Tired of managing separate logins for every self-hosted service? Authentik gives you enterprise-grade Single Sign-On (SSO) for your home lab—one login for everything.
This guide shows you how to set up Authentik with Docker Compose and connect your services in minutes.
What is Authentik?
Authentik is an open-source identity provider (IdP) that centralizes authentication for all your self-hosted services. It supports OAuth2, SAML, LDAP, and has a built-in proxy for apps without SSO support.
Key features:
- One login for all services
- Two-factor authentication (2FA/MFA)
- User and group management
- Fine-grained access policies
- Beautiful modern UI
- Self-hosted and privacy-focused
Quick Start with Docker Compose
Create docker-compose.yml:
version: '3.8'
services:
  postgresql:
    image: postgres:16-alpine
    restart: unless-stopped
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS}
      POSTGRES_USER: authentik
      POSTGRES_DB: authentik
  redis:
    image: redis:alpine
    restart: unless-stopped
    volumes:
      - redis:/data
  authentik-server:
    image: ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    volumes:
      - ./media:/media
    ports:
      - "9000:9000"
    depends_on:
      - postgresql
      - redis
  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    volumes:
      - ./media:/media
    depends_on:
      - postgresql
      - redis
volumes:
  database:
  redis:
Generate secrets:
echo "PG_PASS=$(openssl rand -base64 32)" > .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env
Start Authentik:
docker-compose up -d
Access initial setup: http://your-server:9000/if/flow/initial-setup/
Connecting Your First App (Nextcloud Example)
In Authentik:
- Go to Applications → Create
- Name: Nextcloud, Slug: nextcloud
- Create OAuth2/OpenID Provider
- Set redirect URI: https://nextcloud.yourdomain.com/*
- Note the Client ID and Client Secret
In Nextcloud:
- Install “OpenID Connect user backend” app
- Configure with Authentik provider URL, client ID, and secret
- Users can now log in via Authentik
Common Integrations
Grafana: Native OAuth2 support
Proxmox: OIDC realm configuration
Gitea/Forgejo: OAuth2 authentication source
Portainer: OAuth provider setup
For apps without SSO support, use the Authentik Proxy Provider.
Security Best Practices
- Enable 2FA for all users (TOTP/WebAuthn)
- Use HTTPS with a reverse proxy (Traefik/Nginx)
- Regular backups of the PostgreSQL database
- Update regularly: docker-compose pull && docker-compose up -d
- Strong passwords for admin accounts
User Management
Create users in Directory → Users. Organize with Groups and control access with Policy Bindings (e.g., restrict apps to specific groups).
Troubleshooting
OAuth errors? Verify redirect URIs match exactly.
Login loops? Check reverse proxy headers and SSL configuration.
Check logs: docker-compose logs authentik-server
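For the HTTPS recommendation and the reverse proxy header check above, here is a minimal Nginx configuration that terminates TLS in front of the authentik-server container. It is an added example, not part of the original guide or the Authentik project; the hostname auth.yourdomain.com, the certificate paths, and Nginx running on the Docker host are assumptions.

```nginx
# Added example: TLS termination in front of authentik-server (port 9000 from the compose file).
# Assumed values: auth.yourdomain.com, the certificate paths, and Nginx running on
# the Docker host so that 127.0.0.1:9000 reaches the published container port.

# Send "Connection: upgrade" only when the client actually requested a WebSocket.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Redirect plain HTTP to HTTPS so credentials are never submitted in clear text.
server {
    listen 80;
    server_name auth.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name auth.yourdomain.com;

    ssl_certificate     /etc/nginx/certs/auth.yourdomain.com.fullchain.pem;  # assumed path
    ssl_certificate_key /etc/nginx/certs/auth.yourdomain.com.key.pem;        # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_http_version 1.1;  # WebSockets need HTTP/1.1 to the upstream

        # Authentik relies on these to know the public hostname, whether the
        # client connection was HTTPS, and the real client IP. Missing or wrong
        # values here are the first thing to check for login loops.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # WebSocket upgrade headers
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

With the proxy on the same host, changing the compose port mapping from "9000:9000" to "127.0.0.1:9000:9000" keeps the unencrypted port off the network so all logins go through the TLS listener.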
Why Authentik Over Alternatives?
vs Authelia: More features, better UI, supports SAML
vs Keycloak: Lighter, easier to configure, modern stack
vs Cloud providers: Self-hosted, privacy-focused, no vendor lock-in
Conclusion
With Authentik, you get enterprise SSO for your home lab. One password, centralized 2FA, and granular access control—all under your control.
Set it up once, secure everything forever.
Running Authentik? Share your setup in the comments!