Skip to main content

Authentik vs Keycloak: Choosing a Self-Hosted Identity Provider (2026)

· 6 min read
Yassine El Haddad
Software Developer & Automation Specialist

I build production AI agents, web scrapers, and automation pipelines. Most of what I publish here comes from the actual problems they run into: proxies that get banned, anti-bot stacks that fingerprint your client, RAG that drifts when the underlying data moves. Stack: Python, TypeScript, Go, FastAPI, LangChain, Crawlee, Playwright, deployed on AWS, GCP, and Cloudflare.

Both Authentik and Keycloak provide enterprise-grade single sign-on, OIDC, SAML, and MFA for self-hosted application stacks. Both are serious identity providers — not lightweight utilities. The difference is philosophy: Authentik is built for modern DevOps teams who want something that works out of the box; Keycloak is the battle-tested choice for enterprise environments that need maximum protocol coverage and production history going back a decade.

TL;DR comparison

DimensionAuthentikKeycloak
LicenseMIT (core) + Enterprise editionApache-2.0
Backed byAuthentik Security (commercial)Red Hat / IBM
Language / runtimePython + GoJava (Quarkus)
Idle RAM~600 MB~1.5 GB
Setup complexityModerate (clean Docker Compose)High (realm/client model, steep learning curve)
OIDCYesYes
SAML 2.0YesYes
LDAPYes (provider and source)Yes (user federation)
PasskeysYes (native)Yes (Keycloak 22+, via WebAuthn)
Social loginYes (30+ providers)Yes (via social identity providers)
UI styleModern, cleanFunctional, dense
Production deploymentsGrowing fastMassive (decades of enterprise use)
Minimum Liquid Web VPS2 GB4 GB
WinnerRAM, ease of setup, modern UIBattle-tested history, enterprise support, community size

Setup complexity

Authentik ships a Docker Compose file with four services: a PostgreSQL database, Redis, the Authentik server, and a background worker. Initial setup — creating an admin account, configuring your first application provider (OIDC or SAML), and connecting Coolify or Outline — takes about 30–45 minutes for a developer who has not used Authentik before. The flow creation UI (for enrollment, password recovery, and MFA) uses a visual pipeline builder that is intuitive once you understand that flows are sequences of stages.

Keycloak uses a realm/client model that has more moving parts. A realm is an isolated namespace for users and applications; a client is an application registered within that realm. The admin UI exposes dozens of configuration panels per client: mapper configurations, protocol settings, client scopes, fine-grained permissions. For a developer configuring Keycloak for the first time, plan 2–4 hours to get a basic OIDC integration working correctly. The model is powerful — it is also genuinely complex.

Winner: Authentik. Faster to first working SSO integration. Keycloak's complexity is justified for organizations with complex protocol requirements; it is overhead for teams that need basic SSO.

RAM footprint

Measured idle on fresh Docker Compose deployments with no active sessions:

ToolIdle RAM
Authentik (server + worker + PostgreSQL + Redis)~600 MB
Keycloak (single node + PostgreSQL)~1.5 GB

Keycloak's Java runtime (Quarkus) accounts for most of the footprint. JVM startup is also slower than Authentik's Python/Go stack — Keycloak takes 60–90 seconds to reach healthy status after docker compose up.

Winner: Authentik. 2.5× lighter at idle. On a 2 GB VPS, Authentik leaves room for other services; Keycloak on a 2 GB VPS will be memory-constrained.

Protocol and feature coverage

Both tools cover the protocols that matter for most self-hosted stacks:

ProtocolAuthentikKeycloak
OIDC / OAuth 2.0YesYes
SAML 2.0YesYes
LDAP (source)YesYes (user federation)
LDAP (provider)YesYes
SCIMYes (v2023.6+)Yes (Keycloak 24+)
WebAuthn / PasskeysYes (native, first-class)Yes (Keycloak 22+)
Social loginYes (30+ built-in)Yes (requires IdP configuration)
RADIUSYes (enterprise only)Via third-party extension

Keycloak's advantage is protocol depth in edge cases: fine-grained authorization services, token exchange, client-initiated backchannel authentication (CIBA), and the ability to implement highly custom claim mappers via Java SPI extensions. These are enterprise requirements that most self-hosters never encounter.

Authentik's advantage is developer ergonomics: passkeys work without configuration gymnastics, social login providers require minimal setup, and the outpost system (for forward auth with Nginx, Traefik, or Caddy) is straightforward.

Backing and long-term risk

Authentik is developed by Authentik Security, a commercial company that offers an enterprise edition with additional features (RADIUS, premium support, SCIM provisioning). The MIT-licensed core covers the needs of most self-hosters. The company's commercial model provides funding stability without requiring users to purchase a license.

Keycloak is backed by Red Hat (IBM). It has been in production in enterprise environments for over a decade, powers identity for major financial institutions and governments, and has a large global community of contributors. Red Hat's commercial JBoss SSO is built on Keycloak. The production history and enterprise pedigree are Keycloak's strongest arguments.

Risk assessment: Authentik is newer and has less production history. Keycloak's risk is complexity and Java's operational weight — not project longevity.

Which should you choose?

Choose Authentik if:

  • You are configuring SSO for the first time and want a faster path to working integrations
  • RAM is a constraint (2 GB VPS, shared infrastructure)
  • You want native passkey support without additional configuration
  • Your stack is modern (Coolify, Outline, Gitea, Plane, Nextcloud) and you want a clean integration story
  • A modern UI and active community are priorities

Choose Keycloak if:

  • Your organization requires battle-tested identity infrastructure with enterprise support options
  • You need advanced protocol features (CIBA, fine-grained authorization, custom Java SPI extensions)
  • Existing enterprise tooling expects Keycloak (Red Hat ecosystem, specific SAML configurations)
  • Long production history in regulated industries matters to your security team
  • You have the operational capacity to manage a Java/JVM service

Authentik has a setup guide on this site:

Frequently Asked Questions

There is no automated migration tool. Both platforms support LDAP as a user source, so if your users are in an LDAP/Active Directory, both can connect to the same directory. For local users, migration requires a manual export from Keycloak (user data via REST API) and import into Authentik via its API. Application registrations (OIDC clients, SAML providers) must be recreated. Plan for a careful cutover, application by application, with parallel operation during transition.

Yes. The core Authentik installation is MIT-licensed — you can use it in commercial environments without purchasing a license. The Enterprise edition (paid) adds RADIUS support, dedicated support SLAs, and a few compliance features. For most self-hosted stacks — SSO, MFA, OIDC/SAML for internal tools — the MIT core covers everything you need at no cost.

Both Authentik and Keycloak work with any OIDC-compatible application, which includes Coolify, Outline, Plane, and most modern self-hosted tools. In practice, Authentik is more commonly documented in community guides for these specific apps — the forward auth flow (used by Traefik and Caddy integrations) is more straightforward in Authentik's outpost model. Keycloak works equally well but requires more client configuration steps.