Authelia
Last verified 2026-04-29 · Reviewed by guptadeepak
Editorial verdict
Authelia is the lightweight self-hosted SSO portal for infrastructure access in 2026: a single Go binary, Apache 2.0 licensed, designed for reverse-proxy forward-auth patterns rather than consumer-scale CIAM. It is intentionally narrow: no Organizations, no self-service registration, no SDK ecosystem. For homelab and self-hosted-infrastructure access control, Authelia is one of the cleanest choices; for customer identity, look at full-platform CIAM instead.
At a glance
- Best for: Self-hosted infrastructure (homelab, internal SaaS) where Authelia gates access to backend services
- Pricing: free-open-source
- Free tier: Unlimited
- Deployment: self-hosted
- SOC 2 Type II: No
- Passkeys: Native
- Self-host: Yes
- Open source: Yes
Funding & business
- Funding model: Open-source / foundation
- Total raised: None
- Latest round: None disclosed
- Years in business: 9 yrs
- Profitable: Not disclosed
Volunteer-driven open-source authentication portal; no commercial entity or institutional funding.
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Single Go binary with minimal operational footprint, among the lightest in the OSS index.
- Apache 2.0 licensed, fully community-driven, no commercial layer.
- Excellent fit for self-hosted infrastructure (homelab, internal SaaS, reverse-proxy-based access control).
- First-class integration with reverse proxies (Traefik, NGINX, HAProxy, Caddy) for forward-auth patterns.
Limitations
- Not a full CIAM: designed for web SSO portal scenarios, not customer identity at scale.
- No B2B Organizations, no multi-tenancy, no self-service registration as a default flow.
- User store is file-based or LDAP-backed, not designed for high-volume consumer apps.
- Compliance attestations are operator-earned; no SDK ecosystem; minimal API surface for app integration.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Authelia |
|---|---|
| Password authentication | Yes |
| Social login | No |
| Magic links | No |
| SMS OTP | No |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | Yes |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Partial |
| Passwordless-only flows | No |
| Adaptive MFA | No |
| Step-up auth | Yes |
| RBAC | Yes |
| ABAC | No |
| ReBAC | No |
| FGA engine | No |
| API authorization | Yes |
| Fine-grained permissions | Partial |
| Self-service registration | No |
| Progressive profiling | No |
| Self-service account | Partial |
| Bulk user import | Yes |
| Admin user search | Partial |
| Custom user metadata | Partial |
| Organizations / tenants | No |
| Multi-tenancy | No |
| REST API | Yes |
| GraphQL API | No |
| SDKs | n/a |
| CLI | Yes |
| Terraform provider | No |
| Local emulator | Yes |
| Extension model | YAML configuration + access control rules |
| Bot detection | No |
| Breached password detection | No |
| Brute-force protection | Yes |
| Anomaly detection | No |
| Log streams | Yes |
| Audit logs | Yes |
| GDPR data export | Partial |
| PII minimization | Yes |
| Post-quantum roadmap | No |
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | No |
| Agent vs human token separation | No |
| Web Bot Auth | No |
| SOC 2 Type II | No |
| ISO 27001 | No |
| ISO 27018 | No |
| HIPAA | No |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | No |
| FedRAMP | No |
| EU data residency | Yes |
| Consent management | No |
| Preference center | No |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| Monthly active users | Estimated cost |
|---|---|
| 10,000 MAU | $50/mo |
| 100,000 MAU | $100/mo |
| 500,000 MAU | $300/mo |
| 1,000,000 MAU | $600/mo |
- Apache 2.0 licensed; free at any scale
- Single Go binary; minimal infrastructure footprint
- Designed primarily as web SSO portal, not full CIAM
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Self-hosted infrastructure (homelab, internal SaaS) where Authelia gates access to backend services
- Reverse-proxy-based forward-auth deployments
- Developer-tools and small-scale internal platforms
Not for
- B2C consumer apps with self-service registration
- B2B SaaS needing Organizations or multi-tenancy
- Workloads requiring vendor-attested compliance
FAQ
- Is Authelia a CIAM platform?
- Not really, in the sense the rest of this index uses the term. Authelia is designed as an SSO portal that gates access to backend services via reverse-proxy forward-auth (Traefik, NGINX, HAProxy, Caddy). It supports OIDC and SAML for downstream apps, but the focus is workforce / infrastructure access rather than consumer or B2B SaaS identity.
- What is forward-auth?
- A reverse-proxy pattern where the proxy queries an external auth service (here, Authelia) to authorize each request before forwarding it to the backend, so the backend itself never sees an unauthenticated request. Common in homelab and self-hosted contexts; Authelia is one of the most popular implementations.
- Should I use Authelia for my SaaS app?
- Probably not: Authelia is not designed for self-service consumer flows or multi-tenant B2B SaaS. For SaaS, look at Keycloak, FusionAuth, Zitadel, Logto, or one of the SaaS CIAM products.
Sources
- Authelia Documentation, accessed 2026-04-22
- Authelia GitHub, accessed 2026-04-22
What Authelia is
Authelia launched in 2017 as a self-hosted SSO portal for infrastructure access, designed primarily for reverse-proxy forward-auth patterns where Authelia gates access to backend services (Grafana, internal dashboards, code-server, file shares, etc.) routed through Traefik, NGINX, HAProxy, or Caddy. It is a single Go binary with a small operational footprint, popular in homelab and self-hosted-infrastructure contexts.
Where Authelia wins
Lightest operational profile in the index: a single Go binary plus an optional database. Apache 2.0 licensed and fully community-driven. First-class reverse-proxy integration that no other CIAM in this index matches as cleanly. Excellent for the use case it targets.
Where Authelia hurts
It is intentionally narrow and not a full CIAM. No B2B Organizations, no multi-tenancy, no self-service registration as a default. The user store is file-based or LDAP-backed. No SDK ecosystem. Compliance attestations are operator-earned. For consumer apps or B2B SaaS, look elsewhere.
How Authelia compares
The closest comparison is Keycloak vs Authelia for the self-hosted workforce-access decision. For full-platform CIAM that handles customer identity at scale, Keycloak, Authentik, FusionAuth, and Zitadel are the alternatives. For workforce IAM specifically (Authelia's adjacent space), Pomerium and Teleport are outside this CIAM-focused index.
Editorial changelog (1 entry)
Capability matrix and pricing bands re-verified against the vendor's latest documentation and changelog.