# authentik

Generated on 13 Mar 2026 from [the authentik catalog page](https://marketplace.digitalocean.com/apps/authentik)

## What is authentik?

**authentik** is a self‑hosted, open‑source Identity Provider (IdP) and Single Sign‑On (SSO) platform designed with security, flexibility, and customization at its core. It lets developers and admins delegate **user management, authentication flows, MFA, password recovery, session control, policy enforcement**, and more—so you can focus on building your application instead of reinventing auth.

* * *

### 🔧 Key Capabilities

- **Multi‑Protocol Support**: Native compatibility with OAuth2/OIDC, SAML2, LDAP, RADIUS, and SCIM ensures seamless integration with both modern and legacy systems.
- **Flexible Authentication Flows**: Define custom user journeys (“Flows”) assembled from modular “Stages” for login, MFA, registration, recovery, or approval—configurable via visual editor, APIs, or YAML blueprints.
- **Multi‑Factor & Passwordless**: Supports TOTP, hardware WebAuthn/passkeys, delivering phishing‑resistant and advanced authentication options.
- **Conditional Access & Zero‑Trust**: Apply attribute-based or context-aware policies (e.g. time-of-day, device, IP/location) to align with zero‑trust security models.
- **GeoIP & Impossible‑Travel Detection**: Enhance protection with location verification, threat detection, session binding, and audit logging.
- **Self‑Service Admin & User UI**: Admin dashboard for managing users, logs, flows, and integrations; User portal for profile management, password resets, and app access overview.

* * *

### 📦 Deployment & Integration

- **Self‑Hosted Anywhere**: Deploy via Docker Compose, Kubernetes (Helm), Terraform, or traditional VMs—retaining full control over your identity infrastructure.
- **Pre‑Built Integrations**: Out-of-the-box connectors for applications like Nextcloud, WordPress, \*arr suite, Jitsi, and more—using OAuth2, SAML, or proxy providers.
- **Extensible with API & IaC**: Automate flows, policies, provisioning, apps, and more through REST APIs, Terraform provider, and YAML blueprints.

* * *

### 💡 Why Choose authentik?

- **Transparent & Secure**: Open source with community audits and support for enterprise-grade standards like FIPS.
- **Simplicity Over Keycloak**: Lightweight, developer-friendly UI and modular approach with fewer resource demands.
- **Avoid Vendor Lock‑In**: Gives you independence from proprietary IdPs like Okta or Azure AD.
- **Cost‑Effective**: No per-user fees—open-core licensing means full functionality is available without hidden costs.

* * *

### 🧩 Common Use Cases

- Employee or enterprise SSO
- Customer identity management for SaaS
- Zero‑trust gateways and conditional access
- Modernizing legacy apps with proxy/LDAP support
- Remote access gateways (SSH/RDP/VNC)
- API protection with token and policy enforcement
- Self‑service user administration

* * *

With a thriving community, over one million deployments, and enterprise backing, **authentik** provides a powerful, secure, and adaptable identity platform—empowering you to stop rebuilding authentication and focus on product innovation.

## Software Included

| Package | Version | License |
|---|---|---|
| authentik | 2026.2.1 | MIT |
| docker | latest | |
| docker-compose | latest | |

## Creating an App using the Control Panel

Click the **Deploy to DigitalOcean** button to create a Droplet based on this 1-Click App. If you aren’t logged in, this link will prompt you to log in with your DigitalOcean account.

[![Deploy to DO](https://www.deploytodo.com/do-btn-blue.svg)](https://cloud.digitalocean.com/droplets/new?image=goauthentikio-authentik)

## Creating an App using the API

In addition to creating a Droplet from the authentik 1-Click App using the control panel, you can also use the [DigitalOcean API](https://docs.digitalocean.com/reference/api).
As an example, to create a 4GB authentik Droplet in the SFO2 region, you can use the following `curl` command. You need to either save your [API access token](https://docs.digitalocean.com/reference/api/create-personal-access-token/index.html.md) to an environment variable or substitute it in the command below.

```shell
# $TOKEN holds the DigitalOcean API access token; the double quotes keep it as one header value
curl -X POST -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $TOKEN" -d \
    '{"name":"choose_a_name","region":"sfo2","size":"s-2vcpu-4gb","image":"goauthentikio-authentik"}' \
    "https://api.digitalocean.com/v2/droplets"
```

## Getting Started After Deploying authentik

Open `https://your_droplet_public_ipv4/if/flow/initial-setup/` to configure the initial admin account.

Error reporting is enabled by default. To change this, run `ssh root@your_droplet_public_ipv4`, edit `/srv/authentik/.env` and set `AUTHENTIK_ERROR_REPORTING__ENABLED` to false. Afterwards, run `ak appliance start` to apply the new setting.
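
The error-reporting change described above can be scripted so that it is repeatable. This is an added example, not part of the original page or of authentik's tooling: `set_env_key` is a hypothetical helper, and it assumes the env file uses plain `KEY=value` lines.

```shell
#!/bin/sh
# Hypothetical helper (added example): set KEY=VALUE in an env file.
# - replaces the first existing assignment of KEY
# - drops later duplicate assignments of KEY
# - appends KEY=VALUE when the key is absent
# - leaves comments and every other line untouched
# - keeps a .bak copy and the original file's owner and mode
set_env_key() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || { echo "set_env_key: $file not found" >&2; return 1; }
    tmp=$(mktemp) || return 1   # created with mode 0600; env files hold secrets

    awk -v k="$key" -v v="$value" '
        index($0, k "=") == 1 {          # line starts with KEY=
            if (!seen) { print k "=" v; seen = 1 }
            next                         # skip duplicates
        }
        { print }
        END { if (!seen) print k "=" v } # key was absent: append it
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }

    cp -p "$file" "$file.bak" || { rm -f "$tmp"; return 1; }
    # Write through the existing inode so ownership and permissions stay as they were.
    cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Usage on the Droplet (paths and command as given on this page):
#   set_env_key /srv/authentik/.env AUTHENTIK_ERROR_REPORTING__ENABLED false \
#       && ak appliance start
```

Running the helper a second time leaves the file unchanged apart from refreshing the `.bak` copy, so it is safe to include in provisioning scripts.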