$HEADLESS SYSTEMS
03 / Scorecard / Auth & Identity

Stytch

C
Headless Index
52/100
JAIRF
91.6/100
Agent-Optimized
Verified
MAY 21, 2026
Methodology v1 · JAIRF v1.0.0

Powered by JAIRF v1.0.0 by Jentic · open methodology at /the-headless-index/methodology

Editorial verdict
Stytch is partially headless and partly UI-led. The Headless Index thesis-fit score of 52/100 puts it mid-table on the index, and JAIRF v1.0.0 puts it at 91.6/100 (Level 4, Agent-Optimized). In practice, vendors at this tier are partly machine-consumable: the core flows are reachable through code but several adjacent surfaces still expect a human at a dashboard, and the rest of this verdict explains where Stytch lands inside that pattern. On the API surface, the question is whether the API is the product or a layer beneath the dashboard. Stytch is an API-first identity product with a Management API and SDKs in Node, Python, Java, Go, Ruby, .NET, and Vanilla JS. The API covers passwordless flows (magic link, SMS, OTP, biometrics), B2C and B2B identity primitives, fraud detection, and consumer identity. Auth-as-an-API is the explicit positioning.[1] Schema observability is the related test: can an agent introspect the contract from cold, or does it have to read prose documentation to do so? REST documentation is detailed and the SDK ecosystem is broad enough that schema introspection through generated clients is straightforward. A canonical OpenAPI URL is not prominently exposed.[2] An agent can drive parts of this product, but not all of it: integrators should plan for human-in-the-loop checkpoints where the headless surface stops short. On headless operability: User CRUD, organisation and member management (in the B2B SKU), passwordless flow configuration, MFA, session management, and fraud rule tuning are all programmable. The product avoids hosted UI as much as possible, which makes it among the more headless-friendly identity vendors.[3] On the MCP and agent-integration axis, which is the fastest-moving criterion in the index: Stytch has not published a first-party MCP server. The API surface is shaped for direct integration into auth flows rather than for agent consumption, but the underlying primitives would adapt easily.[4] Event posture closes the loop: an agent that cannot react to state changes is reduced to polling. Stytch webhooks deliver authentication events (login, signup, password change, MFA challenge) with HMAC signing. The B2B SKU adds organisation and member lifecycle events. The catalog is competitive with the rest of the modern-identity sub-category. Net assessment: integrators can build agent flows against Stytch, but the rough edge to plan around is schema observability[5]. Expect to wrap missing pieces in bespoke glue or accept human-in-the-loop checkpoints. Workable but requires scaffolding.
Verdict by Headless Index pipeline (auto)
// AI-drafted from the evidence layer. Editorial review pending.
Scores

Scorecard detail

Headless Index · 5 sub-criteria
API-first design intent12/20
scored

Stytch is an API-first identity product with a Management API and SDKs in Node, Python, Java, Go, Ruby, .NET, and Vanilla JS. The API covers passwordless flows (magic link, SMS, OTP, biometrics), B2C and B2B identity primitives, fraud detection, and consumer identity. Auth-as-an-API is the explicit positioning.

signals (6)
  • +AI review appliedReviewer: Editorial review on 2026-05-20
  • +OpenAPI specPublished, 0 operations
  • GraphQL endpointNot discovered (5 probes; project-scoped endpoints require a real project ID)
  • +SDKs maintained12 (dotnet, go, java, javascript, python, ruby, swift, typescript); top by stars: stytchauth/stytch-node (115 stars)
  • +SDK recency8 of 12 SDK repos pushed within 30 days (most recent SDK commit: 2026-05-12)
  • +npm weekly downloads25.3M across published packages; top: npm @ 12.6M/week
cite (1)
  • ai_review_browser.auth@2026-05-20
Headless operation12/20
scored

User CRUD, organisation and member management (in the B2B SKU), passwordless flow configuration, MFA, session management, and fraud rule tuning are all programmable. The product avoids hosted UI as much as possible, which makes it among the more headless-friendly identity vendors.

signals (9)
  • +AI review appliedReviewer: Editorial review on 2026-05-20
  • API operations exposedOpenAPI present but operations could not be counted
  • ·Docs pages crawled0 pages (crawler: none)
  • ·Auth schemes documentedAuth documentation page not reached by crawler
  • ·Setup / quickstart docsNot reached by crawler
  • ·Billing docsNot reached by crawler
  • ·Teams / org docsNot reached by crawler
  • ·CLI docsNot reached by crawler
  • ·Schema / data model docsNot reached by crawler
cite (1)
  • ai_review_browser.topics_found@2026-05-20
MCP & agent posture20/20
scored

Stytch has not published a first-party MCP server. The API surface is shaped for direct integration into auth flows rather than for agent consumption, but the underlying primitives would adapt easily.

signals (4)
  • +AI review appliedReviewer: Editorial review on 2026-05-20
  • +Official MCP serverhttps://github.com/stytchauth/mcp-stytch-consumer-todo-list (27 stars, last commit 69 days ago)
  • ·Community MCP servers5 community MCP repos; top by stars: https://github.com/stytchauth/mcp-stytch-b2b-okr-manager (7 stars)
  • +Agent-friendly SDKs6 TS/JS SDKs available; top: stytch (184.1k/week downloads)
cite (1)
  • ai_review_browser.mcp@2026-05-20
Schema observability4/20
scored

REST documentation is detailed and the SDK ecosystem is broad enough that schema introspection through generated clients is straightforward. A canonical OpenAPI URL is not prominently exposed.

signals (3)
  • +AI review appliedReviewer: Editorial review on 2026-05-20
  • +OpenAPIPublished at https://raw.githubusercontent.com/stytchauth/stytch-openapi/main/openapi.yml (OpenAPI undefined, 0 operations)
  • GraphQL introspectionNo GraphQL endpoint discovered (5 probes; some vendors use project-scoped endpoints that require a real project handle)
cite (1)
  • ai_review_browser.pages_fetched@2026-05-20
Webhooks & events4/20
scored

Stytch webhooks deliver authentication events (login, signup, password change, MFA challenge) with HMAC signing. The B2B SKU adds organisation and member lifecycle events. The catalog is competitive with the rest of the modern-identity sub-category.

signals (2)
  • +AI review appliedReviewer: Editorial review on 2026-05-20
  • ·Webhook docs pageNot reached by crawler within budget (0 pages crawled). Cannot confirm whether vendor offers webhooks.
cite (1)
  • ai_review_browser.pages_fetched@2026-05-20
JAIRF · 6 dimensions
FCFoundational Compliance
100/100

Structural validity, standards conformance, and parsability of the OpenAPI specification.

DXJDeveloper Experience & Tooling Compatibility
86.9/100

Documentation clarity, example coverage, response completeness, and ingestion health.

ARAXAI-Readiness & Agent Experience
95.3/100

Semantic clarity, intent expression, datatype specificity, and error standardization.

AUAgent Usability
100/100

Operational composability, complexity comfort, navigation affordances, and safety patterns.

SECSecurity
80/100

Authentication strength, transport security, secret hygiene, and OWASP risk posture.

AIDAI Discoverability
75/100

Descriptive richness, intent phrasing, workflow context, and registry signals.

Band rationale:C band: scores 40-75 range

04 / Embed

Show Stytch's score on your site.

Drop a live badge into your README, footer, or marketing page. It updates automatically when we re-score, and every embed is a dofollow link back here.

Stytch mini badge preview
Get embed code
Peers in Auth & Identity
DescopeC
Headless Index 52/100
CasdoorC
Headless Index 52/100
FusionAuthC
Headless Index 51/100
See full Auth & Identity ranking →