Authentik vs. Authelia 2026: Which Self-Hosted Identity Provider Fits?
Authentik vs. Authelia head-to-head: protocol support, architecture, resource usage, enterprise features. Why Authelia falls short for businesses – and how authhost delivers Managed Authentik from €34.90/month.
Content notice: The information in this article was compiled to the best of our knowledge at the time of publication. Technical details, pricing, versions, licensing models and external content are subject to change. Please verify the information independently, especially before making business-critical or security-relevant decisions. This article does not constitute individual professional, legal or tax advice.
Authentik or Authelia? The question comes up in every self-hosting forum – and the answer is less nuanced than most comparisons suggest. Authelia is an excellent auth gateway for homelabs. But as soon as a business needs SAML for legacy apps, LDAP for network devices, SCIM for automated on-/offboarding, or centralized user management with flows and policies – Authelia reaches its limits. Authentik covers all of that, as an open-source solution with MIT license. And with authhost, you get Managed Authentik Hosting from €34.90/month – without the operations overhead.
Also worth reading: Keycloak Alternative for SMBs
Quick Comparison: Authentik vs. Authelia at a Glance
| Criterion | Authentik | Authelia |
|---|---|---|
| Type | Full identity provider | Auth gateway / reverse proxy companion |
| Language | Python/Django + TypeScript | Go + React |
| OIDC/OAuth2 | ✓ | ✓ (OpenID Certified) |
| SAML 2.0 | ✓ | ✗ (Roadmap, no timeline) |
| LDAP server | ✓ (Outpost) | ✗ (backend only) |
| SCIM provisioning | ✓ | ✗ |
| RADIUS | ✓ (Outpost) | ✗ |
| Application proxy | ✓ | ✗ |
| Flow engine | ✓ (visual builder) | ✗ |
| Admin UI | ✓ (full) | Minimal |
| Docker image | ~500 MB | ~20 MB |
| RAM (idle) | ~150–200 MB | ~30 MB |
| License | MIT | Apache 2.0 |
| Managed hosting | ✓ (authhost) | ✗ |
Table of Contents
- What Is Authelia?
- What Is Authentik?
- Architecture: Auth Gateway vs. Identity Provider
- Protocol Support: The Decisive Difference
- MFA and Conditional Access
- User Management and Automation
- Resource Usage: Lightweight vs. Full-Stack
- Reverse Proxy Integration vs. Application Proxy
- Security and Community
- Setup and Operations: YAML vs. Self-Service Portal
- Cost Comparison
- Decision Guide: When Authelia, When Authentik?
- Conclusion
- Sources
What Is Authelia?
Authelia is an open-source authentication server written in Go. It acts as a companion for reverse proxies – Nginx, Traefik, Caddy, HAProxy, Envoy – placing a login page with MFA in front of your applications.
What Authelia does well:
- Login portal with MFA (TOTP, WebAuthn, Passkeys, Duo Push)
- OpenID Connect 1.0 provider (OpenID Certified since 2024)
- Granular access policies per subdomain/path
- Brute-force protection and session management
- Extremely lightweight: <20 MB image, ~30 MB RAM
What Authelia cannot do by design:
- No SAML 2.0 provider (on roadmap, no published timeline)
- No LDAP server (can only use LDAP as backend, not provide it)
- No SCIM provisioning
- No RADIUS
- No application proxy for apps without native SSO support
- No visual flow engine or workflow automation
- No full user management dashboard
- No user impersonation
Authelia was built for a specific purpose: placing an authentication layer in front of a reverse proxy. It does this excellently – but it is not an identity provider in the true sense.
What Is Authentik?
Authentik is an open-source identity provider written in Python/Django with a TypeScript frontend. It is the self-hosted alternative to commercial solutions like Okta, Auth0, or Azure AD – with full protocol support and a visual flow engine.
What Authentik offers:
- SSO via OIDC, OAuth2, SAML 2.0, LDAP, SCIM, RADIUS, and Kerberos
- Full admin dashboard with user management
- Flow engine: authentication processes as configurable flows with stages, policies, and providers – visually modeled
- Application proxy: SSO for applications that don't speak OIDC or SAML
- LDAP outpost: full LDAP server for legacy applications
- RADIUS outpost: authentication for VPN, WiFi, and network devices
- SCIM provisioning: automatic on-/offboarding via HR systems or IdPs
- Remote Access Gateway: browser-based RDP, SSH, and VNC access
- Conditional access: GeoIP checks, impossible travel detection, device posture
- User impersonation for support and debugging
- MIT license: no usage restrictions, including commercial use
Authentik Enterprise ($5/user/month) adds features that most SMBs don't need: Google Workspace integration, WS-Federation, mTLS login, extended compliance reports. The open-source version covers the majority of business requirements.
Architecture: Auth Gateway vs. Identity Provider
Authelia: In Front of the Reverse Proxy
```
User ──► Reverse Proxy (Traefik/Nginx) ──► Authelia checks login ──► App
                                                   │
                                          MFA, Session, OIDC
```
Authelia guards the entrance. It sits as forward-auth middleware in front of the reverse proxy and decides: may the user pass or must they log in first? This works via auth_request (Nginx), forwardAuth (Traefik), or forward_auth (Caddy).
Advantage: Extremely lightweight, fast to set up, minimally invasive. Disadvantage: The application behind it knows nothing about the user – except via HTTP headers. For apps that need real SSO integration (tokens, claims, groups), this isn't enough.
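The forward-auth round trip described above, as an added model written for this comparison (not Authelia's or any proxy's own code): the proxy asks the gateway whether a request may pass, and the application only ever receives identity headers that the gateway set. It assumes Authelia's first-match rule evaluation and its Remote-User / Remote-Groups response headers; hosts, session cookies and rules are constructed.

```python
"""Forward-auth round trip as a small model: a reverse proxy asks the auth
gateway whether a request may pass, then forwards only gateway-set identity
headers to the app. Constructed example; hosts, cookies and rules are made up."""

# Constructed session store: session cookie -> who is logged in and how strongly.
SESSIONS = {
    "sess-alice": {"user": "alice", "groups": ["admins"], "factors": 2},
    "sess-bob": {"user": "bob", "groups": ["staff"], "factors": 1},
}

# Simplified access rules evaluated top-down, first match wins (Authelia's
# documented behaviour); anything unmatched falls back to DEFAULT_POLICY.
RULES = [
    {"domain": "grafana.example.internal", "policy": "two_factor"},
    {"domain": "wiki.example.internal", "policy": "one_factor"},
    {"domain": "status.example.internal", "policy": "bypass"},
]
DEFAULT_POLICY = "deny"
FACTORS_REQUIRED = {"bypass": 0, "one_factor": 1, "two_factor": 2}
PORTAL = "https://auth.example.internal"   # assumed login portal address


def verify(cookie, host):
    """Gateway side: returns (status, headers) for the proxy's sub-request."""
    policy = next((r["policy"] for r in RULES if r["domain"] == host), DEFAULT_POLICY)
    if policy == "deny":
        return 403, {}                     # denied regardless of login state
    if policy == "bypass":
        return 200, {}                     # passes without identity headers
    session = SESSIONS.get(cookie)
    if session is None or session["factors"] < FACTORS_REQUIRED[policy]:
        # Not logged in, or the required factor is missing: send to the portal.
        return 401, {"Location": f"{PORTAL}/?rd=https://{host}"}
    return 200, {
        "Remote-User": session["user"],
        "Remote-Groups": ",".join(session["groups"]),
    }


def proxy(request):
    """Proxy side: returns (status, headers the app or client receives)."""
    # Drop identity headers the client supplied; only the gateway may set them.
    clean = {k: v for k, v in request["headers"].items()
             if not k.lower().startswith("remote-")}
    status, auth_headers = verify(request.get("cookie"), request["host"])
    if status != 200:
        return status, auth_headers        # redirect or 403 goes back to the client
    clean.update(auth_headers)
    return 200, clean                      # app sees Host plus gateway-set identity


if __name__ == "__main__":
    spoof = {"host": "wiki.example.internal", "cookie": "sess-bob",
             "headers": {"Host": "wiki.example.internal", "Remote-User": "admin"}}
    print(proxy(spoof))                    # Remote-User is bob, not the spoofed admin
```

The spoofing case at the bottom is the caveat behind "the application knows nothing about the user except via HTTP headers": those headers are only trustworthy if the app is reachable solely through the proxy that sets them.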
Authentik: Central Identity Platform
```
User ──► Authentik (Login, MFA, Flow Engine) ──► Token/Session
                                                      │
                          ┌───────────────┬───────────┼───────────────┐
                          ▼               ▼           ▼               ▼
                       OIDC App        SAML App   LDAP Device     Proxy App
```
Authentik manages the identity. It is the central point where users are authenticated, authorized, and provisioned. Applications speak directly with Authentik via OIDC, SAML, LDAP, or the application proxy.
Advantage: Every application knows the user, their groups, their roles. Automation via flows and SCIM. Disadvantage: Larger footprint (~250–350 MB RAM including PostgreSQL; no Redis since release 2025.10).
Architecture Comparison
| Aspect | Authelia | Authentik |
|---|---|---|
| Role | Auth gateway in front of reverse proxy | Central identity platform |
| Integration | HTTP headers / forward-auth | OIDC, SAML, LDAP, RADIUS, proxy |
| App knowledge of user | Limited (headers) | Complete (tokens, claims, groups) |
| Scaling | Vertical (single gateway) | Horizontal (outposts, workers) |
| Setup effort | 5–10 minutes | 15–20 minutes |
| Operations effort | Low (YAML config) | Medium (admin UI, flows, policies) |
Protocol Support: The Decisive Difference
This is where the comparison becomes clear-cut. In a business, there are never only OIDC-capable applications. There's legacy software that only speaks LDAP. Network devices that need RADIUS. Enterprise SaaS vendors that insist on SAML. And internal tools that don't support any SSO protocol at all.
| Protocol | Authentik | Authelia | Relevance |
|---|---|---|---|
| OIDC / OAuth2 | ✓ | ✓ (OpenID Certified) | Standard for modern web apps |
| SAML 2.0 | ✓ (Provider) | ✗ (Roadmap) | Enterprise SaaS, legacy apps |
| LDAP | ✓ (Outpost as server) | ✗ (backend only) | Network devices, NAS, legacy |
| RADIUS | ✓ (Outpost) | ✗ | VPN, WiFi, switches |
| SCIM | ✓ | ✗ | Automatic on-/offboarding |
| Kerberos | ✓ | ✗ | Windows domains |
| Proxy mode | ✓ (Application Proxy) | ✓ (Forward-Auth) | Apps without native SSO support |
Authelia's SAML problem: SAML 2.0 has been on the Authelia roadmap for years (GitHub Issue #493) but is not implemented as of April 2026. There is no published timeline. The Authelia team consists of 3 developers working in their spare time. For businesses that need SAML for Microsoft 365, Salesforce, AWS SSO, or other enterprise services, this is a dealbreaker.
Authelia's LDAP problem: Authelia can use LDAP as an authentication backend (e.g., against an existing Active Directory). But it cannot provide an LDAP service. If you want to authenticate a NAS (Synology, QNAP), a firewall (OPNsense, pfSense), or network switches via LDAP, you need an LDAP server – and Authelia can't do that.
MFA and Conditional Access
MFA Methods
| Method | Authentik | Authelia |
|---|---|---|
| TOTP | ✓ | ✓ |
| WebAuthn / FIDO2 | ✓ | ✓ |
| Passkeys | ✓ | ✓ |
| SMS OTP | ✓ (optional) | ✗ |
| Duo Push | ✗ | ✓ |
| Email OTP | ✓ | ✗ |
Both support the essential MFA methods. Authelia has the advantage of Duo Push integration, while Authentik offers SMS and email as additional factors.
Conditional Access
This is where the tools clearly diverge:
Authelia offers rule-based access policies: allow/deny access based on domain, path, group, and network. Sufficient for simple scenarios.
Authentik offers a full policy engine:
- GeoIP checks: Login from an unusual country? Additional MFA prompt.
- Impossible travel detection: Login from Berlin and 5 minutes later from Tokyo? Block.
- Device posture: Device known and compliant? Access granted.
- Reputation scoring: IP addresses with known abuse patterns are blocked.
- Time-based policies: Access only during business hours.
- Flow engine: All conditions visually modeled, no code required.
For businesses with compliance requirements (NIS2, GDPR, ISO 27001), Authentik's conditional access functionality is a decisive advantage.
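The impossible-travel rule from the list above (Berlin, then Tokyo five minutes later), worked through as a constructed detection example written for this article, not Authentik's policy code: consecutive logins of one user are flagged when the speed needed to cover the distance between them exceeds what any traveller could manage. City coordinates stand in for a GeoIP lookup, and the 900 km/h ceiling is an assumption.

```python
"""Impossible-travel check over one user's login events. Constructed example
illustrating the conditional-access rule above; not Authentik's own code."""
import math
from datetime import datetime, timezone

# Stand-in for a GeoIP lookup: login source label -> (latitude, longitude).
GEO = {
    "berlin": (52.52, 13.405),
    "hamburg": (53.55, 9.99),
    "tokyo": (35.68, 139.69),
}

# Assumed ceiling, roughly airliner cruising speed; faster than this is impossible.
MAX_SPEED_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def implied_speed_kmh(prev, cur):
    """Speed needed to get from prev to cur; each is (timestamp, source label)."""
    dist = haversine_km(GEO[prev[1]], GEO[cur[1]])
    hours = (cur[0] - prev[0]).total_seconds() / 3600.0
    if hours <= 0:
        # Same instant (or clock skew): only impossible if the places differ.
        return math.inf if dist > 0 else 0.0
    return dist / hours


def flag_impossible_travel(logins, max_speed=MAX_SPEED_KMH):
    """Returns (prev, cur, speed) for each consecutive pair that breaks the limit."""
    ordered = sorted(logins, key=lambda ev: ev[0])   # events may arrive out of order
    flagged = []
    for prev, cur in zip(ordered, ordered[1:]):
        speed = implied_speed_kmh(prev, cur)
        if speed > max_speed:
            flagged.append((prev, cur, speed))
    return flagged


# Constructed event stream for one user, deliberately out of order.
SAMPLE_LOGINS = [
    (datetime(2026, 4, 1, 9, 5, tzinfo=timezone.utc), "tokyo"),
    (datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc), "berlin"),
    (datetime(2026, 4, 2, 12, 0, tzinfo=timezone.utc), "hamburg"),
]

if __name__ == "__main__":
    for prev, cur, speed in flag_impossible_travel(SAMPLE_LOGINS):
        print(f"{prev[1]} -> {cur[1]} would need {speed:,.0f} km/h: block")
```

Only the Berlin to Tokyo pair is flagged; Tokyo to Hamburg a day later is slower than the ceiling and passes.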
User Management and Automation
Authelia: Minimal by Design
Authelia doesn't manage users in the traditional sense. It authenticates against an external backend (LDAP server, local YAML file) and stores sessions. There's no admin dashboard for user management, no group assignment via UI, no self-service features for end users.
Authentik: Full Identity Platform
- Admin dashboard: Users, groups, roles, applications – all manageable via web UI
- Flow engine: Visually model authentication processes (registration, recovery, login, enrollment)
- SCIM provisioning: Automatically sync users from HR systems or external IdPs. Employee leaves the company → access automatically revoked.
- User impersonation: View from a user's perspective as admin – for support and debugging
- Self-service: Users can reset passwords, manage MFA, register devices – without admin intervention
- Event logging: Every action logged – login, logout, policy change, group assignment. Enhanced audit logging (diff view, CSV export, visual analytics) with Authentik Enterprise.
| Feature | Authentik | Authelia |
|---|---|---|
| Admin dashboard | ✓ Full | Minimal |
| User self-service | ✓ | Basic (password reset) |
| Group/role management | ✓ (UI) | Via backend (LDAP/YAML) |
| SCIM provisioning | ✓ | ✗ |
| User impersonation | ✓ | ✗ |
| Flow engine | ✓ (visual) | ✗ |
| Custom branding | ✓ (white-label) | Basic theming |
| Event logging | ✓ (Enhanced audit logging with Enterprise) | ✓ Basic |
Resource Usage: Lightweight vs. Full-Stack
Docker Footprint Comparison
| Component | Authelia | Authentik |
|---|---|---|
| Docker image | ~20 MB | ~500 MB |
| RAM (idle, app only) | ~30 MB | ~150–200 MB |
| PostgreSQL | ~100–150 MB | ~100–150 MB |
| Redis | Not needed | Not needed (since release 2025.10, PostgreSQL only) |
| Total RAM (idle) | ~130–180 MB | ~250–350 MB |
| CPU (idle) | <1% | 1–3% |
Authelia is 2–3× more resource-efficient. On a Raspberry Pi or mini PC with 2 GB RAM, that matters. On a server with 8+ GB RAM – meaning any business server – the difference is negligible.
For perspective: A single Chrome tab uses more RAM than the entire Authelia stack. The question "which uses less RAM?" is the wrong question for businesses. The right question is: "which solves my problem?"
Reverse Proxy Integration vs. Application Proxy
Authelia: Forward-Auth Specialist
Authelia integrates natively with:
- Nginx (via auth_request)
- Traefik (via forwardAuth middleware)
- Caddy (via forward_auth plugin)
- HAProxy, Envoy, Skipper
Integration is tight and well-documented. For Docker setups with Traefik, Authelia is up and running in 5 minutes.
Authentik: Three Integration Paths
- Forward-auth (like Authelia) – via Traefik, Nginx, Caddy
- Application proxy (outpost) – Authentik provides its own reverse proxy that puts SSO in front of any application
- Native integration – applications speak OIDC/SAML directly with Authentik
The application proxy is a genuine differentiator: it enables SSO for applications that have zero SSO support – without modifying the application. For businesses with legacy software, this is critical.
Security and Community
Security
Authelia has historically had fewer reported security vulnerabilities. This is primarily due to its smaller attack surface: less code, no admin UI, no multi-protocol support. The Go codebase is memory-safe.
Authentik has a broader attack surface due to more features and code. However, the project is professionally maintained by Authentik Security Inc. – with a dedicated security team, regular releases, and a responsible disclosure process.
Community and Development
| Aspect | Authentik | Authelia |
|---|---|---|
| GitHub stars | ~14,000+ | ~27,000 |
| Contributors | 500+ | 272 |
| Development | Company (Authentik Security Inc.) | 3 developers (spare time) |
| Release cycle | Every 2–4 weeks | Every 2–3 weeks |
| Current version | 2026.2.2 (March 2026) | v4.39.19 (April 2026) |
| Enterprise support | ✓ ($5/user/month) | ✗ |
| License | MIT | Apache 2.0 |
Authelia has more GitHub stars – a sign of its strong homelab community. Authentik has more contributors and is developed by a company, which guarantees long-term stability and enterprise readiness.
Setup and Operations: YAML vs. Self-Service Portal
Authelia: YAML Configuration
Authelia is configured via a YAML file. Comfortable for developers and self-hosters, but every change requires a file edit and service restart. There's no web UI for configuration.
Authentik: Web UI + Flow Engine
Authentik is configured via a full web dashboard. Flows, policies, providers, and applications are managed graphically. Changes take effect immediately, without restart.
authhost: Managed Authentik Hosting
For those who want to eliminate operations overhead entirely, there's authhost – Managed Authentik Hosting from merkaio:
- Create account on portal.merkaio.com
- Deploy instance – choose plan, select region (Germany, Netherlands, USA, Canada, Singapore, Japan, Sydney, or India)
- Open Authentik dashboard – your dedicated instance is ready
- Connect applications and onboard users
7-day free trial with your own dedicated instance.
| Aspect | Authelia (self-hosted) | Authentik (self-hosted) | authhost (managed) |
|---|---|---|---|
| Setup time | 5–10 min (YAML) | 15–20 min (Docker) | Minutes (portal) |
| Configuration | YAML files | Web UI | Web UI |
| Updates | Manual | Manual | Automatic |
| Monitoring | Set up yourself | Set up yourself | 24/7 included |
| Backups | Set up yourself | Set up yourself | Automatic |
| Support | Community | Community / Enterprise | Included in price |
| Certifications (DCs) | Own responsibility | Own responsibility | DE: ISO 27001 + BSI C5; Others: ISO 27001 + SOC 2 Type II |
Cost Comparison
Authelia: Free, But Operations Overhead
Authelia is free (Apache 2.0). But operations cost:
- Server hosting: ~€20–50/month (VM with PostgreSQL)
- Admin time: 2–4 hours/month for updates, troubleshooting, certificates
- No commercial support for issues
Authentik Self-Hosted: Free or $5/User/Month
The open-source version is free (MIT license). The Enterprise license costs $5/user/month and adds features most SMBs don't need. Operations costs are comparable to Authelia – but with more functionality.
authhost: Flat Rate Without Per-User Fees
| Plan | Monthly | Annual (-30%) |
|---|---|---|
| Starter (rec. up to 250 users) | €49.90 | €34.90 |
| Business (rec. up to 1,000 users) | €149.90 | €104.90 |
| Enterprise (1,000+ users) | Contact sales | Contact sales |
All plans: No per-user fees, 8 regions worldwide, 24/7 monitoring, updates and patches included, event logging in all plans.
Cost Comparison: 50 Users, 3 Years
| Item | Authelia (self-hosted) | Authentik (self-hosted) | authhost Starter |
|---|---|---|---|
| Software | €0 | €0 (open source) | Included in plan |
| Server | ~€720–1,800 | ~€720–1,800 | €0 |
| Admin time (3Y) | ~€3,600–7,200 | ~€3,600–7,200 | €0 (managed) |
| Enterprise support | ✗ | ~€9,000 ($5×50×36) | Included in plan |
| Total 3 years | ~€4,300–9,000 | ~€4,300–9,000 (without Enterprise) | ~€1,257 (€34.90 × 36) |
Admin time costs conservatively estimated: 2–4 hours/month × €50/hour.
Decision Guide: When Authelia, When Authentik?
Authelia is the right choice if you:
- Run a homelab or small self-hosting setup with 3–10 applications
- Exclusively use OIDC-capable applications (no SAML, no LDAP needed)
- Need minimal resource usage on a Raspberry Pi or mini PC
- Only need login + MFA in front of a reverse proxy – without centralized user management
- Are comfortable with YAML configuration and don't need enterprise support
Authentik / authhost is the better choice if you:
- Need SAML 2.0 for enterprise SaaS services (Microsoft 365, Salesforce, AWS SSO)
- Need an LDAP server for NAS systems, firewalls, or network devices
- Want SCIM provisioning for automatic on-/offboarding
- Need RADIUS for VPN or WiFi authentication
- Want to deploy an application proxy for legacy apps without SSO support
- Need conditional access with GeoIP, impossible travel, and device posture
- Need centralized user management with flows, policies, and event logging
- Manage more than 20 users and want to minimize operations overhead
- Prefer GDPR-compliant managed hosting in Germany
The Short Formula
Authelia = Auth gateway. It guards the entrance. Authentik = Identity provider. It manages the entire identity.
If you only need an entrance, Authelia is enough. If you need identity management, you need Authentik.
Conclusion
Authelia is an excellent tool for its purpose: a lightweight authentication layer in front of a reverse proxy. For homelabs and small self-hosting setups, it's perfect.
But for businesses – even small ones – Authelia falls short. No SAML means no integration with enterprise SaaS. No LDAP server means no authentication for network devices. No SCIM means manual on-/offboarding. No flow engine means no automation. And a 3-person spare-time project without enterprise support is a risk for business-critical infrastructure.
Authentik offers all of that – as an open-source solution with MIT license. Combined with managed hosting from authhost, businesses get a full identity provider that's ready in minutes, operated at a predictable flat rate, and hosted in certified data centers.
Try it now: Start your own Authentik instance via the merkaio self-service portal – 7 days free.
Recommended reading: Keycloak Alternative for SMBs
Sources
- Authelia – Official Website
- Authelia GitHub Repository (Apache 2.0)
- Authelia Roadmap – SAML 2.0 Planning
- Authelia Roadmap – Overview
- Authentik – Official Website
- Authentik GitHub Repository (MIT)
- Authentik Documentation
- Authentik Features
- Authentik Pricing
- Authentik Version 2026.2 Release Notes
- Cerbos: Authelia vs Authentik 2026
- selfhosting.sh: Authelia vs Authentik Comparison
- House of FOSS: State of Open-Source Identity 2025
- authhost.io – Managed Authentik Hosting
Written by
Timo Wevelsiep
Founder, merkaio
Founder of merkaio. Managed Authentik Identity Hosting. Focus on identity management, SSO and zero trust architecture.