
Run the open-source migration CLI. It maps Clerk schema to WorkOS, handles deduplication, and verifies counts.
Flip your auth provider in code. Existing social logins and active sessions keep working. Most teams cut over in a single deploy.
We migrated from Clerk to WorkOS with zero downtime for our enterprise customers. Clear documentation, flexible APIs, and a responsive team made the migration seamless.
Pricing
Transparent, usage-based pricing with automatic volume discounts — so growth doesn't turn into a cost center.
Your bill depends on plans, usage, and add-ons.
Predict your usage
Figure out which plan covers your features
Add the add-ons
What about SAML?
What about company admins?
Individual product selection. Pay only for what you use, with automatic volume discounts.
AuthKit
User management + auth
Single Sign-On
SAML + OIDC
Directory Sync
SCIM
Audit Logs
SIEM streaming
RBAC
Role-based access
MCP Auth
Agent authentication
Admin Portal
IT onboarding
* Volume discounts apply automatically to SSO and Directory Sync: $100/conn (16–30), $80 (31–50), $65 (51–100), $50 (101–200). Custom at 201+.
See full pricingProvider coverage
Provider coverage
Pre-built SSO providers
3 pre-built SAML providers: Okta, Entra ID, Google Workspace. OIDC via EASIE for Entra ID and Google Workspace only. Custom SAML/OIDC for all others
20+ providers with dedicated setup guides for Okta, Entra ID, Google Workspace, PingFederate, SailPoint, CyberArk, and more
Pre-built SCIM providers
2 providers (Okta, Microsoft Entra ID)
12+ providers including Okta, Entra ID, Google Workspace, JumpCloud, OneLogin, and more.
Google Workspace Directory Sync
Custom SCIM config only — not natively supported
Native, dedicated integration
HRIS integrations (Workday, BambooHR, Rippling)
Not available — lifecycle is IdP-only
Available — lifecycle from your customer's HR system, not just their IdP
Multi-tenancy
Organizations included free
100 MROs (Monthly Retained Orgs) included on every plan.
Unlimited
Members per organization
20 per org without the B2B add-on. Unlimited with B2B Authentication ($100/mo).
Unlimited
Organization overage
$1/MRO (101–1K), $0.90 (1K–10K), $0.75 (10K–100K), $0.60 (100K+). Requires B2B Authentication add-on.
No per-org fees
Org-scoped auth policies
Limited support. Some features require the B2B Authentication add-on
Each organization gets its own SSO connection, MFA requirements, and session policies, enforced independently across tenants.
Enterprise features
Enterprise SSO (SAML)
1 connection included on Pro. Connections 2–15: $75/mo each. Then $60 (16–100), $30 (101–500), $15 (500+).
$125/connection (1–15), dropping to $100 (16–30), $80 (31–50), $65 (51–100), $50 (101–200).
Enterprise SSO (OIDC)
EASIE only - multi-tenant OIDC. No dedicated single-tenant OIDC connections
Single-tenant OIDC connections. Same dedicated setup guides, support, and volume pricing as SAML
Directory Sync (SCIM)
Real-time provisioning and deprovisioning. Role mapping via IdP groups available for Okta and Microsoft Entra ID only.
Real-time provisioning and deprovisioning with automatic role mapping across all supported providers.
Audit Logs
Internal Application Logs for your engineering team only, visible in the Clerk Dashboard (30-day retention on Business, SIEM streaming on Enterprise only). No self-serve audit trail for your enterprise customers.
Customer-facing audit trail embedded in the B2B SaaS product. End users can export and stream their own activity to a SIEM without involving engineering
Admin Portal (self-serve IT)
Self-serve SSO configuration available (June 2026). SCIM still requires developer involvement. Developer must enable per organization
Included on all paid plans. Enterprise IT teams configure and manage SSO and SCIM independently, no engineering involvement required.
Login page branding
“Secured by Clerk” shown by default on all tiers. Removable on Pro ($25/mo) and above.
No WorkOS branding at any tier. Your login page, your brand — on every plan.
MCP Auth
OAuth authorization server with Dynamic Client Registration and consent screens for scoped agent access tokens
OAuth 2.1 (AuthKit) with tool-level permissions and PKCE. Pipes MCP gives agents session-scoped, auto-expiring access to 100+ integrations
Agent Auth
Agent Tasks (beta) — isolated sessions for agents acting on behalf of a user. No access revocation on offboarding
auth.md for agent identity discovery and registration. Directory Sync ensures agent access is revoked when the authorizing user is deprovisioned
Bot and fraud protection
Basic bot protection: signup-level CAPTCHA only. No post-authentication fraud detection, behavioral analysis, or runtime signals.
Radar: real-time bot scoring, fraud detection, and abuse prevention across the entire auth funnel — signup, login, and post-authentication runtime signals.
SOC 2 / HIPAA artifacts
SOC 2 Type II on Business ($250/mo annually) and above. HIPAA included on Business. HIPAA BAA on Enterprise only
SOC 2 Type II and HIPAA BAA available as standard across all plans.
User management & security
Custom roles
Requires the B2B Authentication add-on ($100/mo)
Included
User impersonation
5/month free on all plans. Unlimited with the Administration add-on ($100/mo).
Included
Auto-join / domain restrictions
Requires the B2B Authentication add-on (same $100/mo as Custom roles)
Included with AuthKit
Last verified June 23, 2026
Sources: clerk.com/pricingworkos.com/pricing
Whether you're ahead of your first enterprise deal or already in a security review — we'll get you there.