Keycloak
Red Hat (IBM)
Last verified 2026-05-30 · Reviewed by guptadeepak
Editorial verdict
Keycloak is the de-facto open-source CIAM in 2026 and remains the right choice when data sovereignty, on-prem deployment, or zero per-MAU cost are non-negotiable. The trade-off is operational cost: running Keycloak well is closer to running PostgreSQL than to running an SDK, and teams without that capacity should reach for FusionAuth (lighter ops) or a SaaS instead.
At a glance
- Best for
- Public sector and regulated workloads requiring on-prem / sovereign deployment
- Pricing
- free-open-source
- Free tier
- Unlimited
- Deployment
- self-hosted, on-prem, hybrid
- SOC 2 Type II
- No
- Passkeys
- Native
- Self-host
- Yes
- Open source
- Yes
Funding & business
- Funding model
- Open-source / foundation
- Total raised
- None
- Latest round
- None disclosed
- Years in business
- 12 yrs
- Profitable
- Not disclosed
CNCF incubating project sponsored by Red Hat (IBM); commercialised as Red Hat build of Keycloak, not separately funded.
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Most widely deployed open-source CIAM globally, enormous community, Stack Overflow coverage, third-party themes and extensions.
- Fully self-hostable with no vendor lock-in; data residency and sovereignty are unconstrained.
- Mature SAML / OIDC / OAuth 2.0 support, including the kind of legacy IdP bridges enterprise federation needs.
- Free at any MAU, which is meaningful for high-MAU consumer apps that would otherwise pay $10k+/mo to a SaaS CIAM.
Limitations
- Operating cost is real: production deployments typically need 0.5–1.0 FTE for upgrades, security patching, and incident response.
- DX is dated compared to Auth0 / Stytch / Clerk: the admin console is functional but not modern, and the SDKs prioritize Java.
- No native FGA, no first-class compliance attestations (SOC 2, ISO, HIPAA must be earned by the operator), no MCP support.
- Passkey support exists but UI orchestration is bare; expect <10% adoption without significant theming work.
Capability matrix
Every vendor is scored on the same axes. See the methodology for criteria.
| Capability | Keycloak |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Partial |
| SMS OTP | Partial |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | No |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Yes |
| Passwordless-only flows | Partial |
| Adaptive MFA | Partial |
| Step-up auth | Yes |
| RBAC | Yes |
| ABAC | Yes |
| ReBAC | No |
| FGA engine | No |
| API authorization | Yes |
| Fine-grained permissions | Yes |
| Self-service registration | Yes |
| Progressive profiling | Yes |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Partial |
| Multi-tenancy | Yes |
| REST API | Yes |
| GraphQL API | No |
| SDKs | java, js, node, python, go, dotnet |
| CLI | Yes |
| Terraform provider | Yes |
| Local emulator | Yes |
| Extension model | SPI extensions (Java) + custom themes |
| Bot detection | No |
| Breached password detection | Partial |
| Brute-force protection | Yes |
| Anomaly detection | No |
| Log streams | Yes |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Partial |
| Post-quantum roadmap | No |
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | Yes |
| Agent vs human token separation | No |
| Web Bot Auth | No |
| SOC 2 Type II | No |
| ISO 27001 | No |
| ISO 27018 | No |
| HIPAA | No |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |
| Consent management | Partial |
| Preference center | Partial |
| Purpose-specific consent | Partial |
| Integrates with CMPs | n/a |
Pricing
| Scale | Estimated monthly cost |
|---|---|
| 10,000 MAU | $250/mo |
| 100,000 MAU | $800/mo |
| 500,000 MAU | $2,500/mo |
| 1,000,000 MAU | $5,000/mo |
Estimates cover:
- Self-hosted infrastructure cost (cluster nodes, database, observability)
- Engineering operating cost, typically 0.5–1.0 FTE-equivalent at production scale
- Optional Red Hat support contract for SLA-backed assistance
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Public sector and regulated workloads requiring on-prem / sovereign deployment
- High-MAU consumer apps where SaaS pricing is the binding constraint
- Enterprises with existing Java / Red Hat operational footprint
Not for
- Teams without operational capacity to run a stateful service in production
- Apps that need first-class passkey orchestration without theming work
- Mid-market SaaS that values developer velocity over data sovereignty
FAQ
- Is Keycloak free?
- Yes. Keycloak is open-source under the Apache 2.0 license, sponsored by Red Hat (IBM), and free to deploy at any scale. Operating costs (infrastructure, engineering time, optional support contract) are real and should be modeled; see the build-vs-buy guide.
- How much does Keycloak cost to operate at 1M MAU?
- A typical 1M MAU production deployment costs $3,000–$8,000 per month in infrastructure and amortized engineering time, depending on HA topology, regional footprint, and support tier. Compared to $9,500+/mo on Auth0 at the same scale, Keycloak wins on unit economics and loses on engineering velocity.
- Does Keycloak support passkeys?
- Yes, since version 19+. The default UI is functional but not orchestrated; expect <10% adoption without theming and prompting work. Teams pursuing serious passkey rollouts on Keycloak typically pair it with Authsignal or Corbado as an orchestration layer, or migrate to a passkey-native vendor.
Sources
- Keycloak Documentation, accessed 2026-04-22
- Keycloak GitHub repository, accessed 2026-04-22
- Red Hat build of Keycloak, accessed 2026-04-22
What Keycloak is
Keycloak is the dominant open-source CIAM platform: Apache 2.0 licensed, originally developed at Red Hat, and now stewarded as a CNCF Sandbox project with active contribution from IBM, government agencies, and a broad enterprise community. It runs as a stateful Java service backed by a database (PostgreSQL is the standard) and is most often deployed on Kubernetes for HA. The product is mature: SAML, OIDC, OAuth 2.0, identity brokering, social login, MFA, theming, and a full admin REST API.
Where Keycloak wins
Data sovereignty is the unbeatable proposition. For public-sector workloads, regulated industries, and any deployment where the customer dataset cannot leave their infrastructure, Keycloak is the only credible option among the platforms in this index that doesn't require self-building.
The unit economics matter at scale. A 1M MAU SaaS CIAM bill of $9,500+/month on Auth0 becomes $3,000–$8,000/month of infrastructure plus engineering on Keycloak, with unconstrained choice of hardware, region, and operational topology.
The community is the largest in CIAM. Stack Overflow has near-complete coverage of operational issues; the GitHub repo accepts community PRs; theme and SPI extensions exist for nearly every legacy IdP integration.
Where Keycloak hurts
Operating Keycloak well is engineering work. A typical production deployment needs 0.5–1.0 FTE-equivalent for upgrades, schema migrations, security patching, observability, and incident response. Teams without that capacity end up running Keycloak badly, which means downtime and stale security patches.
The DX gap relative to Auth0 / Clerk / Stytch is real. The admin console is dated, the SDK ecosystem prioritizes Java, and theming the user-facing pages takes design effort. For developer velocity, this is a meaningful tax.
Compliance attestations (SOC 2, ISO, HIPAA, FedRAMP) are earned by the operator, not provided by the platform. For a SaaS CIAM, the vendor's SOC 2 report flows through to your auditors; for self-hosted Keycloak, you produce your own attestations.
Passkey support exists but orchestration is bare. Expect single-digit adoption without theming work or an external orchestration layer (Authsignal, Corbado).
How Keycloak compares
The closest open-source alternative with a lighter operational profile is FusionAuth (commercial-supported OSS, single binary). For modern OSS architecture, Ory Kratos / Hydra / Keto and Zitadel are credible. For SaaS migrations, the most common comparison is Auth0 vs Keycloak.