The Build vs. Buy Debate: Why Prefect Chose WorkOS for Enterprise Auth

Back in the summer of 2022 when you could buy a dozen eggs for less than $8.00, the Prefect team was deeply entrenched in re-platforming our SaaS product, Prefect Cloud. With nearly every other architecture and tooling decision made, one crucial choice remained: what to do for enterprise auth. Fast forward to summer of 2025 in the midst of Claude Code’s blistering ascent (before Codex CLI), another team at Prefect needed to make a similar decision: which Auth and SSO solution to implement for our latest innovation, FastMCP Cloud.

I’ll save you the suspense: we chose WorkOS both times. But this isn't a story about a product; it's a story about a decision that continues to pay dividends in both engineering velocity and the value we deliver to our enterprise customers. Let's take a closer look at our build-vs-buy framework and how it led us to a key partner.

The Authentication Complexity We Refused to Own

Enterprise authentication isn't just "add a login form." When you're signing enterprise contracts, customers rightfully expect to bring their existing identity providers (IdPs) into your platform. That means supporting:

• SSO across different providers: Each identity provider from Okta to Azure AD (now Entra) requires custom SAML and SCIM implementations with varying connection patterns and idiosyncrasies
• User provisioning with SCIM: Automatically syncing user accounts between your customer's systems and yours
• Compliance and security standards: SOC 2, audit trails, session management, and all the enterprise security expectations that come with handling enterprise data

In the early days of Prefect, we were patching together Okta for social logins and Auth0 for email-based authentication. Every enterprise SSO setup meant scheduling calls with customer IT teams, walking through configuration screens, and debugging connection issues. One of our engineers, Nicholas, put it bluntly: "Every contract that we used to sign, I would have a thirty minute to four hour meeting with IT teams to get SSO set up."

That's not sustainable when you're trying to scale a data orchestration platform. We recognized this as a problem we should not own, and we went looking for a partner that had already solved it.

Why We Chose WorkOS

The standout factor in our evaluation wasn't just a partner’s technical chops—it was that they had already solved the user experience problem we had prioritized not owning. We chose a partner whose product philosophy aligned with our own, prioritizing developer experience and team velocity.

With WorkOS, we could:

• Offer self-service enterprise onboarding: We now generate five-minute, single-use dashboard links for our customer's IT departments. No more synchronous meetings or sharing secrets over email.
• Streamline internal processes: Our engineers rely on a unified dashboard, regardless of the underlying IdP, which creates a consistent process every time.
• Normalize data: We chose WorkOS because they handle that normalization, ensuring our application logic works consistently regardless of the underlying identity provider.

The first time Nicholas was able to send a customer an SSO setup link and have it completed without any engineering involvement was, in his words, "incredible." This was the moment we knew we'd made the right build-vs-buy decision. Our staff engineer, Chris Pickett, later estimated that the WorkOS Admin Portal alone saved our team hours of developer time across hundreds of SSO connections. Time we could reinvest into our core product.

The MCP Era

Our initial decision to partner with WorkOS years ago gave us a running start with the launch of FastMCP Cloud in August. While the original Prefect Cloud platform predates WorkOS's modern user management capabilities, our more recent endeavor with FastMCP Cloud gave us the opportunity to leverage AuthKit from day one.

As you’ve probably heard or experienced directly, dealing with authorization and authentication in the Model Context Protocol is really frustrating.

Our FastMCP Cloud development team describes the integration as "fairly plug and play." A phrase you rarely hear when discussing authentication implementations. AuthKit handled everything from customizable sign-up flows to automatic spam detection, letting our team focus entirely on building MCP-specific features.

A Final Reflection and Appreciation

This is the real business impact: creating the right partnership freed up roughly 10% of our engineering time every week. Instead of debugging SAML configurations, our team focuses on the data orchestration challenges that actually differentiate Prefect.

At Prefect, we believe in building what differentiates us and buying what doesn't. Enterprise authentication is table stakes. Customers expect it to work seamlessly, but it doesn't differentiate our data orchestration platform. The time we saved has allowed us to ship features like improved workflow observability, enhanced Kubernetes support, and better error handling—the kinds of capabilities that directly impact our users' data pipeline reliability.

Interested in how Prefect approaches other infrastructure decisions? Check out our engineering blog for deep dives into our Kubernetes deployment patterns, observability stack, and data pipeline reliability techniques.

Want to build your own authenticated MCP server? See how simple it is by visiting the FastMCP documentation at gofastmcp.com. You can also try FastMCP Cloud and experience the simplicity of secure, one-click deployments for yourself.