authentik
Self-hosted identity provider with flexible workflows, comprehensive APIs, and enterprise-grade security. Over 1 million installations trusted worldwide.
Take control of your identity infrastructure with a secure, self-hosted authentication platform that puts you in charge of your most sensitive data. With over 1 million installations worldwide, authentik delivers enterprise-grade identity management without vendor lock-in.
Key advantages:
- Self-hosted security - No reliance on third-party services for critical infrastructure
- Complete flexibility - Use pre-built workflows or customize every authentication step through configurable templates
- Open source transparency - Continuously reviewed code with security prioritized from design to deployment
- Unified pricing - No feature guessing or extra costs for core functionality
Comprehensive protocol support including OAuth2/OIDC, SAML2, SCIM, LDAP, and RADIUS. Deploy anywhere with Kubernetes, Terraform, and Docker Compose support.
Enterprise features include multi-factor authentication, conditional access, application proxy, WebAuthn passkeys, and GeoIP protection. Perfect for both B2B and B2C use cases with APIs and fully customizable policies for workflow automation.
Manage users page shows a Session tab where active sessions can be listed and revoked
Client credentials flow is available for machine‑to‑machine authentication using service‑accounts
Brands let you customize the login page’s title, logo, favicon, background image, custom CSS and default flows
Each brand can apply to a specific domain or wildcard domain, enabling different login pages per domain
Event notifications can be delivered to generic HTTP webhooks or Slack/Discord using transport rules
authentik integrates with enterprise services like Google Workspace and Microsoft Entra ID
GeoIP policy includes an impossible travel check that blocks logins from far‑apart locations within a short time window
Password policy checks hashed passwords against the Have I Been Pwned database and uses zxcvbn to enforce password complexity
Conditional access policies and expression policies allow MFA to be required only when certain conditions (location, risk, device) are met
Admin console includes dashboards showing system status, recent logins, authentication events and application usage
User can be imported via API
Enterprise multi‑tenancy enables creation of multiple tenants with separate PostgreSQL schemas. Each tenant can be associated with a domain
Role‑based access control allows administrators to create roles as collections of permissions and assign them to groups to manage access
Administrators can impersonate user profiles and reset passwords through the admin interface
Health endpoints and Prometheus metrics allow monitoring of server, worker and outpost health and can be used with Grafana dashboards
