authentik

authentik is an open-source identity provider that lets you replace Okta, Auth0 or Entra ID with software you fully control — one binary, one PostgreSQL, one Redis, and a visual flow editor that handles SAML, OIDC, LDAP and RADIUS in the same admin UI. We rate it 83/100 — outstanding for self-hosting homelabs and growing startups that want serious SSO without the Keycloak learning curve, but the initial setup will absolutely punish anyone who skips the documentation.

What is authentik?

authentik is a modern Identity Provider (IdP) built around a concept the project calls flows — configurable, branching sequences of stages (identification, password, MFA, consent, captcha, denial) that you wire up in a graphical editor instead of YAML. The result is a single open-source binary that can act as a full SAML/OIDC IdP, an LDAP server, a RADIUS server and a forward-auth proxy, all from one admin console at the same time.

The project was started in 2018 by German engineer Jens Langhammer as an open-source hobby project (originally called Supervisr) and was formally incorporated as Authentik Security, Inc. in 2022 with backing from Open Core Ventures. The GitHub repo at goauthentik/authentik now sits at 21,200+ stars and pushes daily; the project is widely cited in r/selfhosted as the default recommendation for anyone who wants centralized login across Jellyfin, Nextcloud, Proxmox, pfSense and the rest of their homelab.

Key Features of authentik

• Protocol coverage in one binary: SAML 2.0, OAuth 2.0, OIDC, LDAP, SCIM, RADIUS and proxy/forward-auth providers ship in the same image — no separate microservices to glue together.
• Visual flow editor: Drag-and-drop authentication journeys with stages for password, MFA (TOTP, WebAuthn, Duo, mobile app), captcha, consent, dynamic prompts and policies. Conditional branches let you require WebAuthn for admins but allow OTP for everyone else.
• Outposts: Lightweight Docker workers that act as forward-auth or LDAP gateways — drop one in front of any legacy app (Sonarr, Grafana, Portainer, internal tools) to retrofit SSO without touching the upstream code.
• Identity sources and federation: Built-in connectors for Google Workspace, Microsoft Entra ID, GitHub, Apple, Plex, Twitch, generic OAuth/SAML/OIDC, and LDAP/AD — users can sign in via any of them and authentik mints unified tokens downstream.
• Self-service portal: End users see a tile-based application launcher, manage their own MFA devices, and reset passwords without filing a ticket.
• Enterprise add-ons: Google Workspace and Entra ID provisioning, Device Trust, Shared Signals Framework (CAEP), mTLS client-cert auth, advanced audit logging and FIPS-compliant builds for FedRAMP environments.

What Users Say About authentik

Sentiment in self-hosted communities is overwhelmingly positive but heavily caveated by the setup curve. On r/selfhosted, threads recommending authentik routinely hit hundreds of upvotes; XDA Developers published a piece in 2024 titled “Authentik was one of the most difficult services I ever set up, but now I can’t live without it” that captures the consensus exactly — flows and stages feel intimidating until they click, and then they become the reason people stay.

The recurring complaints are real. Users on Reddit and the GitHub issue tracker flag breaking changes between major versions (downgrades are explicitly unsupported, so a database backup before every upgrade is mandatory), the resource footprint when you add PostgreSQL and Redis to a small VPS, and the fact that the visual editor — while powerful — surfaces “too many options” on first run. The Cerbos and Elest.io comparison posts both flag the same trade-off: more flexibility than Authelia, less enterprise polish than Zitadel, dramatically friendlier than Keycloak.

authentik Pricing

The core project is MIT-licensed and free forever — no seat caps, no feature gating on the open-source edition. Paid tiers only unlock enterprise integrations and support.

Plan	Price	Key Limits
Open Source / Community	$0	Unlimited users and applications. Community support via Discord and GitHub. MIT license.
Enterprise	$5 / user / month + $0.02 / external user / month	Billed annually. Adds Google Workspace + Entra ID provisioning, Device Trust, mTLS, advanced audit, ticket-based support over $1k.
Enterprise Plus	From $20,000 / year	Custom contracts, dedicated support and SLAs, FIPS compliance for FedRAMP, volume discounts for thousands of users.

Who Should Use authentik?

Best for: Self-hosters consolidating logins across a homelab; small-to-mid startups (5–500 employees) that want a single SSO surface for SaaS apps and internal tools without paying Okta’s $6–$15/user; platform teams that need an LDAP server, OIDC IdP and forward-auth proxy in the same daemon; and any organization required to keep identity data on-prem.

Not ideal for: Teams that need a managed cloud IdP with no operational burden — pick Clerk, Better Auth or Auth0 instead. Also a poor fit if your workload is purely a B2C SaaS where developer-first APIs and embeddable UI components matter more than enterprise SSO protocols.

Pros and Cons

Pros:

• One binary covers SAML, OIDC, LDAP, RADIUS and forward-auth — no separate processes to maintain.
• Flow editor genuinely simplifies common scenarios once you stop fighting it; conditional MFA, step-up auth and captcha gates take minutes to wire up.
• MIT-licensed core with no seat cap; you can run thousands of users on the free tier indefinitely.
• Active maintenance: 21,000+ GitHub stars, daily commits, official Helm chart and AWS CloudFormation templates.
• Outposts let you bolt SSO onto legacy apps that don’t natively speak OIDC or SAML.

Cons:

• The first install is genuinely hard — reverse proxy, certs, PostgreSQL, Redis and outposts all have to line up before you see a login page.
• Major version upgrades sometimes break flows; downgrades are not supported and a DB backup before every upgrade is mandatory.
• Resource footprint is heavier than Authelia for tiny homelabs (1–2 users, 3–4 services).
• Enterprise features (Entra/Workspace provisioning, Device Trust) are paid-only and pricing is opaque above $1k contracts.

Alternatives to authentik

Authelia is lighter and YAML-configured — better for two-user homelabs with Traefik, but no SAML or LDAP server. Keycloak is the enterprise heavyweight with deeper realm and federation features but a notoriously steep admin console. Zitadel is the cloud-native, Go-based newcomer with multi-tenant architecture and event sourcing — pick it if you’re building B2B SaaS with strict tenant isolation and don’t mind AGPL.

Verdict: Is authentik Worth It?

Yes — if you are willing to invest a weekend in the docs. authentik hits a sweet spot the rest of the open-source IdP space hasn’t: enough protocol coverage and policy expressiveness to replace Okta in a small company, but a UX modern enough that a single platform engineer can run it without becoming a full-time identity admin. Once your flows are configured the daily operational burden is minimal, and the MIT license means you can scale to thousands of users without a single invoice. 83/100 reflects that — almost a 90 if not for the upgrade fragility and the very real ramp time.

Frequently Asked Questions

Is authentik free?

Yes. The core authentik project is MIT-licensed and free for unlimited users and applications. Paid Enterprise plans start at $5 per user per month and only add Google Workspace / Entra ID provisioning, Device Trust, advanced audit and ticket support.

What protocols does authentik support?

SAML 2.0, OAuth 2.0, OpenID Connect (OIDC), LDAP (as both source and provider), SCIM, RADIUS, and forward/proxy authentication via outposts. Federation sources include Google, Microsoft Entra ID, GitHub, Apple, Plex and any generic OAuth/SAML/OIDC IdP.

How does authentik compare to Keycloak?

authentik is dramatically easier to learn — the visual flow editor replaces Keycloak’s realm/client/mapper hierarchy — but Keycloak still wins on extreme-scale enterprise deployments and depth of federation features. For self-hosters and startups, authentik is the more practical choice in 2026.

Is authentik open source?

Yes. The core is MIT-licensed at github.com/goauthentik/authentik. A separate Enterprise Edition (under a commercial EE license) layers paid integrations on top of the same codebase.

Can authentik replace Okta or Auth0?

For most use cases, yes. authentik provides the SAML, OIDC and SCIM features needed to act as a primary IdP for SaaS applications. The main gaps versus Okta are managed uptime, the breadth of pre-built SaaS connectors, and the polished admin tooling that Okta charges for.

What are the system requirements?

authentik requires PostgreSQL 12+ and Redis. The official Docker Compose stack runs comfortably on a 2 GB / 2 vCPU VPS for small deployments. For Kubernetes, the official Helm chart at github.com/goauthentik/helm is the recommended path.