team@tinypod.app

Self-Hosting Authentik: Identity Provider for All Your Apps

Authentik is a self-hosted identity provider. Single sign-on, two-factor auth, and user management for all your self-hosted applications.

Tags: authentik, auth, sso, identity

The Problem


Every self-hosted app has its own login: Nextcloud account, Gitea account, Grafana account, Mattermost account. Different passwords, different 2FA setups, no central user management.


What Authentik Solves


Authentik is an Identity Provider (IdP) — one login for everything.


Single Sign-On (SSO)

Log in once, access all your apps. Click "Login with Authentik" on any app, and you're in.


Supported Protocols

  • OAuth2/OIDC: Most modern apps (Nextcloud, Grafana, Gitea)
  • SAML: Enterprise apps
  • LDAP: Legacy apps
  • Proxy authentication: Apps without built-in SSO

Two-Factor Authentication

  • TOTP (authenticator app)
  • WebAuthn (hardware keys like YubiKey)
  • SMS (via Twilio)
  • Email verification

User Management

  • Central user directory
  • Groups and permissions
  • User self-service (password reset, profile management)
  • Invitation links for new users

Authentik vs Alternatives


Authentik vs Keycloak

  • Authentik: Modern UI, easier to configure, Python-based
  • Keycloak: More enterprise features, Java-based, heavier resources
  • For self-hosting: Authentik is the better choice

Authentik vs Authelia

  • Authelia: Lighter, focused on proxy authentication
  • Authentik: Full IdP with more protocols and features
  • Authelia for basic proxy auth, Authentik for comprehensive identity management

Setup


1. Deploy Authentik on TinyPod
2. Configure your domain and branding
3. Add applications (Nextcloud, Gitea, Grafana, etc.)
4. Create users or enable self-registration
5. Configure 2FA policies

Resources: 2 CPU, 2 GB RAM.


Connecting Apps


Most self-hosted apps support OAuth2/OIDC:

1. Create an OAuth2 provider in Authentik
2. Get the client ID and secret
3. Enter them in the app's SSO configuration
4. Done — users can now log in with Authentik
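
Before entering the client ID, secret and endpoints into an app (step 3), it is worth checking the provider's OIDC discovery metadata. The check below is an added example, not code from Authentik or TinyPod; the hostname, the `grafana` application slug and the sample document are constructed, and the same-host rule is an assumption suited to a single self-hosted IdP.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of an OIDC discovery document (the JSON an IdP serves
# at <issuer>/.well-known/openid-configuration). Host and slug are placeholders.
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://auth.example.com/application/o/grafana/",
  "authorization_endpoint": "https://auth.example.com/application/o/authorize/",
  "token_endpoint": "https://auth.example.com/application/o/token/",
  "userinfo_endpoint": "https://auth.example.com/application/o/userinfo/",
  "jwks_uri": "https://auth.example.com/application/o/grafana/jwks/",
  "response_types_supported": ["code", "id_token"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "code_challenge_methods_supported": ["plain", "S256"]
}
""")

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri")

def check_discovery(doc, expected_issuer):
    """Return a list of problems; an empty list means the metadata is sane."""
    problems = []
    issuer = doc.get("issuer", "")
    # The issuer must match exactly (trailing slash included) what the app
    # is configured with, or ID token validation fails or trusts the wrong IdP.
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r}")
    # Assumption: a single self-hosted IdP serves every endpoint from one host.
    issuer_host = urlsplit(expected_issuer).hostname
    for key in ENDPOINT_KEYS:
        url = urlsplit(doc.get(key, ""))
        if url.scheme != "https":
            problems.append(f"{key} is not https")
        elif url.hostname != issuer_host:
            problems.append(f"{key} points at another host: {url.hostname}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not offered")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("unsigned ID tokens (alg none) are accepted")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not supported")
    return problems

if __name__ == "__main__":
    for line in check_discovery(SAMPLE_DISCOVERY, SAMPLE_DISCOVERY["issuer"]) or ["ok"]:
        print(line)
```

In practice, load the JSON from the provider's `.well-known/openid-configuration` URL and pass the issuer string configured in the app as `expected_issuer`.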


For apps without SSO support, Authentik's proxy outpost adds authentication to any web application.


The Result


One password, one 2FA, one login page. Add or remove users in one place. Enforce security policies globally.