12 open source tools compared. Sorted by stars. Scroll down for our analysis.
| Tool | Description | Stars | Velocity | Score |
|---|---|---|---|---|
| Authelia | SSO multi-factor portal for web apps | 28.1k | +47/wk | 83 |
| Passport | Simple, unobtrusive authentication for Node.js | 23.5k | - | 85 |
| Authentik | Flexible identity provider | 22.1k | +81/wk | 81 |
| SuperTokens | Open source alternative to Auth0/Firebase Auth/Cognito | 15.1k | +32/wk | 81 |
| | | 14.6k | +51/wk | 83 |
| ZITADEL | Identity infrastructure, simplified | 14.2k | +71/wk | 73 |
| Ory Kratos | Headless cloud-native identity management | 13.7k | +10/wk | 85 |
| Logto | Auth infrastructure for SaaS and AI apps | 12.2k | +24/wk | 76 |
| Lucia | Authentication, simple and clean | 10.5k | - | 81 |
| casl | CASL is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access | 7.0k | +8/wk | 73 |
| authlib | The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS, JWE, JWK, JWA, JWT included. | 5.4k | - | 77 |
| authorizer | Your data, your control. Fully open source, authentication and authorization. No lock-ins. Deployment in Railway in 120 seconds, or spin a docker image as a micro-service in your infra. Built in login page and Admin panel out of the box. | 2.0k | +3/wk | 67 |
Authelia is the open source bouncer for your self-hosted services. It plugs into your reverse proxy (Traefik, Nginx, Caddy, HAProxy, or Envoy) and forces anyone hitting your apps to log in once, with single sign-on and two-factor, before the request reaches the service behind it. Apache-2.0, free, and written in Go so it stays light. Setup is config-file driven and pairs tightly with your proxy through forward-auth, so the learning curve is mostly about wiring that integration correctly. It supports TOTP, WebAuthn hardware keys, and push-based 2FA, plus access-control rules per domain and per user. You run it yourself; there is no hosted version and no paid tier. This is for people running a stack of self-hosted apps who want one login and real 2FA in front of all of them without standing up a heavy identity platform. Solo homelabs and small teams: free, and lighter than the alternatives. If you need a full identity provider with a user-management UI, SAML, LDAP, and OAuth/OIDC issuance, look at Authentik or Keycloak instead; you will pay for that in complexity but get a lot more. The catch is scope. Authelia guards access; it is not a complete identity platform. It authenticates users against a backend you point it at and gates your apps, but it is not where you manage a full directory or hand tokens to third parties. For its narrow job, putting SSO and 2FA in front of self-hosted services, it is one of the cleanest options going.
Passport is the authentication middleware for Node.js that supports 500+ strategies. It plugs into Express (or any Connect-compatible framework) and gives you a strategy-based system where each login method is a plugin. MIT, JavaScript. The architecture is simple: pick a strategy (passport-local for email/password, passport-google-oauth20 for Google), configure it, add two routes (login and callback), done. There are 500+ community strategies covering everything from Twitter to LDAP to TOTP. Fully free. No paid tier, no hosted service. Every strategy is open source. Solo to large teams: free across the board. Passport is the most battle-tested auth library in the Node ecosystem. If you're on Express, it's probably already in your dependencies. The catch: Passport is showing its age. The core hasn't had a major update in years. Session-based authentication is the default pattern, and while you can do JWT and stateless auth, it's not native. Modern alternatives like Lucia or Auth.js (formerly NextAuth) have better TypeScript support, better documentation, and patterns that match current web architecture. For new projects, especially Next.js or other modern frameworks, Passport feels like reaching for the old reliable when newer options fit better.
SSO (single sign-on), multi-factor auth, user directories, all in one place. The open source version is extremely capable. You get SAML, OAuth2/OIDC, LDAP, SCIM, and proxy authentication. The admin UI is clean and modern. You can set up enrollment flows, password recovery, and MFA without touching code. For a homelab or small company, this replaces paid services like Okta or Auth0. Authentik Enterprise adds features like long-term support, AI-powered risk assessment, and enterprise support starting at $5/user/mo with a 100-user minimum ($500/mo floor). Solo/homelab: the open source version is fantastic. Small teams: same. Growing teams needing vendor support: Enterprise makes sense at $5/user/mo. Large orgs: serious Okta alternative at a fraction of the cost. The catch: initial setup has a learning curve. Authentik uses a flow-based system for authentication logic that's powerful but not intuitive at first. Plan to spend a weekend getting it right. Docker Compose is the recommended deployment; you'll run Postgres, Redis, and the Authentik containers.
SuperTokens is the open source authentication platform: signup, password reset, social login, multi-factor auth, without Auth0 prices or Firebase lock-in. It handles session management, email verification, passwordless login, and social OAuth out of the box. Self-hosting is free with all features. The managed cloud has a free tier up to 5,000 monthly active users (MAUs), which covers most startups. Paid tiers kick in at scale. The catch: the self-hosted version requires running a Java-based core service alongside your app. That's a real dependency: Java runtime, separate process, separate database. The cloud version eliminates this but you're trusting a smaller company with your auth. And the SDK ecosystem, while growing, is narrower than Auth0's. Check that your framework is supported before committing.
Oauth2-proxy sits in front of them and handles it. It's a reverse proxy that forces users to authenticate with Google, GitHub, Azure AD, or dozens of other identity providers before they can reach your app. It's a bouncer for your internal services. Fully free under MIT. No paid tier. You deploy it as a container or binary, configure your identity provider, and point it at whatever you want to protect. It handles the entire OAuth2/OIDC flow. Your backend app never needs to know about authentication. The catch: it's authentication only, not authorization. Everyone who logs in gets the same access. There's no built-in role system or per-path permissions. For that, you need something like Authelia or Authentik. And the configuration is YAML/CLI flags with a lot of options. Getting it right the first time takes some trial and error, especially with less common identity providers.
ZITADEL is a self-contained identity platform: login, signup, SSO, multi-factor auth, user roles, all in one. It's an alternative to Auth0 or Clerk that you can self-host for free. The self-hosted version is free under AGPL-3.0 with all features included: unlimited users, SSO, MFA, RBAC, organizations, branding customization. Nothing is gated. The managed cloud starts free (25,000 monthly active users on the free tier, which is absurdly generous), with paid tiers starting at usage-based pricing. Self-hosting requires a Postgres-compatible database and runs as a single binary or Docker container. Setup is moderate. ZITADEL has good docs but identity systems are inherently complex. Plan for a day of setup and configuration. Solo developers: the cloud free tier at 25K MAU is more than enough. Small teams: still free. Growing teams: self-host or stay on cloud. The free tier covers you longer than any competitor. Large teams: self-host for control, or use the paid cloud for compliance features. The catch: ZITADEL is newer than Keycloak and has a smaller community. If you hit an edge case, Stack Overflow won't have the answer yet. GitHub issues and their Discord are your support channels.
Ory Kratos is a headless identity server that handles login, registration, password recovery, and account management without depending on Auth0. It handles the backend logic: password hashing, session management, MFA, social sign-in, and you build whatever frontend you want on top of its API. "Headless" means no built-in UI. Kratos exposes APIs and you render the login forms, registration flows, and account settings pages yourself. This gives you complete control over the user experience but means more work upfront. Kratos handles the identity lifecycle: registration, login, logout, account recovery, email verification, settings management, and MFA (TOTP, WebAuthn). It stores identities in Postgres or MySQL. The security model is solid, built by a team that takes auth seriously. Ory Network (the managed cloud) offers a free tier with 25K monthly active users, which is generous. Beyond that, pricing starts at usage-based rates. The catch: the learning curve is steep. Kratos has its own concepts (self-service flows, identity schemas, Jsonnet mappers) that take real time to understand. The documentation is extensive but dense. If you just need "add Google login to my app," Kratos is like bringing a bulldozer to dig a garden hole. SuperTokens or even NextAuth are simpler for straightforward auth needs.
Logto is an auth platform you can self-host for free or use their cloud: login, signup, SSO, MFA, and user management for SaaS apps. Drop in their SDK, get a polished login experience, manage users through their admin console, done. It handles the stuff that's hard to build correctly: OAuth 2.0/OIDC compliance, social login (Google, GitHub, Apple), passwordless auth, MFA, organization management for B2B SaaS, and RBAC (role-based access control, controlling who can do what in your app). MPL-2.0 license. The self-hosted version is fully featured, no artificial feature gates to push you to cloud. The catch: auth is a 'get it wrong and you're on the news' category. Logto is well-built but younger than Auth0 or Keycloak. If you self-host, you're responsible for security patches and uptime of your auth system, and that's not something you want going down at 2am.
Lucia is an open source auth library you run on your own server, not a hosted service. It handles sessions, cookies, and the messy parts of auth, but you own the database, you own the code, and you control every decision. No redirect to someone else's login page. It works with any database (Postgres, SQLite, MySQL, MongoDB) and any framework (Next.js, SvelteKit, Astro, Express). The API is deliberately minimal: create a session, validate a session, invalidate a session. OAuth, email/password, and magic links are all supported through clean patterns rather than black-box modules. Completely free under the BSD Zero Clause License, one of the most permissive licenses that exists. No paid tier, no cloud service, no upsells. The catch: Lucia deprecated itself in early 2025. The maintainer explicitly recommended using it as a learning resource and pattern guide rather than a production dependency going forward. The code works, but don't expect new features or security patches. If you're starting fresh, look at Better Auth (similar philosophy, actively maintained) or Logto for a self-hostable auth server with a UI. If you want a managed service and don't mind the vendor dependency, Clerk or Auth0 handle everything but you lose control.
CASL handles authorization: who can do what to which resources in your app. Define abilities in one place, enforce them on both frontend and backend. The entire library is 6KB minzipped and MIT licensed. The mental model is simple. You declare rules like "editors can update articles they own" using a readable DSL, then check permissions with can and cannot methods anywhere in your code. Works with React, Vue, Angular, Prisma, and Mongoose out of the box. Rules serialize to JSON, so the same permission set travels from API to UI without duplication. Solo developers building anything with user roles need this. Teams get consistent authorization logic across the stack without rolling their own RBAC from scratch. Scales from "admin vs user" to complex attribute-based access control without swapping libraries. The catch: it is authorization, not authentication. You still need something handling login and identity. CASL just decides what authenticated users are allowed to touch.
Authlib is the Python library for building OAuth and OpenID Connect into your own app. It implements OAuth 1.0, OAuth 2.0, OIDC, and JWT, and works across Flask, Django, FastAPI, and Starlette, so you can build both sign-in flows and your own authorization server. BSD-3-Clause and free, with a commercial license available for teams that want it. This is a low-level toolkit, not a hosted login button. You wire up token storage, the framework integration, and the flow details yourself, and getting OAuth and OIDC right takes actual security knowledge, the kind of thing where a small mistake is a real vulnerability. That is the price of control: nothing leaves your infrastructure and you are not paying per active user, but you own the correctness. For Python teams that need standards-compliant auth they fully control, this is one of the best options going. Solo and small teams: free, just budget the time to implement carefully. Teams that want a support contract and a commercial license: Authlib sells one at $1000/year, or $2000 by invoice. If what you actually want is sign-in without building any of it, that is Auth0, Clerk, or Cognito, and you pay them per user to skip this work. The catch is responsibility. Authlib hands you correct, well-built primitives; it does not hand you a finished, audited auth system. If your team does not have someone comfortable with OAuth's sharp edges, a hosted provider is the safer call even at the per-user price.
Authorizer is a self-hosted auth server that replaces Auth0, Firebase Auth, or Supabase Auth. Bring your own database (Postgres, MySQL, SQLite, MongoDB, and 7 more), deploy it, and own every byte of user data. Email/password, social logins (Google, GitHub, Apple, Facebook, LinkedIn), magic links, MFA, and full OAuth2/OIDC compliance. One-click deploy buttons for Railway, Heroku, and Render lower the barrier. For production you need to manage TLS, database backups, Redis for sessions, and an SMTP server for email verification. The Go binary runs in Docker with non-root containers. SDKs cover JavaScript, React, Vue, Svelte, and Go. Privacy-conscious teams or anyone in a regulated industry who cannot send user data to a third party: this is built for you. Solo developers who already run Postgres can colocate auth with their data and skip the monthly Auth0 bill entirely. The catch: you are your own auth provider now. Auth is high-stakes surface area, and any misconfiguration is on you. The project has a small maintainer team, so security patches may lag behind commercial providers. The v1-to-v2 migration is a breaking change. Some SDKs (React Native, Flutter, Python) are still on the roadmap.