authentik
authentik is an open-source identity provider that organisations host themselves. It bundles the login of every application into one central single sign-on (SSO) and speaks OIDC, SAML, LDAP, RADIUS, SCIM and forward-auth to do so.
The moment an organisation runs more than a handful of applications, the identity question arises: one account per service, or one central place that settles login, multi-factor and permissions once. The established answer is the identity provider, and the best-known commercial example is Okta. authentik answers the same question differently, namely open-source and on the organisation's own infrastructure. This page describes what authentik does, how it is built technically, and where the line runs between the open core and the paid Enterprise edition.
Self-hosted identity layer
An identity provider (IdP) is the central place where users sign in once and then reach connected applications without signing in again. authentik fills that role fully self-hosted. It manages users and groups, enforces multi-factor authentication (MFA), and brokers between applications and external identity sources. The core is licensed under MIT and runs from a small home lab to a production cluster. Anyone who wants to replace an existing cloud IdP, such as Okta, Auth0 or Entra ID, finds in authentik the protocol-equivalent, self-operated counterpart.
The protocols
authentik supports the common authentication protocols and thereby covers almost any application. Which protocol fits depends on the service being connected:
- OAuth2 and OIDC. The modern standard for web and API applications. OpenID Connect (OIDC) adds an identity layer on top of OAuth2 and is the preferred path when an application understands it directly.
- SAML 2.0. The established protocol for enterprise software that does not speak OIDC.
- LDAP. authentik can act as an LDAP directory itself and so connect legacy systems that know only that path.
- RADIUS. For network and VPN access.
- SCIM. For automatically provisioning and deprovisioning accounts in connected services.
- Forward-auth (proxy). For applications without their own SSO capability. authentik sits as an outpost in front of the application and checks the login at the edge before the request is passed through.
Forward-auth is the lever that lets even weak or entirely non-SSO applications be secured behind a single login. That logic, checking every access individually instead of trusting a network wholesale, is the core of a Zero Trust model.
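As an added illustration (not from the page or the authentik project), this nginx server block shows how the forward-auth pattern looks in practice: every request to the application is first sent, without its body, to the authentik proxy outpost via `auth_request`; a 401 is turned into a redirect to the outpost's login start page, and on success the identity headers returned by the outpost are forwarded to the application. The `/outpost.goauthentik.io/...` paths and `X-authentik-*` headers follow authentik's documented nginx integration and should be checked against the docs for the deployed version; `app.internal:8080` and `outpost.internal:9000` are placeholder upstreams.

```nginx
server {
    listen 443 ssl;
    server_name app.example.com;   # placeholder hostname

    location / {
        # Ask the outpost whether this request carries a valid session.
        auth_request     /outpost.goauthentik.io/auth/nginx;
        # Unauthenticated: send the user to the login flow instead of the app.
        error_page       401 = @goauthentik_proxy_signin;

        # Preserve any Set-Cookie the outpost issues during the check.
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header       Set-Cookie $auth_cookie;

        # Copy identity headers from the auth sub-request.
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        auth_request_set $authentik_groups   $upstream_http_x_authentik_groups;
        auth_request_set $authentik_email    $upstream_http_x_authentik_email;
        auth_request_set $authentik_uid      $upstream_http_x_authentik_uid;

        # The application only ever sees identity the outpost vouched for;
        # client-supplied values of these headers are overwritten here.
        proxy_set_header X-authentik-username $authentik_username;
        proxy_set_header X-authentik-groups   $authentik_groups;
        proxy_set_header X-authentik-email    $authentik_email;
        proxy_set_header X-authentik-uid      $authentik_uid;

        proxy_pass http://app.internal:8080;   # placeholder upstream
    }

    # All outpost traffic (auth check, login start, callback) goes to the outpost.
    location /outpost.goauthentik.io {
        proxy_pass              http://outpost.internal:9000/outpost.goauthentik.io;
        proxy_set_header        Host $host;
        proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
        add_header              Set-Cookie $auth_cookie;
        auth_request_set        $auth_cookie $upstream_http_set_cookie;
        proxy_pass_request_body off;       # the check needs headers only
        proxy_set_header        Content-Length "";
    }

    location @goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    }
}
```

The point to verify after deployment is that the application is reachable only through this proxy; if it also listens on a directly reachable port, the per-request check is bypassed.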
The technical build
authentik typically runs via Docker Compose or on Kubernetes. The architecture consists of a few clearly separated parts:
architecture-beta
group user(cloud)["Access"]
group authentik(server)["authentik"]
group apps(server)["Applications"]
service browser(cloud)["Browser or client"] in user
service core(server)["Core and flows"] in authentik
service worker(server)["Worker"] in authentik
service db(database)["PostgreSQL"] in authentik
service outpost(server)["Outposts"] in authentik
service app(server)["App without SSO"] in apps
service source(server)["OIDC SAML directory"] in apps
browser:R -- L:core
core:R -- L:db
core:B -- T:worker
core:R -- L:outpost
outpost:R -- L:app
source:L -- R:core
The server contains the core, which handles logins, flows and SSO, and includes an embedded outpost. The worker runs background tasks such as sending notifications. PostgreSQL holds configuration and data; a cache service speeds up operation. Outposts are separately deployed components that provide proxy, LDAP and RADIUS connections as well as web-based remote access (RAC) without putting load on the core. Flows model the login sequence as a configurable chain of steps, from the password check through MFA to consent. The multi-factor options range from TOTP through WebAuthn and passkeys to hardware keys.
Open core and Enterprise edition
authentik follows an open-core model, and the line is worth drawing precisely, because it is easily overstated. The open core is MIT-licensed, fully free, and usable with no user limit. It contains all the protocols named above, plus Kerberos (OIDC, SAML, LDAP, RADIUS, SCIM, Kerberos and proxy), multi-factor authentication, and the web-based RDP and SSH access. What it does not contain is vendor support.
The Enterprise edition adds to the open core for a licence fee, by the vendor's own figure from five US dollars per internal user per month. It mainly adds operations- and compliance-oriented features: directory synchronisation with Google Workspace and Microsoft Entra ID, enhanced audit logging, client-certificate authentication (mTLS), embedding external OAuth and SAML sources, exportable reports, and ticket-based support for subscriptions above roughly USD 1000 per month. The honest reading: SSO, MFA and forward-auth, the core of any identity solution, belong to the open part. The Enterprise edition addresses integration depth, evidence obligations and support, not the base function.
Identities stay under the organisation's own control
The real difference from a cloud IdP like Okta lies not in the feature set but in where identities sit and who controls them. With a hosted provider, login data, group structures and access patterns leave the organisation's own premises. authentik inverts that: the identity store stays on the organisation's own infrastructure, ideally in a Swiss data centre, and is therefore governed by the organisation's own access controls rather than by a foreign provider's contract terms. That is precisely the contribution a self-hosted IdP makes to digital sovereignty: the most central of all data classes, identity, never leaves the organisation's control. How such an IdP fits into an overall architecture is set out under Security Strategy; the legal evidence side is covered under Compliance.
Assessment
- Use. Central login for staff portals, internal tools, customer areas and API protection; securing SSO-less applications via forward-auth.
- Strength. Full control over the identity store, broad protocol coverage, and a capable, free core under MIT license.
- Effort. Like any self-hosted IdP, authentik demands solid knowledge of authentication protocols and careful operation; flow configuration is powerful but not trivial.
- Kinship. Keycloak solves the same task and is the obvious open-source alternative; the choice between the two depends on protocol needs, the operating model and existing know-how.
Related topics
- Keycloak, the obvious open-source alternative for the same task.
- Zero Trust, the model behind checking access at the edge.
- Digital Sovereignty, why the location of identity matters.
- Security Strategy, the fit into an overall architecture.
- Compliance, the legal evidence side.