authentik
Generated on 17 Jun 2025 from the authentik catalog page
What is authentik?
authentik is a self‑hosted, open‑source Identity Provider (IdP) and Single Sign‑On (SSO) platform designed with security, flexibility, and customization at its core. It lets developers and admins delegate user management, authentication flows, MFA, password recovery, session control, policy enforcement, and more—so you can focus on building your application instead of reinventing auth.
🔧 Key Capabilities
- Multi‑Protocol Support: Native compatibility with OAuth2/OIDC, SAML2, LDAP, RADIUS, and SCIM ensures seamless integration with both modern and legacy systems.
- Flexible Authentication Flows: Define custom user journeys (“Flows”) assembled from modular “Stages” for login, MFA, registration, recovery, or approval—configurable via visual editor, APIs, or YAML blueprints.
- Multi‑Factor & Passwordless: Supports TOTP and hardware WebAuthn/passkeys, delivering phishing‑resistant and advanced authentication options.
- Conditional Access & Zero‑Trust: Apply attribute-based or context-aware policies (e.g. time-of-day, device, IP/location) to align with zero‑trust security models.
- GeoIP & Impossible‑Travel Detection: Enhance protection with location verification, threat detection, session binding, and audit logging.
- Self‑Service Admin & User UI: Admin dashboard for managing users, logs, flows, and integrations; User portal for profile management, password resets, and app access overview.
📦 Deployment & Integration
- Self‑Hosted Anywhere: Deploy via Docker Compose, Kubernetes (Helm), Terraform, or traditional VMs—retaining full control over your identity infrastructure.
- Pre‑Built Integrations: Out-of-the-box connectors for applications like Nextcloud, WordPress, *arr suite, Jitsi, and more—using OAuth2, SAML, or proxy providers.
- Extensible with API & IaC: Automate flows, policies, provisioning, apps, and more through REST APIs, Terraform provider, and YAML blueprints.
💡 Why Choose authentik?
- Transparent & Secure: Open source with community audits and support for enterprise-grade standards like FIPS.
- Simplicity Over Keycloak: Lightweight, developer-friendly UI and modular approach with fewer resource demands.
- Avoid Vendor Lock‑In: Gives you independence from proprietary IdPs like Okta or Azure AD.
- Cost‑Effective: No per-user fees—open-core licensing means full functionality is available without hidden costs.
🧩 Common Use Cases
- Employee or enterprise SSO
- Customer identity management for SaaS
- Zero‑trust gateways and conditional access
- Modernizing legacy apps with proxy/LDAP support
- Remote access gateways (SSH/RDP/VNC)
- API protection with token and policy enforcement
- Self‑service user administration
With a thriving community, over one million deployments, and enterprise backing, authentik provides a powerful, secure, and adaptable identity platform—empowering you to stop rebuilding authentication and focus on product innovation.
Software Included
Package | Version | License |
---|---|---|
authentik | 2025.6.2 | MIT |
docker | latest | |
docker-compose | latest | |
Creating an App using the Control Panel
Click the Deploy to DigitalOcean button to create a Droplet based on this 1-Click App. If you aren’t logged in, this link will prompt you to log in with your DigitalOcean account.
Creating an App using the API
In addition to creating a Droplet from the authentik 1-Click App using the control panel, you can also use the DigitalOcean API. As an example, to create a 4GB authentik Droplet in the SFO2 region, you can use the following curl command. You need to either save your API access token to an environment variable or substitute it in the command below.
# TOKEN must hold your DigitalOcean API access token; the double quotes keep the header intact.
curl -X POST -H 'Content-Type: application/json' \
-H "Authorization: Bearer $TOKEN" -d \
'{"name":"choose_a_name","region":"sfo2","size":"s-2vcpu-4gb","image": "goauthentikio-authentik"}' \
"https://api.digitalocean.com/v2/droplets"
Getting Started After Deploying authentik
Open https://your_droplet_public_ipv4/if/flow/initial-setup/ to configure the initial admin account.
Error reporting is enabled by default. To change this, ssh root@your_droplet_public_ipv4, edit /srv/authentik/.env and set AUTHENTIK_ERROR_REPORTING__ENABLED to false. Afterwards, run ak appliance start to apply the new setting.
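The edit described above as an idempotent script, added here as an example and not part of the original page or the authentik project. It rewrites only the one key, leaves every other line untouched, and keeps the file at mode 600 on the assumption that it also holds secrets. The function names env_get, env_set and disable_error_reporting are hypothetical; the path, the key and ak appliance start are the ones the page names.

```shell
#!/bin/sh
# Added example, not code from the page or from authentik.
# Path and key are the ones the page names; function names are hypothetical.
ENV_FILE=${ENV_FILE:-/srv/authentik/.env}
KEY=AUTHENTIK_ERROR_REPORTING__ENABLED

# Print the effective value of KEY in FILE (last active assignment wins).
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Set KEY=VALUE in FILE: drop all active assignments, append exactly one.
# Commented-out lines and all other keys are preserved. The new content is
# written to a temp file in the same directory and moved into place, so the
# file is never half-written and stays mode 600 (assumption: it holds secrets).
env_set() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # grep -v exits 1 when it outputs no lines; only a status >1 is an error.
    grep -v "^$key=" "$file" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# Print "changed" if the file had to be edited, "unchanged" if it was already
# correct, so the caller restarts the appliance only when needed.
disable_error_reporting() {
    file=${1:-$ENV_FILE}
    if [ "$(env_get "$file" "$KEY")" = "false" ]; then
        echo "unchanged"
    else
        env_set "$file" "$KEY" false && echo "changed"
    fi
}

# On the Droplet, as root:
#   [ "$(disable_error_reporting)" = changed ] && ak appliance start
```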