Comparison

Sentroy vs Firebase Auth

Firebase Auth is the long-time default for end-user authentication in mobile and web apps. Sentroy Auth Projects is an open alternative (per-app user pools, JWT/JWKS, MFA, social login) bundled with the rest of the Sentroy platform. This page gives an honest comparison and a migration snippet.

Quick comparison

The five questions most teams care about when picking an auth provider.

| | Sentroy | Firebase Auth |
| --- | --- | --- |
| Pricing model | Flat platform tier — MAU not metered | Free up to 50k MAU, then per-MAU + per-SMS |
| Self-hostable | Yes — Docker stack, your DB, your keys | No — Google-hosted only |
| Open formats | Standard JWT (RS256) + JWKS, OIDC-compliant | Standard JWT + JWKS, OIDC-style claims |
| Lock-in | Low — export users (incl. password hashes), portable JWT | High — GCP ecosystem; hash export possible but friction-heavy |
| Bundled with other products | Mail + storage + env vault, same tenant | Firestore + Cloud Functions + Storage (Google ecosystem) |

What is the same

The places these two products meaningfully overlap.

  • Both ship per-app end-user pools with email/password, social, and magic-link login.
  • Both issue JWT access tokens with refresh-token rotation.
  • Both publish JWKS endpoints for token verification on your backend.
  • Both support TOTP / SMS MFA (Sentroy supports TOTP today; SMS via integration).
  • Both expose a self-service /me account-management surface.
  • Both ship React, React Native, and web SDKs.

What is different

Honest differences in both directions.

Where Sentroy is different

  • No per-MAU pricing — you don't pay more as your user base grows.
  • Self-hostable — keep user PII, password hashes, and session data on infrastructure you control.
  • Bundled with mail (verification + reset emails go through the same platform) and storage (avatar uploads).
  • Per-project RS256 keypair stored in your DB, published on a per-project JWKS endpoint — no shared Google signing keys.
  • Webhook delivery on auth lifecycle events (signup, login, MFA enrollment, password reset) — same shape as the rest of the platform.

Where Firebase Auth is different

  • Deep integration with Firestore security rules, Cloud Functions triggers, and Realtime Database.
  • Phone-number login with carrier-grade SMS delivery infrastructure built in.
  • Pre-built mobile UI (FirebaseUI) for iOS, Android, and web — battle-tested.
  • App Check for client-attestation, useful for abuse mitigation on mobile.
  • Google's identity ecosystem on day one — Workspace SSO, Identity Platform upgrade path.

When to pick Sentroy

Concrete situations where Sentroy is the better call.

  • You expect to cross 50k MAU within a year and the Firebase per-MAU bill becomes a planning concern.
  • You need to keep user data on EU infrastructure (or any specific jurisdiction) without ceremony.
  • You want auth verification / password-reset emails to ship through your own verified domain on the same platform.
  • You already use Sentroy for mail or storage — sharing one access token and one company tenant is cleaner than wiring two SDKs.

When to stick with Firebase Auth

Cases where staying on Firebase is the right call.

  • Your app is deeply tied to Firestore security rules or Cloud Functions auth triggers — re-wiring those costs more than the migration saves.
  • You rely on phone-number login at high volume and need Google's SMS routing.
  • You're below 50k MAU and Firebase is effectively free; the bundle isn't a draw yet.

Migration

One operation, both SDKs side by side.

Email/password signup on the client:

before.ts — Firebase Auth

```ts
import { initializeApp } from "firebase/app"
import {
  getAuth,
  createUserWithEmailAndPassword,
} from "firebase/auth"

// NEXT_PUBLIC_ variables are inlined into the client bundle by Next.js
const app = initializeApp({
  apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY!,
  authDomain: "acme.firebaseapp.com",
  projectId: "acme",
})

const auth = getAuth(app)
// Sample credentials; in an app these come from the signup form
const cred = await createUserWithEmailAndPassword(
  auth,
  "user@example.com",
  "correct horse battery staple",
)
// ID token (JWT) to send to your backend
console.log(await cred.user.getIdToken())
```

after.ts — Sentroy

```ts
import { SentroyAuth } from "@sentroy-co/auth-sdk"

// NEXT_PUBLIC_ variables are inlined into the client bundle by Next.js
const auth = new SentroyAuth({
  baseUrl: "https://auth.sentroy.com",
  projectSlug: "acme",
  publishableKey: process.env.NEXT_PUBLIC_SENTROY_AUTH_PUB_KEY!,
})

// Sample credentials; in an app these come from the signup form
const { user, accessToken } = await auth.signup({
  email: "user@example.com",
  password: "correct horse battery staple",
})
// RS256 JWT to send to your backend
console.log(accessToken)
```

The returned accessToken is a standard RS256 JWT — verify it on your backend with the per-project JWKS endpoint at /api/v1/auth/<slug>/jwks.json. No vendor SDK required on the server.
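
A sketch of that backend check using only Node's built-in crypto, added here as an example and not taken from Sentroy's code or docs. It runs offline against a locally generated key: the JWKS contents, the `kid` `demo-key-1`, the issuer/audience values and the function names are all constructed assumptions, and a real service would fetch and cache the JWKS document from the endpoint above.

```typescript
import { createPublicKey, createSign, createVerify, generateKeyPairSync } from "node:crypto"

// Constructed stand-in for the per-project JWKS document (assumption: RSA keys carrying a "kid").
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 })
const JWKS = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "demo-key-1", alg: "RS256", use: "sig" }] }
// Constructed issuer/audience; use whatever values your project's tokens actually carry.
const EXPECTED = { iss: "https://auth.example.test/acme", aud: "acme" }

const b64u = (v: object) => Buffer.from(JSON.stringify(v)).toString("base64url")

// Demo helper: mint a token with the local private key so the verifier has input.
function mintToken(header: object, claims: object): string {
  const input = `${b64u(header)}.${b64u(claims)}`
  return `${input}.${createSign("RSA-SHA256").update(input).sign(privateKey).toString("base64url")}`
}

// Verifies signature and standard claims; returns the claims or throws.
function verifyAccessToken(token: string, jwks: { keys: any[] }, expected: { iss: string; aud: string }, now = Date.now() / 1000) {
  const parts = token.split(".")
  if (parts.length !== 3) throw new Error("malformed token")
  const header = JSON.parse(Buffer.from(parts[0], "base64url").toString())
  // Pin the algorithm: the token never chooses it (rejects alg=none and HS256 key confusion).
  if (header.alg !== "RS256") throw new Error("unexpected alg")
  // Select the key by kid from the trusted JWKS only; never from a key embedded in the token.
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === "RSA")
  if (!jwk) throw new Error("unknown kid")
  const ok = createVerify("RSA-SHA256")
    .update(`${parts[0]}.${parts[1]}`)
    .verify(createPublicKey({ key: jwk, format: "jwk" }), Buffer.from(parts[2], "base64url"))
  if (!ok) throw new Error("bad signature")
  // Read claims only after the signature has been checked.
  const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString())
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired")
  if (claims.iss !== expected.iss || claims.aud !== expected.aud) throw new Error("wrong issuer or audience")
  return claims
}

const demoToken = mintToken(
  { alg: "RS256", kid: "demo-key-1", typ: "JWT" },
  { sub: "user_123", ...EXPECTED, exp: Math.floor(Date.now() / 1000) + 300 },
)
console.log(verifyAccessToken(demoToken, JWKS, EXPECTED).sub)
```

The order of checks matters: algorithm and key selection come from your configuration and the trusted JWKS, and no claim is used before the signature verifies.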