authentik

Generated on 17 Jun 2025 from the authentik catalog page

What is authentik?

authentik is a self‑hosted, open‑source Identity Provider (IdP) and Single Sign‑On (SSO) platform designed with security, flexibility, and customization at its core. It lets developers and admins delegate user management, authentication flows, MFA, password recovery, session control, policy enforcement, and more—so you can focus on building your application instead of reinventing auth.


🔧 Key Capabilities

  • Multi‑Protocol Support: Native compatibility with OAuth2/OIDC, SAML2, LDAP, RADIUS, and SCIM ensures seamless integration with both modern and legacy systems.
  • Flexible Authentication Flows: Define custom user journeys (“Flows”) assembled from modular “Stages” for login, MFA, registration, recovery, or approval—configurable via visual editor, APIs, or YAML blueprints.
  • Multi‑Factor & Passwordless: Supports TOTP and hardware WebAuthn/passkeys, delivering phishing‑resistant and advanced authentication options.
  • Conditional Access & Zero‑Trust: Apply attribute-based or context-aware policies (e.g. time-of-day, device, IP/location) to align with zero‑trust security models.
  • GeoIP & Impossible‑Travel Detection: Enhance protection with location verification, threat detection, session binding, and audit logging.
  • Self‑Service Admin & User UI: Admin dashboard for managing users, logs, flows, and integrations; User portal for profile management, password resets, and app access overview.

📦 Deployment & Integration

  • Self‑Hosted Anywhere: Deploy via Docker Compose, Kubernetes (Helm), Terraform, or traditional VMs—retaining full control over your identity infrastructure.
  • Pre‑Built Integrations: Out-of-the-box connectors for applications like Nextcloud, WordPress, *arr suite, Jitsi, and more—using OAuth2, SAML, or proxy providers.
  • Extensible with API & IaC: Automate flows, policies, provisioning, apps, and more through REST APIs, Terraform provider, and YAML blueprints.

💡 Why Choose authentik?

  • Transparent & Secure: Open source with community audits and support for enterprise-grade standards like FIPS.
  • Simplicity Over Keycloak: Lightweight, developer-friendly UI and modular approach with fewer resource demands.
  • Avoid Vendor Lock‑In: Gives you independence from proprietary IdPs like Okta or Azure AD.
  • Cost‑Effective: No per-user fees—open-core licensing means full functionality is available without hidden costs.

🧩 Common Use Cases

  • Employee or enterprise SSO
  • Customer identity management for SaaS
  • Zero‑trust gateways and conditional access
  • Modernizing legacy apps with proxy/LDAP support
  • Remote access gateways (SSH/RDP/VNC)
  • API protection with token and policy enforcement
  • Self‑service user administration

With a thriving community, over one million deployments, and enterprise backing, authentik provides a powerful, secure, and adaptable identity platform—empowering you to stop rebuilding authentication and focus on product innovation.

Software Included

Package         Version   License
authentik       2025.6.2  MIT
docker          latest
docker-compose  latest

Creating an App using the Control Panel

Click the Deploy to DigitalOcean button to create a Droplet based on this 1-Click App. If you aren’t logged in, this link will prompt you to log in with your DigitalOcean account.


Creating an App using the API

In addition to creating a Droplet from the authentik 1-Click App using the control panel, you can also use the DigitalOcean API. As an example, to create a 4GB authentik Droplet in the SFO2 region, you can use the following curl command. You need to either save your API access token to an environment variable (TOKEN in the command below) or substitute it in the command.

curl -X POST -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $TOKEN" \
     -d '{"name":"choose_a_name","region":"sfo2","size":"s-2vcpu-4gb","image":"goauthentikio-authentik"}' \
     "https://api.digitalocean.com/v2/droplets"

Getting Started After Deploying authentik

Open https://your_droplet_public_ipv4/if/flow/initial-setup/ to configure the initial admin account.

Error reporting is enabled by default. To change this, run ssh root@your_droplet_public_ipv4, edit /srv/authentik/.env and set AUTHENTIK_ERROR_REPORTING__ENABLED to false. Afterwards, run ak appliance start to apply the new setting.
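
One way to script the .env change described above so that it is repeatable and leaves a single, unambiguous assignment (an added example, not part of the original page or the authentik project; the helper names set_env_key and get_env_key and the sample file contents are assumptions made for illustration):

```shell
#!/bin/sh
# Added example (not from the original page). Helper names are hypothetical.

# set_env_key FILE KEY VALUE: leave exactly one KEY=VALUE line in FILE.
set_env_key() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # mktemp creates the copy with mode 0600, so settings are never exposed.
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # Drop every existing assignment of KEY (duplicates make the effective
    # value ambiguous); comments and all other lines are kept untouched.
    if awk -v k="$key" 'index($0, k "=") != 1' "$file" > "$tmp" &&
       printf '%s=%s\n' "$key" "$value" >> "$tmp"; then
        # Write back in place so the original owner and mode are preserved.
        cat "$tmp" > "$file"
        status=$?
    else
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}

# get_env_key FILE KEY: print the effective (last assigned) value of KEY.
get_env_key() {
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { print v }' "$1"
}

# Demo on a constructed sample file, not a real authentik .env.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample
OTHER_SETTING=unchanged
AUTHENTIK_ERROR_REPORTING__ENABLED=true
AUTHENTIK_ERROR_REPORTING__ENABLED=true
EOF
set_env_key "$demo" AUTHENTIK_ERROR_REPORTING__ENABLED false
echo "effective value: $(get_env_key "$demo" AUTHENTIK_ERROR_REPORTING__ENABLED)"
rm -f "$demo"

# On the Droplet (paths and command as given on the page):
#   set_env_key /srv/authentik/.env AUTHENTIK_ERROR_REPORTING__ENABLED false \
#     && ak appliance start
```

Checking the result with get_env_key before running ak appliance start confirms the setting that will actually be applied.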
