Ramblings of an aging IT geek

okta is buying auth0, and i have feelings about it

Okta's acquisition of Auth0 prompts a hard look at how much of my login stack belongs to a single vendor, and what I'd do if the terms changed.


Earlier this month Okta announced it was buying Auth0 in a deal worth somewhere north of six billion dollars. I've used Auth0 on three projects now, and my first reaction wasn't strategic. It was the small, selfish dread of "right, what happens to my login flow."

The official line is the reassuring one. Auth0 keeps operating as an independent unit, the products continue, nothing changes for customers. I've read that paragraph in enough acquisition announcements to know it's true on the day it's written and renegotiable forever after. Okta and Auth0 overlap in obvious places, identity for the workforce on one side and identity for the developer-built app on the other, and overlapping products tend to get rationalised eventually. Not maliciously, just gravitationally.

why this one lands

Auth0 was the tool I reached for precisely because I didn't want to own authentication. Storing passwords, handling OAuth dances, rotating tokens, surviving the next credential-stuffing wave: all of it is the kind of work where being slightly wrong is catastrophic and being completely right is invisible. Paying someone else to be right about it was an easy trade. The whole pitch was that I could treat login as a managed dependency and think about my actual product instead.


The acquisition doesn't change that today. What it changes is the risk profile of the bet. When Auth0 was an independent company, its incentive was to keep me, a small developer, happy enough to grow into a bigger one. Inside a much larger identity company, that incentive sits next to a lot of others, and the enterprise sales motion usually wins the argument about where pricing and attention go. I'm not predicting they'll burn me. I'm noting that the thing protecting me from being burned used to be Auth0's independence, and that protection just got sold.

what I'm actually going to do

Nothing dramatic, and that's the honest answer. I'm not ripping out a working integration on the strength of a press release. But I am going to do the thing I should have done at the start and didn't, because the free tier made it easy not to.

First, I'm checking how portable my setup really is. If I lean on standard OIDC and OAuth flows and keep the vendor-specific bits, the custom rules and the proprietary extensions, thin and well documented, then a future migration is a project rather than a rewrite. If I've quietly woven Auth0-isms through the codebase, that's debt I took on without noticing.
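One way to make that portability check concrete, as an added example that is not code from the post, from Auth0, Okta or Keycloak: a provider-agnostic authorization-code flow with PKCE where the issuer URL and client id are the only vendor-specific inputs and every endpoint comes from OIDC discovery. The issuer hostnames, discovery documents, client id, redirect URI and claim values below are constructed samples (the self-hosted paths are modelled on Keycloak's layout); signature verification of the ID token is deliberately left to a JOSE library.

```python
"""Provider-agnostic OIDC pieces: discovery, PKCE, and ID-token claim checks.

Added example, not from the original post. Swapping providers means changing
ProviderConfig, nothing else; anything vendor-specific (custom rules, proprietary
extensions) stays outside these functions.
"""
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode


@dataclass(frozen=True)
class ProviderConfig:
    """All the app knows about its identity provider. Endpoints are discovered from the issuer."""
    issuer: str
    client_id: str
    redirect_uri: str


# Constructed discovery documents standing in for an HTTPS GET of
# <issuer>/.well-known/openid-configuration. Neither is live metadata.
SAMPLE_DISCOVERY = {
    "https://tenant.hosted-idp.example/": {
        "issuer": "https://tenant.hosted-idp.example/",
        "authorization_endpoint": "https://tenant.hosted-idp.example/authorize",
        "token_endpoint": "https://tenant.hosted-idp.example/oauth/token",
        "jwks_uri": "https://tenant.hosted-idp.example/.well-known/jwks.json",
        "code_challenge_methods_supported": ["S256"],
    },
    "https://sso.selfhosted.example/realms/app": {
        "issuer": "https://sso.selfhosted.example/realms/app",
        "authorization_endpoint": "https://sso.selfhosted.example/realms/app/protocol/openid-connect/auth",
        "token_endpoint": "https://sso.selfhosted.example/realms/app/protocol/openid-connect/token",
        "jwks_uri": "https://sso.selfhosted.example/realms/app/protocol/openid-connect/certs",
        "code_challenge_methods_supported": ["S256"],
    },
}

# Constructed configs: same app, two providers, only the issuer differs.
HOSTED = ProviderConfig("https://tenant.hosted-idp.example/", "app-client", "https://app.example/callback")
SELF_HOSTED = ProviderConfig("https://sso.selfhosted.example/realms/app", "app-client", "https://app.example/callback")


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE and JOSE use it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_pair(verifier: Optional[str] = None):
    """Return (code_verifier, code_challenge) using the S256 method from RFC 7636."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def load_discovery(issuer: str) -> dict:
    """Look up issuer metadata; in production this is a TLS fetch of the well-known URL."""
    doc = SAMPLE_DISCOVERY[issuer]
    if doc["issuer"] != issuer:  # OIDC Discovery requires the metadata to name the configured issuer
        raise ValueError("discovery document issuer does not match configured issuer")
    return doc


def start_login(cfg: ProviderConfig) -> dict:
    """Build the authorization request. Caller stores state, nonce and verifier in the session."""
    disc = load_discovery(cfg.issuer)
    if "S256" not in disc.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise S256 PKCE")
    verifier, challenge = pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "response_type": "code", "client_id": cfg.client_id, "redirect_uri": cfg.redirect_uri,
        "scope": "openid profile email", "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return {"url": f"{disc['authorization_endpoint']}?{urlencode(params)}", "state": state,
            "nonce": nonce, "code_verifier": verifier, "token_endpoint": disc["token_endpoint"]}


def check_id_token_claims(claims: dict, cfg: ProviderConfig, expected_nonce: str,
                          now: Optional[float] = None) -> None:
    """Claim checks from OIDC Core section 3.1.3.7, run on a payload whose JWT signature
    has already been verified against the discovered jwks_uri (out of scope here)."""
    now = time.time() if now is None else now
    if claims.get("iss") != cfg.issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if cfg.client_id not in audiences:
        raise ValueError("token was not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != cfg.client_id:
        raise ValueError("multi-audience token needs azp equal to client_id")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch, possible replay")


def id_token_claims_ok(claims: dict, cfg: ProviderConfig, expected_nonce: str,
                       now: Optional[float] = None) -> bool:
    """Boolean wrapper around check_id_token_claims for callers that prefer no exceptions."""
    try:
        check_id_token_claims(claims, cfg, expected_nonce, now)
        return True
    except ValueError:
        return False
```

The point of the shape is that `start_login(HOSTED)` and `start_login(SELF_HOSTED)` run the same code path; if a migration to Keycloak or another hosted provider needs more than a new `ProviderConfig` and a re-registered redirect URI, whatever forced the extra work is the Auth0-ism worth writing down.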

Second, I'm pricing the alternatives, not to switch, but to know the number. Keycloak if I want to self-host and accept the operational tax. One of the other hosted identity providers if I want to stay managed. Having that comparison in a document means the next pricing email doesn't catch me flat-footed.

Acquisitions are normal. Good companies get bought, and sometimes the product genuinely gets better for it. But every managed dependency is a bet on the vendor's incentives staying aligned with yours, and the day those incentives change ownership is the right day to re-read the terms and quietly check your exits. Not to leave. Just to remember the door is there.