// guide
Amazon Cognito alternatives for B2B SaaS, when the AWS config tax stops paying off.
Cognito is cheap per-MAU and integrates cleanly with the rest of AWS — but B2B SaaS hits a wall fast: organizations, invites, SAML, SCIM, and admin impersonation all become custom Lambda triggers, pool-per-tenant gymnastics, or a parallel auth service. Here is how Kinde, Stytch, Clerk, and WorkOS compare when your buyers are teams, not individuals. Pricing checked June 2026.
Why teams leave Cognito
Cognito's per-MAU price is hard to beat, but the engineering bill catches up. The common triggers for migration:
- Multi-tenancy requires pool-per-tenant or custom-attribute hacks
- No first-class orgs, invites, or member roles
- SAML/SSO works, but configuration is per-identity-provider and painful
- Hosted UI is dated; most teams rebuild it
- Lambda triggers for every non-trivial flow
- Support is AWS-tier, not auth-specialist
Pricing and B2B feature comparison
| Tool | Pricing | B2B multi-tenancy | Best for |
|---|---|---|---|
| Amazon Cognito | Free up to 10k MAU · $0.0055/MAU after · Advanced security +$0.05/MAU | Roll-your-own (groups + custom attrs, or pool-per-tenant) | Teams already deep in AWS that can absorb the configuration overhead. |
| Kinde | Free up to 10.5k MAU · Plus $25/mo · Scale $199/mo | Yes — orgs + roles + policies + SAML | Cognito refugees who want B2B primitives without writing Lambda triggers. |
| Stytch | Free tier (up to 10k MAU) · B2B from ~$249/mo | Yes — full B2B authentication product | Engineering teams that want flexible APIs and passwordless or magic-link first flows. |
| Clerk | Free up to 10k MAU · Pro $25/mo · Enhanced auth add-ons billed separately | Yes — orgs + roles + invitations | Teams that want pre-built UI and the fastest possible time-to-market. |
| WorkOS | Free up to 1M MAU for AuthKit · SSO $125/connection/mo | Yes — enterprise-grade by default | B2B SaaS that needs to close enterprise deals with SAML and SCIM today. |
Amazon Cognito
User pools support groups and custom attributes, but multi-tenant orgs, invites, and SAML require heavy custom code, Lambda triggers, and separate user pools per tenant.
Kinde
Organizations, roles, feature flags, and SAML/SSO are first-class. Drop-in UI components and an SDK that mirrors Clerk's DX without the consumer-first defaults.
Stytch
API-first, passwordless-first, with a dedicated B2B product line that ships organizations, SSO, SCIM, JIT provisioning, and discovery flows out of the box.
Clerk
Organizations, invites, and roles ship on Pro; SAML, RBAC, and impersonation move to Enterprise. Best-in-class pre-built UI and session management.
WorkOS
Built specifically for selling to enterprise. SSO, SCIM, audit logs, and Directory Sync are the core product. AuthKit covers the rest of auth on a generous free tier.
Who should switch from Cognito
- ✓You need orgs, invites, and roles — and you don't want to build them on Lambda triggers.
- ✓Enterprise buyers are asking for SAML and SCIM and you need to ship them this quarter.
- ✓You're rebuilding the hosted UI anyway — you'd rather use components than templates.
- ✓You want auth-specialist support, not a generic AWS support tier.
Who should stay on Cognito
- ·You're deep in AWS (IAM, API Gateway authorizers, AppSync) and the integration is doing real work.
- ·Your auth needs are consumer-style: signup, login, password reset, social.
- ·You operate at millions of MAU where per-MAU cost dominates the TCO.
- ·Compliance requires data and auth to live in a specific AWS region you control.
Savings math at 25,000 MAU
- Cognito: ~$82/mo at 25k MAU + ~$750/mo if Advanced Security is on, plus engineering time for orgs/SAML.
- Kinde Scale: ~$199/mo flat with orgs, SAML, and roles included — no Lambda glue.
- WorkOS: AuthKit free up to 1M MAU; pay only per SSO connection (~$125/mo each) when an enterprise customer turns it on.
- Stytch B2B: From ~$249/mo with orgs, SSO, and SCIM bundled; cheaper than negotiating Cognito + a separate SSO vendor.
- Clerk: ~$25/mo Pro + add-ons; Enterprise required for SAML and impersonation.
The honest number is engineering: building Cognito multi-tenancy plus SAML connectors plus an admin UI is typically 4–8 sprints. Every alternative on this list ships that out of the box.
Migration trade-offs
- !Password hashes leave Cognito only via a custom export flow (Lambda + just-in-time migration on first login). Plan for a long tail of dormant users.
- !JWT shape changes. Anything verifying Cognito-issued tokens (API Gateway authorizers, downstream services) needs to switch verifiers.
- !If you used Cognito Identity Pools for AWS resource access, you'll need to keep that piece or replace it with STS + your own token exchange.
- !Run both providers in parallel during the cutover window. A hard flip on a B2B customer base usually goes badly.
Final verdict
For most B2B SaaS teams leaving Cognito, Kinde is the cleanest swap — orgs, SAML, and roles ship without Lambda glue, and the DX is close to Clerk's. Pick WorkOS if your near-term blocker is closing enterprise deals on SSO and SCIM — its free AuthKit plus per-connection SSO pricing is hard to beat. Pick Stytch if you want a passwordless-first B2B product with discovery flows built in. Pick Clerk if pre-built UI matters more than enterprise feature breadth. Stay on Cognito only if you're deeply AWS-native and your auth needs are still consumer-shaped.
Sources
Related guides
Prices change often — verify on the vendor's site before switching.