2025 Award
Best Open source, 2025.
Editorial rationale
Open source CIAM in 2025 was about productionization rather than new entrants: the established projects matured their hosted offerings, tightened security posture, and improved upgrade paths. Keycloak remains the default choice for enterprise self-hosters and the reference open-source CIAM; Ory continues to lead for buyers separating identity, authorization (Keto), and authentication into composable services; Authentik shipped the most coherent admin UI and SAML/OIDC depth in the OSS field. Zitadel, Logto, and Authelia cover narrower niches credibly. Casdoor, SuperTokens, and BetterAuth remain interesting for narrower bets. There is no Avoid rating in this segment: these projects are all earnest community work, and selection is a fit-for-purpose question.
Leader
Keycloak
Keycloak is the de facto open-source CIAM in 2026 and remains the right choice when data sovereignty, on-prem deployment, or zero per-MAU cost are non-negotiable. The trade-off is operational cost: running Keycloak well is closer to running PostgreSQL than to running an SDK, and teams without that capacity should reach for FusionAuth (lighter ops) or a SaaS instead.
Ory
Ory is the most architecturally modern open-source CIAM in 2026: Go-based, Kubernetes-native, composable components, strict Apache 2.0, with native Zanzibar-style FGA via Keto that no other full-platform vendor in this index ships natively. The trade-off is operational scope: running four composable services rather than one binary suits Kubernetes-native teams and frustrates everyone else. For teams that want OSS plus FGA from one vendor, Ory is the clear pick.
Authentik
Authentik is the modern alternative to Keycloak for self-hosted enterprise CIAM in 2026: Python-based, MIT-licensed, with a materially nicer admin UI than Keycloak's dated console. The trade-off is a mid-weight operational profile and no managed cloud offering. For teams with Python operational competence and a strict-OSS mandate, Authentik is the lower-friction alternative to Keycloak.
Strong challenger
Zitadel
Zitadel is the modern open-source CIAM with the strongest B2B Organizations data model in 2026: Go-based, single-binary, event-sourced, and Apache 2.0 licensed throughout. For self-hosted teams that find Keycloak's operational profile too heavy and Ory's component model too complex, Zitadel splits the difference with a single deployment artifact and B2B-native primitives. Swiss data residency on Zitadel Cloud is a meaningful differentiator for sovereignty-conscious buyers.
Logto
Logto is the modern OSS CIAM with the most aggressive pricing in 2026: an MPL-2.0 self-hosted Community edition at any scale, a Cloud free tier covering 5k MAU, and paid plans starting at $16/month. Connector-based pluggable architecture and clean TypeScript SDKs make it competitive on DX. The trade-off is narrower compliance coverage and a smaller community than Keycloak; for cost-sensitive greenfield projects, Logto is one of the strongest picks.
Authelia
Authelia is the lightweight self-hosted SSO portal for infrastructure access in 2026: a single Go binary, Apache 2.0, designed for reverse-proxy forward-auth patterns rather than consumer-scale CIAM. It is intentionally narrow: no Organizations, no self-service registration, no SDK ecosystem. For homelab and self-hosted-infrastructure access control, Authelia is one of the cleanest choices; for customer identity, look at a full-platform CIAM instead.
Niche pick
Casdoor
Casdoor is the OSS CIAM with the strongest native authorization integration via Casbin (same maintainer), Apache 2.0 licensed and broad-featured. The trade-offs are dated DX, rough edges in the English documentation, and a sprawling scope that spans CIAM plus adjacent domains. For teams that value Casbin authz tightly coupled to identity, or for China-region deployments where Casdoor has strong adoption, it is a credible OSS pick. For Western enterprises with strict compliance needs, look at Keycloak, FusionAuth, or Zitadel instead.
SuperTokens
SuperTokens is the modern OSS auth library with the cleanest pluggable architecture in 2026: an Apache 2.0 self-hosted Core, Recipe-based composition (each auth method is a module), and strong session management primitives. For teams that want OSS auth as a library with an optional managed offering, SuperTokens belongs on a shortlist alongside FusionAuth and Zitadel. The trade-off is narrower compliance coverage and weaker B2B Organizations than dedicated B2B platforms.
BetterAuth
BetterAuth is the most-discussed code-first OSS auth library in the TypeScript ecosystem in 2026: strict MIT, bring-your-own-database, extensible through a plugin architecture, and a DX that feels like a modern framework primitive rather than a SaaS. The trade-off is that without a managed offering, the team owns the operational burden, the compliance story, and the production runtime. For teams that want auth as a library rather than a service, BetterAuth is a strong default; for teams that want managed compliance and SLAs, look elsewhere.