{
  "assumption_density": 0.16666666666666666,
  "assumptions": [
    "The startup has 2 senior backend engineers and no dedicated security/identity team, making build-vs-buy heavily favor buy",
    "SOC 2 compliance is a hard requirement, not aspirational, meaning the auth system must pass auditor scrutiny",
    "50K MAU is the 12-month target, not a floor—if growth significantly exceeds this, Auth0 pricing recalculation is needed",
    "Auth0 Professional plan pricing remains approximately $15,000/year for 50K MAU (verify against current pricing)",
    "The startup's core product is financial services, not identity/auth—auth is infrastructure, not competitive advantage"
  ],
  "confidence": 0.82,
  "id": "463a0e4e-37d2-41e2-ab94-bbeb9ff064a9",
  "next_action": "Create an Auth0 Professional plan trial environment, configure it with your SOC 2-required MFA and session policies, and build an internal abstraction layer (AuthService interface) that wraps Auth0 SDK calls so future provider switches require only adapter changes.",
  "question": "Should a 15-person startup build its own authentication system or use Auth0/Clerk? We handle financial data under SOC 2, have 2 senior backend engineers, and expect to reach 50K MAU within 12 months",
  "question_fit_score": 0,
  "rejected_alternatives": [
    {
      "path": "Build custom authentication using Keycloak or Ory to avoid vendor lock-in and control costs",
      "rationale": "Branch b004 (confidence 0.40) correctly identified real risks (vendor lock-in, shared responsibility, outage history) but its recommendation—having 2 senior engineers build custom auth with Keycloak/Ory—is impractical for a 15-person startup under SOC 2. Custom auth systems require ongoing security maintenance, vulnerability patching, and compliance audit preparation that would consume a disproportionate share of the team's capacity. The cure is worse than the disease at this scale."
    },
    {
      "path": "Use Auth0 (generic recommendation without failure modes)",
      "rationale": "Branch b001 (confidence 0.85) reached the same conclusion as b002 but provided no specifics on pricing, failure modes, or mitigations. b002 is strictly superior in actionability."
    }
  ],
  "reversal_conditions": [
    {
      "condition": "MAU grows beyond 200K+ and Auth0 costs exceed $50K/year, while the engineering team grows to 30+ with dedicated security engineers",
      "flips_to": "Migrate to self-hosted Keycloak or Ory behind the AuthService abstraction layer built during initial implementation"
    },
    {
      "condition": "Auth0 experiences repeated extended outages (3+ multi-hour incidents per year) affecting financial transaction authentication",
      "flips_to": "Evaluate Clerk or self-hosted alternatives, using the abstraction layer to minimize migration cost"
    },
    {
      "condition": "The product pivots to identity/auth as a core feature (e.g., identity verification for financial services becomes the product)",
      "flips_to": "Build custom authentication as a core competency since auth IS the product"
    }
  ],
  "unresolved_uncertainty": [
    "Auth0 Professional plan pricing at exactly 50K MAU may vary—the $15,000/year figure needs verification against current Auth0 pricing page, which changes periodically",
    "Shared responsibility boundaries for SOC 2 between Auth0 and the startup's integration layer need explicit mapping during implementation",
    "Whether Clerk (mentioned in the original question) would be a better fit than Auth0 was not substantively analyzed by any branch",
    "Fallback authentication during Auth0 outages (caching hashed credentials locally) introduces its own security surface that needs evaluation"
  ],
  "url": "https://vectorcourt.com/v/463a0e4e-37d2-41e2-ab94-bbeb9ff064a9",
  "verdict": "Use Auth0 as your authentication provider. For a 15-person startup with only 2 senior backend engineers handling financial data under SOC 2, building custom auth is a misallocation of scarce engineering capacity. Auth0 provides pre-certified SOC 2 compliance, scales to 50K MAU at approximately $15,000/year under the Professional plan, and eliminates months of security-critical development.\n\nKey failure mode: vendor lock-in. Auth0 pricing can escalate beyond $0.07/MAU at scale, and past outages (2021) have locked out enterprise customers. Mitigate by: (1) abstracting Auth0 behind an internal auth interface layer so switching providers doesn't require full rewrite, (2) caching hashed user credentials locally for degraded-mode fallback authentication during outages, (3) conducting annual vendor cost/feature audits, and (4) negotiating multi-year contracts upfront.\n\nCritical nuance from b004: Auth0's SOC 2 compliance is shared responsibility. Your team still owns integration-layer security and data handling. Do not assume Auth0's certification covers your entire auth surface.",
  "verdict_core": {
    "recommendation": "Use Auth0 as the third-party authentication provider for SOC 2-compliant financial data handling at a 15-person startup.",
    "mechanism": "Because Auth0 provides enterprise-grade, pre-certified SOC 2 compliance infrastructure that eliminates 3-6 months of custom auth development, freeing the two senior backend engineers to focus on core financial product features, while scaling to 50K MAU within a predictable cost envelope.",
    "tradeoffs": [
      "Vendor lock-in: future switching costs if Auth0 pricing increases or features degrade",
      "Shared responsibility model: Auth0 handles auth infrastructure but your team still owns integration security and data handling compliance",
      "Dependency on third-party uptime: Auth0 outages (e.g., 2021 incidents) can lock out users with no immediate recourse"
    ],
    "failure_modes": [
      "Vendor lock-in leading to escalating costs or forced migration when Auth0 changes pricing or deprecates features",
      "Third-party service outages or API rate limits disrupting authentication, causing user lockout during critical financial transactions",
      "Shared SOC 2 responsibility gap: assuming Auth0 compliance covers your integration layer when it does not"
    ],
    "thresholds": [
      "50K MAU within 12 months",
      "~$15,000/year under Auth0 Professional plan",
      "$0.07/MAU beyond free tier on B2C pricing"
    ]
  },
  "verdict_type": ""
}