Keycloak vs Stytch: Comparison for Modern Auth

Guilliano Molaire Guilliano Molaire 10 min read

Last updated: June 2026

Stytch is a commercial, developer-first auth API that specializes in passwordless authentication — magic links, OTP, passkeys, and B2B auth — delivered as a hosted API and SDK with no infrastructure to manage. Keycloak is an open-source, self-hostable identity provider with full standards support (OIDC, SAML 2.0, OAuth 2.0), federation, identity brokering, and its own built-in WebAuthn/passkeys implementation. Choose Stytch for fast, API-driven passwordless with no ops overhead; choose Keycloak for open-source control, standards depth, enterprise federation, and a cost model that does not scale with your user count — and use managed Keycloak through a service like Skycloak to eliminate the infrastructure burden entirely.

What each product is

Stytch

Stytch is a proprietary authentication platform founded in 2020 and built specifically around modern, passwordless-first authentication patterns. It exposes a REST API and client SDKs (JavaScript, React, React Native, Python, Ruby, Go, and more) that let developers add magic links, email OTP, SMS OTP, WhatsApp OTP, TOTP, OAuth social login, passkeys, and session management without building or operating any identity server.

Stytch’s B2B product extends this to SaaS use cases: multi-tenant organizations, SAML SSO, OIDC SSO, SCIM provisioning, and role-based access control scoped per organization. The B2B layer positions Stytch directly against products like Clerk, WorkOS, and Auth0’s enterprise tier.

Stytch does not publish a self-hosted option. All authentication flows run on Stytch’s infrastructure. You integrate via API calls and webhooks; the user data lives in Stytch.

Keycloak

Keycloak is an open-source identity and access management platform maintained by Red Hat (now part of the Keycloak community under a vendor-neutral governance model). Released under the Apache 2.0 license, it supports OIDC, SAML 2.0, OAuth 2.0, LDAP/Active Directory federation, Kerberos, and identity brokering with any external OIDC or SAML provider.

Keycloak 26.x runs on Quarkus and is packaged as a single binary that can be deployed to bare metal, VMs, Docker, Kubernetes, or OpenShift. It includes a full admin console, a customizable login theme engine, an SPI (Service Provider Interface) system for extending almost any internal behavior, and built-in support for WebAuthn/passkeys.

You can self-host Keycloak for free, or use a managed service like Skycloak that handles provisioning, patching, scaling, and backups on your behalf.

Feature comparison

Feature Keycloak 26.x Stytch
License Open source (Apache 2.0) Proprietary SaaS
Hosting model Self-hosted or managed Hosted SaaS only
OIDC Full provider and client Partially (B2B tier)
SAML 2.0 Full SP and IdP B2B tier (IdP-initiated + SP-initiated)
OAuth 2.0 Full, including advanced grants API-level token exchange
Magic links Via SPI or email link auth Native, first-class feature
Email / SMS OTP Native Native, first-class feature
Passkeys / WebAuthn Native (WebAuthn authenticator) Native (Passkeys API)
TOTP Native Native
Social / OAuth login Any OIDC or SAML provider ~20 pre-built providers
LDAP / AD federation Native No
SCIM provisioning Native (B2B tier for Stytch) B2B tier only
Identity brokering Native (chain multiple IdPs) No
Multi-tenancy Realms + Organizations Organizations
RBAC Full RBAC + fine-grained authz Organization-scoped roles
Fraud / device signals Via SPI integration Built-in device fingerprinting
Session management Full admin control API-managed sessions
Custom login UI Full theme customization SDK components + custom styling
Audit logs Native event log + SPI Dashboard + webhook events
Per-MAU pricing No Yes
Data ownership Full (you own the DB) Stytch owns user data

Passwordless and passkeys

Passwordless is the core reason most teams evaluate Stytch. Stytch’s developer experience for magic links and passkeys is genuinely excellent: a single API call sends a magic link, another call authenticates the token, and the SDK handles browser-side WebAuthn ceremony for passkeys. The time-to-first-auth is measured in hours, not days.

Keycloak also supports passwordless natively. WebAuthn authenticators and passkeys are configured through the Authentication Flows section of the admin console. You can create a browser flow that skips the password field entirely and requires a WebAuthn assertion:

  1. In the Keycloak admin console, go to Authentication > Flows.
  2. Duplicate the Browser flow.
  3. Add a WebAuthn Authenticator execution and set it to Required.
  4. Remove or set the Password execution to Disabled.
  5. Bind the custom flow to the client or realm browser flow.

For magic links, Keycloak does not include a built-in magic-link flow in the same polished form Stytch provides. You would implement it via a custom authenticator SPI or use an extension like the magic-link authenticator available from the Keycloak community. This is a meaningful DX gap: Stytch wins on out-of-the-box passwordless ergonomics. For a deeper look at Keycloak’s WebAuthn support, see our guide on Keycloak WebAuthn and passwordless with passkeys.

If passwordless is the dominant concern for your project and you are not already running Keycloak, Stytch’s frictionless API is hard to beat. If you need passwordless alongside SAML federation, LDAP sync, or OIDC brokering, Keycloak’s built-in WebAuthn support means you do not need a second vendor.

To understand why passwordless adoption is accelerating, see why is everyone talking about passwordless authentication.

Protocols and standards

Capability Keycloak Stytch
OIDC IdP Full Partial (B2B, limited)
SAML 2.0 IdP Full (SP- and IdP-initiated) B2B tier
SAML 2.0 SP Full No
OAuth 2.0 authorization server Full No
LDAP/Kerberos Yes No
JWT signing (RS256, ES256, PS256) Yes Yes
PKCE Yes Yes
Token introspection Yes Yes
Device Authorization Grant Yes No

Keycloak is a full authorization server and identity provider in the OIDC/OAuth 2.0 sense. Applications can register as clients, receive ID tokens and access tokens, and interact with the token introspection and JWKS endpoints using standard libraries. Stytch issues its own session tokens and provides JWT verification utilities, but it is not a compliant OIDC authorization server that arbitrary OIDC relying parties can discover and connect to.

This distinction matters at enterprise scale. If your customers need to federate your application into their corporate SSO, Keycloak can act as an IdP they configure their downstream apps against. Stytch’s B2B tier handles the reverse — connecting your app to your customers’ IdPs — but the trust anchor is always Stytch’s infrastructure.

Federation and SSO

Keycloak’s identity brokering is one of its most powerful, and least-discussed, capabilities. A Keycloak realm can consume external IdPs (Google, Azure AD, Okta, ADFS, any OIDC/SAML provider) and re-issue its own tokens to downstream applications. This means your application stack talks only to Keycloak; Keycloak handles the upstream complexity.

Stytch’s B2B product connects each customer organization to their IdP (SAML or OIDC) on a per-org basis, which is the standard multi-tenant SSO pattern. This works well for SaaS apps offering enterprise SSO to customers. It does not offer the same depth for complex scenarios like chaining multiple upstream IdPs, mapping attributes across protocols, or acting as a SAML IdP for applications that don’t natively speak OIDC.

LDAP and Active Directory federation is Keycloak-only. If any part of your user base authenticates against an on-premises directory, Keycloak’s LDAP user federation with configurable sync, attribute mapping, and Kerberos pass-through is essential.

Customization and extensibility

Keycloak’s SPI system is a genuine differentiator. Nearly every internal behavior — authentication flows, user storage, token claim mapping, event listening, brute force protection, and more — can be overridden by deploying a JAR file to the Keycloak providers directory. This means teams with complex enterprise requirements (custom step-up auth, legacy user storage, proprietary MFA, audit sinks) can implement them without forking Keycloak.

Stytch’s customization surface is the API. If Stytch exposes an endpoint for it, you can do it; if it does not, you cannot. The device fingerprinting and fraud signals Stytch builds in are a good example of where a hosted product can offer more out-of-the-box value than an open-source platform that expects you to integrate a third-party fraud service.

Login UI customization follows the same divide. Keycloak uses FreeMarker templates for its login pages — full control over HTML, CSS, and JavaScript at the cost of understanding the theme system. Stytch provides SDK components that accept CSS overrides and headless flow support for fully custom UIs.

Cost model comparison

Dimension Keycloak Stytch
Pricing model Free (self-hosted) or flat-rate managed Per-MAU (tiers)
Scales with users No Yes
Infrastructure cost Your ops cost or managed fee None (included in SaaS)
No per-MAU ceiling Yes No
Open-source audit rights Full No

Stytch charges based on monthly active users. This is common in the auth SaaS market and works well at low volume. As your user base grows into the hundreds of thousands or millions, per-MAU costs become significant. Stytch does not publish a public per-MAU rate for all tiers; costs depend on plan and negotiation.

Keycloak has no per-MAU fee. The cost model is infrastructure (your servers or a managed service fee) plus operational overhead. With self-hosted Keycloak, you pay for compute and your team’s time. With managed Keycloak via Skycloak, you pay a predictable flat rate that does not increase as you add users.

For a detailed analysis of how these cost models diverge at scale, see self-hosted vs managed authentication cost.

Operational burden: the honest trade-off

Stytch’s biggest advantage over self-hosted Keycloak is zero infrastructure. You make API calls; Stytch handles availability, scaling, upgrades, and security patching. For teams without dedicated DevOps capacity, this is a meaningful trade-off.

Self-hosted Keycloak is a different story. Operating a production Keycloak cluster requires:

  • High-availability deployment (typically Kubernetes with multiple replicas)
  • A reliable, backed-up database (PostgreSQL is the recommended default)
  • Session clustering (JGroups/Infinispan distributed cache)
  • Certificate management and TLS termination
  • Monitoring and alerting (JVM metrics, Keycloak-specific health endpoints)
  • Upgrade planning (Keycloak has a migration path between major versions that must be followed carefully)

This is non-trivial. It is the honest reason many teams choose a hosted auth API over Keycloak, even when Keycloak would otherwise meet their requirements.

Managed Keycloak removes this burden. Skycloak runs production-grade Keycloak clusters on your behalf, handling upgrades to Keycloak 26.x, backups, scaling, and an SLA — so you get Keycloak’s open-source depth without the ops complexity.

When to choose Stytch

  • Your primary use case is passwordless authentication and you want it working in hours.
  • Your app is frontend-first and you want an SDK that handles the UI and ceremony for passkeys and magic links.
  • You need built-in device fingerprinting and fraud signals without integrating a third-party service.
  • Your team has no DevOps capacity and cannot operate infrastructure.
  • You are building a B2B SaaS app and need per-org SAML/OIDC SSO as your enterprise feature.
  • Your user base is at a scale where per-MAU fees remain within budget.
  • You do not need LDAP/AD federation or identity brokering.

When to choose Keycloak

  • You need a full OIDC/OAuth 2.0 authorization server with standards-compliant token endpoints.
  • Your enterprise customers require LDAP, Active Directory federation, or Kerberos.
  • You need identity brokering — Keycloak consuming multiple upstream IdPs and re-issuing tokens to downstream apps.
  • You need SAML 2.0 in both IdP and SP directions.
  • Cost predictability at scale matters: no per-MAU surprises as your user count grows.
  • Data ownership and residency are non-negotiable — your user database stays under your control.
  • You need deep customization via SPIs (custom auth flows, custom user storage, custom event listeners).
  • You want to avoid vendor lock-in: Keycloak is open source and can be migrated to any provider.

For a broader view of open-source auth alternatives, see our Keycloak vs Clerk comparison and the complete Keycloak guide.

Frequently asked questions

Is Keycloak a Stytch alternative?

Yes, for most use cases. Keycloak covers the core capabilities Stytch provides — passwordless auth via WebAuthn/passkeys, OTP, social login, multi-tenant organizations, SAML SSO, SCIM provisioning, and RBAC — plus adds LDAP/AD federation, identity brokering, and a fully open-source codebase. The key differences are the delivery model (self-hosted or managed vs. SaaS-only), the passwordless developer experience (Stytch is faster to implement for magic links), and the cost model (Keycloak has no per-MAU fee). Teams that want Keycloak’s capabilities without the infrastructure work can use a managed service like Skycloak.

Is Stytch open source?

No. Stytch is a proprietary, closed-source SaaS platform. The client-side SDKs (JavaScript, React, mobile) are published as open-source libraries on GitHub, but the authentication server, API infrastructure, and user data storage are Stytch’s proprietary systems. There is no self-hosted Stytch option. Keycloak, by contrast, is fully open source under the Apache 2.0 license — the complete server source code is available, auditable, and deployable on your own infrastructure.

Does Keycloak support passwordless and passkeys?

Yes. Keycloak 26.x includes native WebAuthn support for both hardware security keys and passkeys (device-bound or synced credentials). You configure passwordless flows through the admin console’s Authentication Flows section, building a browser flow that requires a WebAuthn assertion without a password step. Keycloak also supports email OTP and TOTP as passwordless-adjacent factors. For a full walkthrough, see our post on Keycloak WebAuthn passwordless with passkeys. Stytch’s passkey implementation has a shorter integration path, but Keycloak’s native WebAuthn support means you do not need a second vendor if you are already running Keycloak.

Does Stytch support LDAP or Active Directory?

No. Stytch does not support LDAP or Active Directory federation. If your user base authenticates against an on-premises directory — a common requirement in enterprise, healthcare, financial services, and government environments — Keycloak’s LDAP user federation is the appropriate choice. Keycloak can sync users from LDAP, map directory attributes to token claims, support Kerberos pass-through authentication, and keep the directory as the authoritative user store.

What is the cost difference between Keycloak and Stytch at scale?

The models diverge significantly at scale. Stytch charges per monthly active user; as your user base grows, so does your bill. Keycloak is free to use and distribute under the Apache 2.0 license — there is no per-MAU fee regardless of how many users authenticate. The cost of self-hosted Keycloak is infrastructure and operational time. Managed Keycloak (via Skycloak) replaces that with a predictable flat rate. For teams with large or fast-growing user bases, the per-MAU model can become the dominant auth cost driver within a year or two of growth.

Conclusion

Stytch and Keycloak are both strong products aimed at different buyers. Stytch wins on passwordless developer experience and time-to-production for teams that want an API with no infrastructure. Keycloak wins on standards depth, federation, data ownership, extensibility, and a cost model that does not penalize user growth.

The operational complexity of self-hosted Keycloak was a genuine trade-off — past tense. Managed Keycloak through Skycloak delivers production-grade Keycloak clusters with managed upgrades, backups, monitoring, and an SLA, so teams get Keycloak’s full capability without the infrastructure burden that historically pushed teams toward hosted auth APIs.

If you are evaluating auth infrastructure and want open-source control, standards compliance, and predictable pricing at scale, Skycloak is worth a look.

Tired of running Keycloak yourself?

Skycloak runs real upstream Keycloak for you with a 99.99% SLA. No fork, no lock-in, just managed Keycloak that stays patched and on call so you don't have to.

Guilliano Molaire
Written by
Founder

Guilliano is the founder of Skycloak and a cloud infrastructure specialist with deep expertise in product development and scaling SaaS products. He discovered Keycloak while consulting on enterprise IAM and built Skycloak to make managed Keycloak accessible to teams of every size.

Start Free Trial Talk to Sales
© 2026 Skycloak. All Rights Reserved. Design by Yasser Soliman