✨ EPIC: Switch Authentication Provider: Research, Selection, and Migration

[victor-enogwe]

Context

SwitchbackTech/compass currently relies on SuperTokens for authentication. However, we have encountered a persistent bug where idle session refresh stops working after prolonged inactivity (24+ hours), leading to an unreliable user experience due to forced logouts. Additionally, proactive support responsiveness have become priorities as the user base grows, neccesitating a provider review and migration.

Requirements & Goals

• Eliminate the idle session refresh issue experienced with SuperTokens
• Choose a provider with configurable idle session timeout & reliable session management
• Ensure the provider offers responsive, proactive support and clear SLAs
• Compare providers based on pricing, SDK ecosystem, support responsiveness, and migration path
• Conduct a migration plan and roadmap post-selection

Provider Comparison

Criterion	Frontegg	Clerk	Stytch
Configurable Idle Session Timeout & Management	Full controls: idle timeout, concurrent session limits, role-based policies, API-driven revocation, multi-tenant, and rolling/silent refresh.	Dual policy: inactivity + absolute lifetime, multi-device, JWT tokens, APIs for automated management, strong dashboard UI.	Highly flexible timeout (session_duration_minutes, idle/rolling sessions, unlimited range), powerful API-level management, JWT+stateful session support.
Support Responsiveness & Channels	Multi-channel (email, live chat, shared Slack for enterprise), 24/7 live support for upper tiers, white glove onboarding, prioritized integration requests, clear enterprise SLAs.	Live chat, ticket/email, docs, Discord; AI assist. Enterprise support with tailored responsiveness, but check explicit SLA terms with sales.	Email, forum, Slack; Premium/Enterprise: direct Slack, priority SLAs, dedicated contacts; 24/7 for P1s in enterprise plans.
Pricing	Free up to 7,500 MAU, 50 tenants, 5 SSO. Scale: ~$250/mo. SSO add-ons, enterprise custom.	Free: 10,000 MAU + 100 org. Pro $25/mo + $0.02/MAU overage, $1/org, add-ons. Enterprise custom.	Free: 10,000 MAU, unlimited orgs, 5 SSO/SCIM. Usage-based after, $125/SSO, optional custom branding. Enterprise custom.
SDKs/Developer Experience	Multi-language SDKs, admin portal/embed, rich RBAC & API-first.	Prebuilt React/Next.js/Expo, APIs, simple dashboard config, customizable tokens.	Broad SDKs (browser/server), B2C+SaaS, flexible model, generous free tier for advanced flows.

---

Narrative Analysis

• Frontegg: Strong for complex, multi-tenant, B2B SaaS with concurrent session logic and robust Slack-based support. Generous admin portal & session governance out-of-box, higher paid base.
• Clerk: Fastest route to drop-in UI, simple guardrails (inactivity + absolute), low-cost starter plan, dev-friendly for React-centric teams.
• Stytch: Most configurable (raw session policy window, feature-rich free tier, broad protocol & SDK support, no feature gating at low scale).

Migration Recommendations

• Run POC for session refresh/expiry and idle semantics on finalists.
• Prepare migration for users (passwords, orgs, MFA, SSO connections).
• Validate per-browser and cross-device idle session detection.
• Export all user/session/org data. Alpha test migration on small cohort.
• Set up incident & support escalation runbook with the chosen provider.
• Model projected monthly cost and compliance (SLA, BAA for HIPAA if needed).

References

• 🎯 Full side-by-side comparison (session, support, pricing, SDK): see above table and consult Frontegg Session Management, Clerk session options, Stytch session guide, and their respective pricing/support pages (linked in prior analysis).
• Internal context: [Compass SuperTokens bug history], dev notes.
• #1152 - Idle Session Refresh Failure

---

If you want a projected cost model or phased migration plan for the selected provider, let’s create a sub-issue next.

[tyler-dane]

Deprioritized, now that Victor was able to get things working in #1227