Sacra × Stytch: predictable auth for an agent‑ready future

Future-Proofed for Agents: Standardized on Connected Apps and MCP so Claude and future agents connect predictably without rebuilding auth to handle both consumer and B2B needs.

Stronger Paywall Signals: Device fingerprinting powers fair metering and makes evasion harder, reducing abuse without adding friction for real readers.

Unified Auth Flows: With Connected Apps, Sacra merged subscribers and members into one seamless login using Magic Links and Google One Tap.

Sacra publishes deep research on growth & pre-IPO technology companies. Their audience spans individual operators and investors to venture funds and asset managers. The product started as “read it in your inbox,” then grew into a platform where free readers, paid members, firm accounts, and developers all need the right access at the right moment.

As that surface area expanded, Sacra needed to do three things at once: introduce a metered paywall, unify sign‑up and login, and prepare for agents (like Claude) to safely plug into Sacra’s data via MCP. They chose Stytch to make those changes reliable, so the team could focus on content and conversion, not auth plumbing.

MCP is the handshake between our data and agent workflows. With Stytch, those connections are standardized, secure, and reversible—no glue code, no platform debt.

Sacra
Trey Lachance
Software Engineer

What Sacra was building

One door, many states. Login should give a different experience to someone who only entered an email (free reader), a paying user (member), and users tied to a firm, without juggling different systems or UI forks.

Start simple, leave headroom. Begin with magic links and Google OAuth. Keep options open for SSO, MFA, and tenant‑level rules if specific cohorts ask for them.

Agent‑ready connectors. Ship MCP connectors (e.g., Claude, ChatGPT) using dynamic client registration. When credentials rotate or an endpoint changes, resets should be predictable—no mystery box behavior.

Stack and constraints

  • App: Django (Python) with vanilla JavaScript
  • Auth experience: unified magic‑link flow; Google sign‑in; option for Google One Tap
  • User model: consolidate “subscriber” and “member” into one user with clear verification state (pending → verified)
  • Paywall: metered access for free users; room to add device signals to reduce circumvention
  • Agents: MCP endpoints registered as Standalone Connected Apps via OAuth/DCR, with clean recovery paths

Why Stytch

Most flexible integration options. Stytch’s Python SDK and headless methods work cleanly with Django and custom UI—no hosted pages required, REST everywhere if you want it.

Scale without rewrites. Stytch’s model supports both consumer flows and tenant‑specific requirements when they arrive. If a fund later mandates enterprise features like SSO, MFA, and per seat billing, Sacra can scope those rules to that cohort without rewriting everything.

Predictable, transparent costs. Sacra can bulk‑create users from their subscriber list. Those users start in a pending state until they verify via magic link or Google. Billing is based on who authenticates in the month, not who exists in the table, so backfilling doesn’t spike costs.

MCP‑ready flows out of the box. Dynamic client registration, reversible connections, and actionable errors make connector development repeatable. When you reset, you can re‑register the same MCP server URL and move on.

MCP auth for consumer and B2B apps. Start with auth for a consumer use case and easily extend to enterprise customers without complex changes and friction to MCP flows. No logic conversions needed to keep your app agent ready.

We moved from Consumer to B2B without touching our agent flows. Because we built on Stytch Connected Apps, the MCP connections and permissions stayed put—we flipped the app to B2B and kept shipping instead of rebuilding auth.

Sacra
Trey Lachance
Software Engineer

What they implemented

One flow, multiple outcomes. A visitor enters an email. Stytch sends a magic link and creates a pending user; Sacra can start a low‑permission session to meter free reads. When the user clicks the link, Stytch flips verification flags and the account becomes fully active.

Quick OAuth implementation. For media sites, keeping people in context matters. Stytch support for methods including Google OAuth reduces signup friction and pairs cleanly with the magic‑link path for those who prefer email.

Metered access with room to grow. Early on, cookies and account state were enough to test conversion. As patterns emerged, Sacra is exploring fingerprint‑based limits (e.g., “five free articles per device per month”), nudging free users toward signup without heavy‑handed blocks.

MCP and agent auth made easy. During early ChatGPT tests, Sacra ran into a familiar dev reality: some tools cache client credentials per MCP server URL. With Stytch’s Connected Apps, dynamic registration and predictable resets keep iteration moving.

Stytch’s MCP-ready flows made our ChatGPT and Claude connectors predictable: dynamic client registration, safe resets, and clear errors we can action instead of mystery failures.

Sacra
Danny Tharma
Head of Engineering & Product

Results

  • Unified identity: subscribers and members now live in a single user model with clear states (pending ↔ verified).
  • Less friction, more signal: email magic links + Google reduce drop‑offs; One Tap offers an even faster route where appropriate.
  • Quick migration: swapped from a Consumer instance to a B2B one, without needing to rewrite any code for their MCP server.
  • Smarter metering: fingerprint‑based limits raise the effort required to evade the paywall—reducing abuse without punishing honest readers.
  • Agent‑ready posture: MCP connectors register and reset predictably, so experiments with Claude are practical instead of fragile.

Why Standalone Connected Apps now, and multi‑tenant later

Sacra primarily sells to individuals today, with a growing slice of small firms. Standalone Connected Apps let them standardize connectors to agents and services without one‑off glue. If a cohort later needs stricter controls, Stytch’s tenant‑aware architecture makes it straightforward to enforce SSO or MFA for just that group—without shifting everyone to an enterprise‑only model.

The takeaway

Auth should disappear into the background. With Stytch, Sacra unified login and signup, consolidated subscribers and members, shipped a metered paywall that can harden over time, made the migration from Consumer to B2B orgs simple and secure, and stood up agent‑ready connections for agents like Claude and ChatGPT via MCP. The common thread: fewer surprises—in billing, in connector behavior, and in the path from free reader to paid member.