Migrating core infrastructure like authentication can feel daunting, especially when your product is celebrated for its UX and millions of users rely on it every single day.
This was the challenge facing Tome, an AI-powered storytelling platform that makes it easy and fast to create, collaborate on, and share engaging and customized presentations. Less than two years after launch, Tome had amassed more than 10 million users, ranging from individuals to large enterprises.
But Tome had a problem: their legacy auth provider, Auth0, was slowing them down.
Issues with Auth0’s documentation, unresponsive support, and unexpected product behavior had caused headaches – and even a production outage – for Tome's engineering team. Determined to find a more reliable and developer-friendly auth solution, Tome ran a comprehensive evaluation and ultimately decided to migrate to Stytch.
Decision criteria for modernizing authentication at Tome
The Tome team found themselves constantly struggling to work around Auth0’s one-size-fits-all product.
While they needed parity with the core auth methods and features Auth0 provided, they had critical requirements for their next-generation auth platform:
- Proven infrastructure reliability, with a history of minimal downtime
- Architectural alignment with Tome’s multi-tenant customer model
- A DX-friendly way to integrate new, passwordless options
- Improved customization of the Tome login page for better brand consistency
- Address user account linking, which was causing support requests
- Address the increasing problem of bots creating new accounts
Selecting Stytch
Stytch not only met all of Tome’s requirements, but was in a unique position to offer:
- A zero downtime migration that would result in no user disruption
- A developer-first approach with improved DX, documentation, and developer support
- A native purpose-built multi-tenant architecture that matched Tome’s own data model
- Visibility into changes and more intuitive troubleshooting
- UX control that came from Stytch’s fully composable implementation model, which offered pre-built UI, a headless frontend, and backend API and SDKs
- Built-in support for secure user account linking
- Integrated device fingerprinting to easily prevent spam account creation by bots
“We migrated tens of millions of users to Stytch’s auth solution in about a month with no major issues. It was far and away the easiest migration I’ve ever worked on.”
— Keith Peiris, CEO
Zero downtime migration
A top priority for Tome during the migration was to minimize user impact. To make that possible, the Tome and Stytch teams collaborated to “dark launch” Stytch sessions into production.
Here’s the concept:
- Users log in to the product using the existing Auth0 login flow
- In the background, create a Stytch session for that user
- Verify that downstream traffic to Stytch is working correctly without issues
- Flip over to the Stytch login flow
With this process, Tome was able to verify that their Stytch implementation was working smoothly, first with 1% of sessions, then 5%, and then scale to 100% with confidence. This meaningfully de-risked the migration process and allowed Tome to migrate millions of users in less than a month, with no downtime.
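The dark-launch steps above, sketched as an added example (not Tome's or Stytch's code). `legacyLogin` and `createShadowSession` are hypothetical stand-ins for the two providers' calls, and the thresholds in `readyToWiden` are assumed values.

```javascript
// Added example. legacyLogin and createShadowSession are hypothetical
// stand-ins for the two providers' calls; no real SDK API is used.

// Map a user to a stable bucket 0..9999 (FNV-1a over UTF-16 code units).
// Bucketing is not security-sensitive, so a non-cryptographic hash is enough.
function bucket(userId) {
  const s = String(userId);
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h = Math.imul(h ^ s.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h % 10000;
}

// Same user, same answer: raising percent (1 -> 5 -> 100) only adds users.
function inRollout(userId, percent) {
  return bucket(userId) < Math.round(percent * 100);
}

// Background check. It catches every error, so it can never reject and can
// never affect the login that triggered it.
async function shadowCheck(session, { percent, createShadowSession, stats }) {
  if (!inRollout(session.userId, percent)) return;
  stats.attempted += 1;
  try {
    const shadow = await createShadowSession(session.userId);
    // Compare identities only; the shadow token is never logged or returned.
    if (shadow.userId === session.userId) stats.ok += 1;
    else stats.mismatch += 1;
  } catch (err) {
    stats.failed += 1;
  }
}

async function login(creds, deps) {
  const session = await deps.legacyLogin(creds); // source of truth; errors propagate
  void shadowCheck(session, deps); // not awaited: adds no login latency
  return session; // the caller only ever sees the legacy session
}

// Gate for the next step; minSamples and maxErrorRate are assumed thresholds.
function readyToWiden(stats, minSamples = 1000, maxErrorRate = 0.001) {
  if (stats.attempted < minSamples) return false;
  return (stats.failed + stats.mismatch) / stats.attempted <= maxErrorRate;
}
```

A nonzero `mismatch` count means the new provider resolved a different identity for the same login, which should block widening the rollout regardless of the error rate.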
Developer-first approach
Auth0’s documentation and approach to development were often out of date, and delayed responses from Auth0 support were consistently slowing Tome down.
When Tome was launching internationalization support, Auth0 took so long to respond to a question about internationalizing Tome’s login pages that the launch almost had to be delayed. And on another occasion, an Auth0 API that didn’t work as documented caused a production outage. The Tome team was able to put a band-aid fix in place, but they quickly realized that it might be time for a new auth partner.
“From an Auth0 point of view, they claim they support this, they make it seem pretty easy. But there were some questions we needed answered, and it took so long to get answers that we almost had to delay the launch. It felt like we were pulling teeth to get help.”
— Drew MacNeil, Senior Software Engineer
In contrast, with Stytch, Tome found both up-to-date documentation and a responsive thought partner. Not only was it quick to get answers to ad-hoc questions in Slack, but the Stytch solutions engineering team also partnered closely with Tome on solution design and migration planning to ensure everything went smoothly from the start.
“What stood out to me was the APIs did exactly what the docs said they would do. Coming from Auth0, I had very little faith in stuff like that where the doc says, ‘You pass these parameters this way, you get back.’ With Stytch, it actually just worked. And if we did have questions, we fired those off to the Stytch team, and got back quick answers.”
— Drew MacNeil, Senior Software Engineer
Purpose-built multi-tenant architecture
Many of Tome’s users are companies and large enterprises, who need to have shared workspaces to collaborate, with custom roles and permissions.
As a result, Tome constructed their project with a native understanding of organizations – but quickly found that Auth0’s Organizations feature wasn’t engineered to support the org-specific flexibility that the Tome engineering team had in mind.
In partnering with Stytch, Tome was excited to find a company with a similar multi-tenant native approach. This allowed them to streamline their code and eliminate their previous workarounds.
Secure user account linking
Prior to Stytch, Tome offered both Google OAuth (‘log in with Google’) and email/password as options for users. If a user forgot they had logged in with a password previously, then tried to use Google OAuth to log into Tome, they would hit an error page - even if they already had a Tome account with the same email. Users found this confusing and frustrating, but the fix with Auth0 wasn’t an easy one:
“People would write in constantly to support, confused about which sign-in method they used originally and how they can log in. And so we wanted to start linking accounts automatically, but that turned out to be pretty painful to implement in Auth0. If you try to go beyond the most straightforward integration of Auth0, it gets challenging quickly.”
— Drew MacNeil, Senior Software Engineer
By switching to Stytch, Tome not only was able to ditch passwords for good, moving toward a more modern passwordless auth flow, but they also were able to use Stytch’s built-in account deduplication to securely link user accounts - for less user confusion and fewer support tickets, without any additional code.
Intuitive troubleshooting
The Tome team often struggled to understand what was happening under the hood when challenges arose with Auth0. In fact, they often avoided making changes or even adding new features involving auth because they would never know what the downstream effects might be.
“We wanted something that was a lot easier to work with. It just felt like every time we were trying to touch something in Auth0 land, it was like, ‘Who knows how long this thing's gonna take? Who knows how hard it's gonna be to do?’ They don't give you very much control from a product point of view.”
— Drew MacNeil, Senior Software Engineer
With Stytch, it was very different: the docs were up to date, it was easy to ask questions, and Tome's backend integration approach made it easy to isolate outbound requests to Stytch in their observability platform, unlike the 'black box' created by the Auth0 redirect.
UX control
The Tome team also wished they had more control over the login page’s look and feel. With Auth0’s Universal Login, their customization options were more limited.
With Stytch’s API-first approach, Tome had a range of integration options to choose from - all of which provided greater control and visibility.
Tome ultimately decided to use Stytch’s Node backend SDK with a custom front-end. The backend integration, as opposed to their hosted Auth0 modal, improved observability and made it easier for their team to isolate auth-related requests. And they were able to customize the login page to feel consistent with the Tome brand story - complete with their Privacy Policy and Terms of Service. This also allowed Tome to have full control over internationalization, both of their login UI and email templates – the same requirement that had previously delayed a launch when using Auth0.
Integrated device fingerprinting
Tome had growing concerns about account abuse from bots creating fraudulent spam accounts. Stytch was the only vendor to offer a completely integrated fraud prevention product using advanced device fingerprinting, meaning that Tome would not have to integrate yet another platform.
The future of auth at Tome
Now that Tome has fully migrated to Stytch, they’ve already freed up engineering resources to accelerate their product roadmap.
“At Tome, we care deeply about delivering a great UX across the board, and auth is no exception. By leveraging Stytch's B2B product, we have successfully reallocated 2-3 engineers to core product development and new features.”
— Archana Sankaranarayanan, Director, Platform Engineering
From new auth methods to user and organization management configurations, it’s all just an API call away for Tome. They have an auth platform in Stytch that will innovate at the same pace as their product and support any future requirements.
And Stytch’s team is busy using Tome to share product features, share internal updates, and provide custom sales pitches. Reach out to the Stytch team if you’re interested in a personalized Tome presentation on how Stytch can help your company offer flexible & scalable B2B auth.