Running Authentik vs Authelia: SSO Comparison for Self-Hosters (2026)
You’re tired of logging into every self-hosted service separately. You want single sign-on. You’ve narrowed it down to two options: Authentik and Authelia. Both are open-source, both work with Docker, both solve the “too many logins” problem — but they take fundamentally different approaches.
Authentik is a full identity provider. Authelia is a lightweight authentication portal. Choosing between them depends on what you actually need.
Quick Comparison
| Feature | Authentik | Authelia |
|---|---|---|
| Architecture | Full IdP (identity provider) | Auth portal + reverse proxy middleware |
| Protocols | OAuth2/OIDC, SAML, LDAP, Proxy | Forward auth / Proxy auth |
| Resource Usage | ~1–2 GB RAM | ~50–100 MB RAM |
| Dependencies | PostgreSQL + Redis | Redis (optional) + YAML config |
| Admin UI | Full web admin panel | YAML configuration only |
| User Self-Service | Yes (password reset, profile, enrollment) | Limited (password reset) |
| MFA Support | TOTP, WebAuthn, Duo, SMS | TOTP, WebAuthn, Duo |
| Flow Builder | Visual drag-and-drop flows | Predefined policies |
| Social Login | Google, GitHub, Discord, etc. | Not built-in |
| LDAP Provider | Built-in LDAP outpost | No (consumes LDAP, doesn’t provide it) |
| Learning Curve | Moderate–steep | Low–moderate |
| Best For | Full identity management | Lightweight access gating |
What Authentik Does
Authentik is a complete identity provider — think of it as a self-hosted alternative to Okta or Auth0. It doesn’t just gate access to your services; it manages the entire identity lifecycle.
Key Capabilities
- OAuth2/OIDC provider: Services that support “Sign in with…” can connect directly to Authentik — Nextcloud, Gitea, Grafana, Portainer, Outline, and dozens more
- SAML provider: Enterprise apps that need SAML (yes, some self-hosted apps use it) work out of the box
- LDAP outpost: Authentik can act as an LDAP server, so apps that only support LDAP auth (like older services) can authenticate against it
- Proxy outpost: For apps that don’t support any SSO protocol, Authentik’s proxy outpost sits in front and handles auth — similar to what Authelia does for everything
- Flow builder: Visual editor for login, enrollment, recovery, and authorization flows — you can build custom login experiences without code
- Social login: Let users sign in with Google, GitHub, Discord, or any OIDC provider
- User management: Admin panel for creating users, groups, roles, and managing access
- Self-service: Users can reset passwords, manage MFA, update profiles without admin intervention
Docker Compose Setup
services:
authentik-server:
image: ghcr.io/goauthentik/server:latest
container_name: authentik-server
command: server
environment:
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
AUTHENTIK_REDIS__HOST: authentik-redis
AUTHENTIK_POSTGRESQL__HOST: authentik-db
AUTHENTIK_POSTGRESQL__USER: authentik
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
ports:
- "9000:9000"
- "9443:9443"
depends_on:
- authentik-db
- authentik-redis
restart: unless-stopped
authentik-worker:
image: ghcr.io/goauthentik/server:latest
container_name: authentik-worker
command: worker
environment:
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
AUTHENTIK_REDIS__HOST: authentik-redis
AUTHENTIK_POSTGRESQL__HOST: authentik-db
AUTHENTIK_POSTGRESQL__USER: authentik
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
depends_on:
- authentik-db
- authentik-redis
restart: unless-stopped
authentik-db:
image: postgres:16-alpine
container_name: authentik-db
environment:
POSTGRES_DB: authentik
POSTGRES_USER: authentik
POSTGRES_PASSWORD: ${PG_PASS}
volumes:
- authentik_db:/var/lib/postgresql/data
restart: unless-stopped
authentik-redis:
image: redis:7-alpine
container_name: authentik-redis
restart: unless-stopped
volumes:
authentik_db:
That’s four containers minimum — server, worker, PostgreSQL, and Redis.
What Authelia Does
Authelia is an authentication portal that works as middleware between your reverse proxy and your services. It’s not a full identity provider — it’s a gatekeeper that checks “are you allowed in?” before forwarding requests.
Key Capabilities
- Forward auth: Works with Nginx, Traefik, Caddy, HAProxy, and Envoy as an authentication middleware
- Access control rules: Define who can access what with regex-based URL rules, IP-based policies, and group requirements
- MFA: TOTP and WebAuthn support with per-resource policy (one-factor for internal, two-factor for external)
- Lightweight: Single Go binary, single container, minimal dependencies
- YAML config: Everything defined in configuration files — no web UI for admin tasks
- Session management: Single sign-on across all proxied services via shared session cookies
- Notification: Email or file-based notification for password resets
Docker Compose Setup
services:
authelia:
image: authelia/authelia:latest
container_name: authelia
volumes:
- ./authelia/configuration.yml:/config/configuration.yml:ro
- ./authelia/users_database.yml:/config/users_database.yml
- authelia_data:/data
environment:
TZ: America/New_York
ports:
- "9091:9091"
restart: unless-stopped
volumes:
authelia_data:
One container. Authelia can use a local SQLite database and file-based user store — no PostgreSQL, no Redis required (though Redis is recommended for multi-instance setups).
Head-to-Head: The Details
Resource Usage
This is where the gap is most dramatic:
Authentik runs four containers and idles at 1–2 GB RAM. PostgreSQL alone takes 200–400 MB. The server and worker processes are Python-based and relatively heavy. On a Raspberry Pi 4, you’ll feel it.
Authelia runs one container and idles at 50–100 MB RAM. It’s a compiled Go binary — fast startup, minimal footprint. Runs comfortably on a Pi Zero.
Winner: Authelia, by a wide margin. If you’re resource-constrained, this matters.
Setup Complexity
Authentik has a web-based setup wizard, a full admin panel, and visual flow editors. But the initial configuration has more moving parts — multiple containers, environment variables, and concepts like outposts, providers, and applications to understand. Documentation is thorough but dense.
Authelia is configured entirely through YAML. No admin UI. You edit configuration.yml, define access rules, and configure your reverse proxy to use forward auth. The concepts are simpler — rules, users, sessions, policies — but you need to be comfortable with YAML and reverse proxy configuration.
Winner: Depends on your style. Click-and-configure people prefer Authentik. YAML-and-vim people prefer Authelia.
Protocol Support
Authentik speaks OAuth2/OIDC, SAML, LDAP, and proxy auth. This means services that support “Login with OIDC” can integrate directly — no proxy middleware needed. Grafana, Nextcloud, Gitea, Portainer, Outline, and many others have native OIDC support.
Authelia primarily uses forward auth / proxy authentication. Your reverse proxy checks with Authelia before allowing access. Recently, Authelia added an OpenID Connect provider (still maturing), but its core strength remains proxy-based auth.
Winner: Authentik, especially if your services support OIDC natively.
User Management
Authentik has full user lifecycle management — invite flows, self-enrollment, self-service password reset, profile management, group-based access control, and admin delegation. You can manage hundreds of users through the web UI.
Authelia uses a YAML file or LDAP backend for users. Adding a user means editing users_database.yml and hashing a password. There’s no self-enrollment. Password resets go through email or file-based notifications.
Winner: Authentik, no contest. If you have more than a handful of users, Authentik is the clear choice.
Access Control
Authentik controls access through application-level permissions, group memberships, and policy bindings. Each application has its own authorization configuration.
Authelia uses URL-based access rules in YAML:
access_control:
default_policy: deny
rules:
- domain: public.example.com
policy: bypass
- domain: "*.example.com"
policy: two_factor
- domain: internal.example.com
policy: one_factor
networks:
- 192.168.1.0/24
This is elegant for reverse proxy setups — you can gate entire domains or paths with regex patterns.
Winner: Tie. Different approaches for different architectures.
Reverse Proxy Integration
Authelia was built for this. Native integration with:
- Nginx:
auth_requestdirective - Traefik: ForwardAuth middleware
- Caddy:
forward_authdirective - HAProxy / Envoy: Supported via auth request
Authentik has a proxy outpost that does the same thing, but it’s an additional container to deploy. For services that support OIDC, you don’t need the proxy outpost at all.
Winner: Authelia for pure reverse proxy setups. Authentik if your services support OIDC natively.
When to Choose Authentik
Pick Authentik if:
- You run services that support OIDC/OAuth2 — direct integration is cleaner than proxy auth
- You need user self-service — enrollment, password resets, profile management
- You manage multiple users — family members, team, small org
- You want social login — “Sign in with Google/GitHub”
- You need LDAP — some services (Nextcloud, older apps) work better with LDAP
- You want a visual admin interface — no YAML editing
- Resources aren’t a concern — you have 4+ GB RAM to spare
When to Choose Authelia
Pick Authelia if:
- You’re the only user (or maybe +1 family member)
- You use a reverse proxy for everything — Authelia slots in perfectly
- Resources are limited — Pi, small VPS, shared hosting
- You want simple, auditable config — everything in YAML, version-controlled
- Most of your services don’t support OIDC — proxy auth works with anything
- You prefer minimal moving parts — one container, one config file
- You want fast setup — Authelia is running in 15 minutes
Can You Use Both?
Yes, actually. Some people run Authentik as their identity provider and use Authelia as a lightweight forward-auth layer for services that don’t support OIDC. Authelia can authenticate against an LDAP backend — and Authentik provides one.
This is overkill for most home labs, but it’s an option if you want the best of both worlds.
Migration Path
Starting with Authelia and outgrowing it? Migration to Authentik is straightforward:
- Set up Authentik alongside Authelia
- Migrate services one at a time — switch OIDC-capable apps first
- Move proxy-auth services to Authentik’s proxy outpost
- Decommission Authelia when everything’s migrated
The reverse (Authentik → Authelia) is also possible but less common, since it means giving up features.
Our Recommendation
Start with Authelia if you’re a solo self-hoster running a handful of services behind a reverse proxy. It’s lightweight, fast to set up, and does the job.
Graduate to Authentik when you need proper identity management — multiple users, OIDC integrations, self-service, or social login. The resource cost is justified by the features.
For most home lab setups in 2026, Authelia gets you 80% of the value at 10% of the resource cost. That’s a compelling ratio. But if you’re building something that needs to scale or serve a team, Authentik is the more complete solution.
Further Reading
- How to Set Up Authelia for Single Sign-On — step-by-step Authelia setup
- Setting Up Authentik for Self-Hosted Authentication — complete Authentik guide
- Linux Server Hardening Checklist — secure your server before adding SSO
- Running Caddy Server: Zero-Config HTTPS — pair with Authelia for easy auth