SAASPOCALYPSE verdict #OKTA-8AD6
scanned 2026.05.02 · 04:58
subject of investigation

okta.com

enterprise identity & access management platform
verdict: CONTESTED
wedge score: 44/100
tier · contested
wedge thesis

the door is the SMB/indie tier: Okta's pricing and sales motion are enterprise-first, leaving a wide gap for a self-serve, developer-friendly identity layer that doesn't require a procurement cycle.

real walls — pick your flank · ship in 3 months · run for $22.00 + usage
wedge map

where the walls are.

the door

no proprietary corpus — they're running on off-the-shelf data.

watch out

their distribution is fortress-grade — they own their brand SERP end-to-end.

capital       4.0/10   investment the incumbent had to make
technical     5.6/10   depth of the underlying engineering
network       0.0/10   users compound users
switching     8.0/10   stickiness of customer data + workflow
data door     0.0/10   proprietary data accumulates over time
regulatory    4.0/10   real licenses, not SOC 2 theater
distribution  9.5/10   brand SERP grip, knowledge graph, news flow
take

the blunt take.

color around the thesis

Okta is genuinely good at what it does, and what it does is sell to enterprise procurement teams. The wedge isn't technical — it's that every small team paying $6–$8/user/mo for SSO is subsidizing a sales org that will never call them back.

The core primitives — OIDC/OAuth2, SAML, MFA, directory sync — are open standards with mature libraries. The moat is integrations (7,000+ in their network), compliance posture (FedRAMP, HIPAA, SOC 2), and enterprise trust. None of those are replicable fast, but none of them matter to a 10-person startup either.

cost

cost of competing.

their price ←→ your run-rate
what they charge
Workforce Identity (SSO + MFA): $6–8 / user / mo
enterprise contracts negotiated; SMB pricing higher per seat; Auth0 starts at $23/mo for 1K MAU
annual: $72–96 per user
what running yours costs
01 · Vercel Pro (dashboard + API routes) · $20.00
02 · Supabase free (user directory, sessions) · $0.00
03 · Resend (email MFA, magic links) · $0.00
04 · Cloudflare R2 (audit log storage) · $1.00
05 · Domain · $1.00
06 · Redis via Upstash free (session store) · $0.00
07 · SMS MFA via Twilio · ??? (per message)
TOTAL / mo · $22.00 + usage
▸ break-even: immediately at 3+ seats — $15–25/mo self-hosted vs $18–24/mo to Okta at the SMB tier
build

what you're up against.

est. total: 3 months
2 weeks auth core (OIDC/SAML) · 3 weeks admin UI + directory · 3 weeks MFA + social providers · 4 weeks integrations + SDKs · ongoing: compliance theater
difficulty: easy · medium · hard · nightmare

01 · easy · Social OAuth providers
Google, GitHub, Apple — passport.js or arctic library. A few hours each.

02 · easy · Magic link + email OTP
Stateless token, Resend for delivery. Afternoon project.

03 · medium · OIDC provider implementation
Authorization code flow, PKCE, token introspection. Use oidc-provider (Node) — don't roll your own crypto.

04 · medium · SAML 2.0 SP + IdP
samlify or node-saml. XML signing is fiddly. Enterprise customers will test edge cases you haven't imagined.

05 · hard · SCIM 2.0 directory sync
Provisioning/deprovisioning from HR systems (Workday, BambooHR). The spec is underspecified; every vendor implements it differently.

06 · nightmare · Compliance posture (SOC 2, FedRAMP, HIPAA)
This is the actual moat. Not the code — the audit trail, the policies, the pen tests, the legal agreements. Okta has a decade of this. You have a weekend.
stack

their position.

inferred + measured stack
detected signals · measured
cdn: Cloudflare · cdn: Fastly
recommended stack · inferred
Next.js 15 + API routes · Supabase (Postgres for directory + sessions) · oidc-provider + samlify (Node) · Upstash Redis (session/token store) · Resend + Twilio (email/SMS MFA)
rivals

who else has tried this.

indies + alternatives
option A · Keycloak (self-host)
Open source, full-featured IAM. Docker compose up. Handles SAML, OIDC, MFA, federation. The real answer for most teams.

option B · Clerk.com
Developer-friendly auth with a generous free tier. Already eating Okta's lunch at the indie/startup layer.

option C · Authentik (self-host)
Modern open-source Okta alternative. Python-based, actively maintained, covers SSO/SAML/SCIM without the enterprise sales call.
▸ generated with love, by a heartless robot · verdict v2.5 · saaspocalypse.dev