AuthStack

Usage-based authentication. Drop-in OAuth, JWT & passkeys.

The Auth0, Clerk & Stytch alternative built for devs who hate per-seat pricing. OAuth 2.0, JWT, SSO, passwordless, and WebAuthn passkeys — first-class SDKs for Flutter, .NET & web. Pay only for active users.

v2.0 · vault Material 3 · dark-first primary #65CE65 1,000 MAU · free
The flow

One handshake, every Stack

Standard OAuth 2.0 with PKCE. No proprietary protocol, no client secret in your binary. Drop in the SDK or wire it by hand.

01

Client requests

Your app calls the AuthStack SDK or hits /authorize directly.

GET /oauth/authorize?
  client_id=as_live_•••
  redirect_uri=app://cb
02

AuthStack verifies

We handle sign-in, MFA, provider exchange — issue scoped tokens.

// 302 redirect back
?code="ax_oNc7…"
&state="<nonce>"
03

Your API trusts

Exchange the code, validate the JWT, you have a verified user.

Authorization:
Bearer eyJhbGciOi…
// signed by AuthStack
// Install

Drop in, ship today

First-party SDKs for the platforms VooStack ships on. Or skip the SDK — it's standard OAuth 2.0 + JWT, every step of the way.

$ flutter pub add voo_authstack_client
import 'package:voo_authstack_client/voo_authstack_client.dart';

final client = AuthStackClient(
  clientId: 'as_live_•••',
  baseUrl: 'https://app.authstack.voostack.com',
);

final session = await client.signInWithProvider(
  OAuthProvider.google,
);

context.go('/dashboard', extra: session.user);
Read the Flutter SDK guide →
$ dotnet add package AuthStack.Client
using AuthStack.Client;

var client = new AuthStackClient(new AuthStackOptions
{
    ClientId = "as_live_•••",
    BaseUrl = "https://app.authstack.voostack.com",
});

var session = await client.ExchangeCodeAsync(code, redirectUri);
HttpContext.User = session.Principal;
Read the .NET SDK guide →
$ # OAuth 2.0 — no SDK needed
# 1. send the user to /authorize
open "https://app.authstack.voostack.com/oauth/authorize?\
  client_id=as_live_•••&\
  response_type=code&\
  redirect_uri=https://your.app/callback"

# 2. exchange the code for a JWT
curl -X POST https://app.authstack.voostack.com/oauth/token \
  -d 'grant_type=authorization_code' \
  -d 'code=ax_oNc7…' \
  -d 'client_id=as_live_•••'
Read the REST API reference →
Identity providers

Five OAuth providers, one client

Configure provider credentials once at the org level. Scope which providers are enabled per application. No code changes to add or remove.

Google configured
GitHub configured
Microsoft configured
Apple configured
Discord configured
The vault set

Everything an auth layer should be

No half-features. Each piece is production-ready on day one, with the boring parts (rotation, replay protection, rate limits) handled.

OAuth 2.0 + PKCE

Standards-compliant authorization code flow with PKCE for public clients. No custom protocols, no SDK lock-in.

JWT tokens

Signed access and refresh tokens. Configurable expiry, scope-based claims, and key rotation handled for you.

Hosted sign-in

A polished login surface that adopts your brand colors and logo per application. Customers stay in your visual world.

Org & app model

Organizations own applications, applications own users. Role-based access for owners, admins, members, viewers.

Audit trail

Every sign-in, every secret rotation, every config change is logged with actor, target, and outcome.

Webhooks

Subscribe to user.created, session.revoked, application.* events. HMAC-signed payloads, retry with backoff.

Usage-based pricing

MAU-based authentication pricing — no seats, no tiers

The Auth0 / Clerk / Stytch alternative for teams tired of per-seat bills. 1,000 monthly active users free every month — after that, a flat per-MAU rate. Pay for actual sign-ins, not for sales reps you never hired.

FREE TIER 1,000 monthly active users no card · no expiry
AFTER THAT $0.005 per active user / month billed monthly · usage rolled up
AT 1M+ MAU talk to us volume + SLA support@authstack.voostack.com
Start free
no setup fee cancel anytime migrate off freely
Security model

Built like a vault, from day one

Every default is the cautious one. The boring, well-studied primitives — not a clever in-house cipher anywhere in sight.

PASSWORD

bcrypt @ cost 12, per-user salt, peppered server-side.

TOKEN

JWT RS256 with rotating 4096-bit keys, 15-min access TTL.

RATE

Per-IP and per-account throttles on /token and /authorize.

AUDIT

Every state change is logged with actor, target, outcome, ip.

TRANSPORT

TLS 1.3 only. HSTS preloaded. No HTTP fallback, ever.

REPLAY

Nonces on every code exchange. Authorization codes single-use.

Start in two minutes.

Sign up, create an application, drop a client ID into your SDK. That's the whole onboarding. No sales call required.

→ docs/getting-started/quick-start