authentik
The self-hosted Identity Provider that replaces Okta, Auth0, and Entra ID with a unified SSO platform supporting SAML, OAuth2/OIDC, LDAP, RADIUS, and WebAuthn.
authentik is a comprehensive open-source Identity Provider (IdP) built for organizations that want full control over their authentication infrastructure. It unifies SAML, OAuth2/OIDC, LDAP, RADIUS, SCIM, and WebAuthn into a single self-hosted platform, enabling secure single sign-on across every application in your stack without depending on a third-party cloud service.
At its core, authentik is built around a visual flow engine that lets administrators design authentication journeys as directed graphs of stages — from enrollment and login to MFA setup and account recovery. Every step is configurable through a policy engine that evaluates rules in real time, allowing fine-grained access control based on attributes, group membership, geolocation, or custom Python expressions.
The platform ships with outposts — lightweight proxy agents deployed close to your applications — that handle forward authentication for services that don’t natively support modern identity protocols. Whether you’re running a small homelab on Docker Compose or a production Kubernetes cluster with hundreds of applications, authentik scales horizontally and integrates seamlessly with your existing infrastructure.
authentik is actively maintained by a dedicated team with a track record of frequent releases, comprehensive documentation, and a growing enterprise tier that adds advanced RBAC, audit reporting, and commercially supported SLA guarantees for organizations that need them.
What You Get
- A visual flow engine for designing multi-stage authentication journeys including login, enrollment, MFA setup, and account recovery
- Multi-protocol support covering SAML 2.0, OAuth2/OIDC, LDAP, RADIUS, SCIM, and WebAuthn from a single installation
- Outpost proxy agents that add forward authentication to applications without native SSO support, deployed via Docker or Kubernetes
- A full policy engine supporting Python expression policies, reputation-based policies, geolocation rules, and attribute-based access control
- Built-in MFA with TOTP, WebAuthn (hardware keys/passkeys), Duo, SMS, static tokens, and email OTP stages
- Identity source federation from LDAP, Active Directory, OAuth social providers (Google, GitHub, Apple), SAML IdPs, and Kerberos
- Blueprint-based configuration-as-code for declarative provisioning and reproducible environments
- SCIM 2.0 outbound provisioning to synchronize users and groups to downstream SaaS applications automatically
Common Use Cases
- Homelab SSO hub — A self-hosting enthusiast uses authentik as the single login point for Proxmox, Nextcloud, Grafana, and Jellyfin, enabling one-click access from a branded portal page
- Replacing Okta in a startup — An engineering team migrates 50 internal applications off Okta by configuring SAML and OIDC providers in authentik, eliminating a five-figure annual SaaS bill
- Zero Trust proxy enforcement — A platform team deploys authentik outposts in front of internal dashboards, requiring valid SSO sessions and group membership before any request reaches the upstream service
- Employee enrollment automation — HR triggers an authentik invitation flow on hire that walks new employees through account creation, email verification, MFA registration, and welcome group assignment without IT involvement
- Multi-tenant SaaS identity — A B2B software company uses authentik’s multi-tenancy support to give each enterprise customer an isolated identity namespace with their own SAML or LDAP source
- Regulated compliance environment — A healthcare organization uses authentik’s audit event stream and RBAC to satisfy HIPAA access-control and logging requirements without a commercial IdP
Under The Hood
Architecture authentik is organized as a layered monolith with well-separated concerns: a Django-based API and policy engine at the core, a reactive flow planner that builds stage sequences at request time, and stateless outpost processes that handle protocol-specific traffic at the edge. The flow engine is the central abstraction — every authentication journey is a directed graph of stage bindings evaluated against a policy engine in real time, meaning authorization decisions are recomputed per-request rather than baked in at session creation. This event-driven evaluation model extends cleanly to multi-tenancy through django-tenants, separating namespaces at the database schema level without requiring separate deployments.
Tech Stack The server is Python 3.14 on Django 5.2 with Django REST Framework and drf-spectacular for API generation, Channels for WebSocket support, and PostgreSQL as the sole supported database with heavy reliance on pg-specific features including pgtrigger, pglock, and postgres-extra for materialized views. The proxy outpost layer is written in Go, using gorilla/mux and the go-oidc library, providing a lightweight compiled binary for edge deployments. The web frontend is built in TypeScript using Lit (web components), bundled with Vite, and shipped as a standalone SPA. A Rust workspace handles a new axum-based service and client bindings. Deployment targets include Docker Compose with official images and a first-class Helm chart for Kubernetes.
Code Quality authentik has extensive automated test coverage with over 323 Python test files spanning unit, integration, and end-to-end Playwright tests. The codebase is enforced with ruff for linting and formatting, mypy with Django and DRF stubs for static type checking, and ESLint plus stylelint on the frontend. CI runs on GitHub Actions with separate pipelines for the core backend, outpost binaries, and web build, with Codecov integration for coverage tracking. Error handling is structured and explicit throughout — custom exception classes propagate policy failures, flow non-applicability, and protocol errors as typed objects rather than generic exceptions.
What Makes It Unique authentik’s visual flow engine is its most distinctive technical contribution: rather than hard-coding authentication sequences, every login, enrollment, recovery, or device-registration journey is a composable graph of reusable stage bindings evaluated against a real-time policy engine. This means administrators can inject a captcha stage conditionally based on reputation score, redirect to an invitation-enrollment flow based on email domain, or require WebAuthn only for admin-role users — all without writing application code. The Blueprint system extends this to configuration-as-code, enabling reproducible IdP environments via YAML declarations that are version-controlled and applied idempotently on startup.
Self-Hosting
The main codebase is released under the MIT license for all content outside the authentik/enterprise/ directory and the website, which means you can use it commercially, modify it freely, and redistribute it without source-disclosure obligations. The enterprise features in the authentik/enterprise/ directory are governed by the authentik Enterprise Edition license, which requires a paid subscription for production use but permits development and testing use for free. The practical distinction for self-hosters is clear: the full feature set needed for most self-hosting scenarios — all protocols, all MFA methods, the flow engine, outposts, blueprints, and SCIM — is MIT-licensed and freely available with no license checks at runtime.
Running authentik yourself requires a PostgreSQL database, a Redis-compatible cache, and at least two containers: the server and a worker. The official Docker Compose setup is well-documented and recommended for small deployments. For production, the Helm chart is the supported path to Kubernetes, where authentik can scale horizontally across multiple server replicas. You are responsible for database backups, PostgreSQL version upgrades, TLS termination, monitoring, and applying security patches when new releases ship roughly every two months. The outpost agents must be deployed separately, either in the same cluster or alongside your protected applications, adding operational surface area proportional to the number of protected services.
Compared to the enterprise cloud tier, self-hosted deployments exchange operational simplicity for data sovereignty and cost control. The paid Enterprise tier adds advanced RBAC with per-object permissions, compliance reporting, SLA-backed support, and managed upgrades — none of which are available in the community edition. There is no fully managed SaaS version of authentik that handles infrastructure for you; the cloud tier is a licensing and support layer on top of your own deployment, not a hosted service.
Related Apps
Supabase
Developer Tools · Databases · Search
The open-source Postgres development platform that replaces Firebase with authentication, real-time APIs, edge functions, storage, and vector embeddings — all built on PostgreSQL.
Supabase
Apache 2.0Caddy
Devops · Security
The only web server that obtains and renews TLS certificates automatically, with HTTP/1-2-3 support and zero dependency on external runtimes.
Caddy
Apache 2.0Traefik
Devops · Automation · Security
A cloud-native reverse proxy and load balancer that auto-configures itself from Docker, Kubernetes, and other orchestrators — zero manual routing required.