diff --git a/content/workos-alternatives/Supertokens.png b/content/workos-alternatives/Supertokens.png
new file mode 100644
index 00000000..ee3f4140
Binary files /dev/null and b/content/workos-alternatives/Supertokens.png differ
diff --git a/content/workos-alternatives/index.md b/content/workos-alternatives/index.md
new file mode 100644
index 00000000..c10b590a
--- /dev/null
+++ b/content/workos-alternatives/index.md
@@ -0,0 +1,94 @@
+---
+title: "WorkOS Alternatives (2025): SSO, SCIM, and Pricing Compared"
+date: "2025-10-05"
+description: "Discover the best WorkOS alternatives for SSO, SCIM, and audit logs — open-source and managed options, pricing signals, and when SuperTokens fits."
+cover: "workos-alternatives.png"
+category: "programming"
+author: "Mostafa Ibrahim"
+---
+
+WorkOS gets you SSO and SCIM fast, but the pricing model and hosting choice often decide your real cost, control, and support load. If you’re running a multi-tenant SaaS or selling enterprise plans, those trade-offs matter more than the feature matrix. When that’s the case, it’s worth weighing alternatives to WorkOS.
+
+We’ll compare alternatives on three axes: pricing (how costs scale with tenants and usage), hosting (fully managed vs self-host/VPC for residency and extensibility), and admin UX (setup links/portal to reduce integration support). That lens keeps the evaluation practical and testable.
+
+By the end, you’ll have a metric to verify SSO/SCIM/audit parity, surface hidden costs like audit retention/streaming, and see where [SuperTokens](https://supertokens.com/) fits — especially if you want per-MAU pricing or an OSS/VPC path — with [Ory Polis](https://www.ory.sh/polis) as a bridge when you need SAML/OIDC setup-link parity.
+
+## When to Look Beyond WorkOS
+
+If any of the points below describe your situation, it’s a strong signal to compare alternatives.
+
+- **Cost Model Mismatch**: You want lower SSO/SCIM connection costs or a per-MAU/flat model because your tenant count is growing and per-connection fees are stacking up.
+- **Control and Extensibility Needs**: You need self-hosting/VPC, tighter data residency, or deeper extensibility than a point solution comfortably supports.
+- **Prefer an All-In CIAM Bundle**: You want users/sessions, SSO, SCIM, audit logs, and RBAC in one package — rather than piecemeal add-ons.
+
+**Context**: WorkOS typically bills SSO and Directory Sync per connection ($125/connection/month); Audit Logs are $125/month per SIEM connection for log streaming and $99/month per million events stored for retention; User Management is free up to 1M MAU.
+
+## What to Compare (Use This Checklist)
+
+Use this checklist to compare vendors consistently.
+
+|Category|What to Check|Pass Threshold|
+|---|---|---|
+|Pricing Model|Per-connection vs per-MAU vs flat|Matches your growth (tenants vs MAU)|
+|Hosting|SaaS vs self-host/VPC|Meets residency, latency, and ops requirements|
+|Feature Coverage|SSO, SCIM, Audit, admin setup links|All present and stable|
+|Multi-Tenant/RBAC and SDKs|Orgs/roles mapping; SDKs for your stack|Clean mapping + mature SDKs|
+|Migration/lock-In|JWKS, exports, contract terms|Keys and data portable; reasonable contract terms|
+
+Close the checklist by running a short bake-off against these items — cost unit, hosting fit, parity, depth/SDK fit, and portability — then decide.
+
+## Open-Source and Self-Hosted Alternatives
+
+![Supertokens](./Supertokens.png)
+
+If you want VPC/self-host control or to avoid per-connection fees, these OSS-first options are worth a close look.
+
+- **SuperTokens (OSS or Cloud)**
+
+    - **What It Is**: Dev-first authentication with modern SDKs, session management, and multi-tenant/organization primitives. Run it self-hosted or use the Cloud (per MAU).
+    - **Why It Fits Here**: No SSO/SCIM per-connection tax; clean path to VPC/OSS; good migration posture (portable keys/data).
+    - **How To Reach SAML/OIDC SSO**: Pair with a SAML/OIDC bridge (see Ory Polis) to deliver enterprise SSO plus setup links for admin self-serve.
+    - **What To Verify**: Org/tenant model maps to your app; SDK coverage for your stack; token/session flows meet your threat model.
+
+- **Ory Network / Ory Polis**
+
+    - **What It Is**: Composable IAM (Kratos/Hydra/Keto/Oathkeeper) with a managed Network offering; Polis adds a SAML/OIDC bridge and setup-link flows similar to an admin portal. Pricing starts at $70/mo (Production plan).
+    - **Why It Fits Here**: Lets you add standards-compliant SSO to an existing user system (e.g., SuperTokens) while keeping IdP setup self-service for customer admins.
+    - **What To Verify**: Required protocols (SAML/OIDC) and IdP catalog, setup-link UX, hosting mode (Network vs self-host), and how SCIM/user provisioning is handled in your architecture.
+
+**Bottom Line**: For OSS/VPC control with modern DX, use SuperTokens for sessions and tenant primitives, and add Ory Polis for SAML/OIDC and setup-link parity. Run a small bake-off to confirm SSO coverage, admin UX, and total cost.
+
+## Feature Parity vs WorkOS (What to Verify)
+
+Before price comparisons, confirm that any alternative matches the **capabilities and admin UX** your customers expect.
+
+- **SSO (SAML/OIDC)**
+
+    - **Verify**: Support for both SAML and OIDC, breadth of IdP catalog (Okta, Azure AD, Google, Ping, OneLogin, etc.), setup links/admin portal so customer admins can self-configure.
+    - **Pricing Anchor**: WorkOS SSO baseline is $125 per connection/month.
+
+- **Directory Sync (SCIM)**
+
+    - **Verify**: User and group provision/deprovision, group→role mapping in your app, sync status/error visibility, and whether SCIM is per-connection or included.
+    - **Pricing Anchor**: WorkOS Directory Sync is $125 per connection/month.
+
+- **Audit Logs**
+
+    - **Verify**: Event coverage (auth, org, admin actions), retention options, export/streaming to SIEM, searchability, and throughput limits.
+    - **Pricing Anchor**: WorkOS Audit Logs — $125/month per SIEM connection for log streaming, and $99/month per million events stored for retention.
+
+**Close The Loop**: Run a mini bake-off: configure SSO with two IdPs, sync a sample SCIM directory with groups→roles, and ship logs to your SIEM. If an alternative passes these with a clean admin UX, then compare the total cost.
+
+## Pricing Signals and Gotchas
+
+Use these patterns to predict total cost and avoid surprises.
+
+- **Per-Connection vs Per MAU**: WorkOS prices SSO/SCIM per connection; SuperTokens Cloud is per MAU. If you have many tenant orgs with modest usage, per-connection costs can add up quickly; with few orgs and large user counts, per-connection may be cheaper. Model both to find your break-even.
+- **Add-On Gates**: Watch for paid audit log retention/streaming, MFA, or organization features that sit behind higher tiers. For WorkOS, longer audit retention and SIEM streaming add cost; include them in your forecast from day one.
+- **Admin-Portal Parity**: Missing setup links / tenant self-service shifts work to your team and slows deals. Verify that admins can self-configure SSO/SCIM. Ory Polis supports setup-link flows.
+
+**Bottom Line**: Choose the pricing unit that matches your growth shape, account for paid add-ons upfront, and demand self-serve admin flows to keep support costs in check.
+
+## Conclusion
+
+WorkOS is great for fast enterprise readiness, but pricing and hosting modelS push some teams to look elsewhere. If you want no per-connection tax and OSS/VPC control, shortlist SuperTokens (OSS/Cloud) with Ory Polis for SAML. If you want a managed bundle, compare Stytch (included connections), Clerk (no SSO connection fees), Auth0/Frontegg (ecosystem depth), and FusionAuth (self-host path). Run a two-week bake-off focused on SSO/SCIM parity, admin UX, and total cost before you commit.
\ No newline at end of file
diff --git a/static/card_covers/workos-alternatives.png b/static/card_covers/workos-alternatives.png
new file mode 100644
index 00000000..7754a3a8
Binary files /dev/null and b/static/card_covers/workos-alternatives.png differ
diff --git a/static/covers/workos-alternatives.png b/static/covers/workos-alternatives.png
new file mode 100644
index 00000000..35571387
Binary files /dev/null and b/static/covers/workos-alternatives.png differ