Authentik is an open-source identity provider offering modern, flexible, and secure authentication and authorization. Perfect for self-hosted deployments or integrating with existing infrastructure.
- Single Sign-On (SSO) — Centralized authentication for all your applications
- Multiple Protocols — OAuth2, OIDC, SAML, LDAP, and SCIM support
- Multi-Factor Authentication — TOTP, WebAuthn, and more
- User Management — Intuitive interface for users, groups, and permissions
- Customizable Flows — Build custom authentication workflows
- Self-Hosted — Full control over your identity infrastructure

Requirements:
- Docker and Docker Compose
- External Docker network
- Reverse proxy (Caddy, Nginx, Traefik)

```bash
echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env
```

Edit `.env` and update:
- `PG_USER` — PostgreSQL username
- `AUTHENTIK_EMAIL__*` — SMTP settings for email notifications
- `COMPOSE_PORT_HTTP` / `COMPOSE_PORT_HTTPS` — Port mappings

Edit `docker-compose.yml`:
- Replace `your-network` with your Docker network name

```bash
docker compose up -d
```

- Access Authentik at `https://your-domain/if/flow/initial-setup/`
- Create your admin account
- Configure applications and providers

| Variable | Description | Default |
|---|---|---|
| `PG_USER` | PostgreSQL username | authentik |
| `PG_PASS` | PostgreSQL password | (required) |
| `AUTHENTIK_SECRET_KEY` | Secret key for encryption | (required) |
| `AUTHENTIK_EMAIL__HOST` | SMTP server | - |
| `AUTHENTIK_EMAIL__PORT` | SMTP port | 587 |
| `AUTHENTIK_EMAIL__FROM` | Sender email address | - |
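
A check for the `.env` file built by the steps above, as an added example that is not part of the original README or the Authentik project. The `check_env` function, the `check_env.sh` file name and the 40-character `MIN_LEN` threshold are assumptions of this example.

```bash
#!/bin/sh
# Added example (not from the Authentik project): sanity-check a .env file
# produced by the `echo ... >> .env` commands above.
# MIN_LEN is this example's own threshold, not an Authentik requirement.
MIN_LEN=40

check_env() {
    env_file=$1
    rc=0
    if [ ! -f "$env_file" ]; then
        echo "FAIL: $env_file not found" >&2
        return 1
    fi

    # The file holds the database password and the secret key, so it
    # should be readable by its owner only (mode 600 or stricter).
    perms=$(ls -ld "$env_file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $env_file is accessible to group/others; chmod 600 it" >&2
        rc=1
    fi

    for key in PG_PASS AUTHENTIK_SECRET_KEY; do
        # grep -c exits non-zero when the count is 0, hence `|| true`.
        count=$(grep -c "^${key}=" "$env_file" || true)
        if [ "$count" -eq 0 ]; then
            echo "FAIL: $key is not set" >&2
            rc=1
        elif [ "$count" -gt 1 ]; then
            # `>>` appends, so running the generation step twice leaves
            # two different values for the same key in the file.
            echo "FAIL: $key is defined $count times" >&2
            rc=1
        else
            value=$(grep "^${key}=" "$env_file" | cut -d= -f2-)
            if [ "${#value}" -lt "$MIN_LEN" ]; then
                echo "FAIL: $key is shorter than $MIN_LEN characters" >&2
                rc=1
            fi
        fi
    done
    return "$rc"
}

# Usage: sh check_env.sh .env
if [ "$#" -gt 0 ]; then
    check_env "$1"
fi
```

Run it before `docker compose up -d`; a non-zero exit status means at least one check failed.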

```
auth.example.com {
    reverse_proxy http://localhost:9000
}
```

| Port | Service | Description |
|---|---|---|
| 9000 | HTTP | Web interface |
| 9443 | HTTPS | Web interface (TLS) |
Authentik is released under the MIT License.