Rauthy

Self-hosted identity management, honestly reviewed. No marketing fluff — just what you get when you run your own OpenID Connect provider.

TL;DR

• What it is: A lightweight, self-hosted Identity Provider (IdP) supporting OpenID Connect, OAuth 2.0, and PAM — the same protocols Okta and Auth0 use, running on your own hardware [README].
• Who it’s for: Founders and small teams paying per-MAU for Auth0 or Okta who want SSO, MFA, and passkeys without a monthly identity bill. Also homelabbers who find Keycloak’s 500MB JVM overhead offensive.
• Cost savings: Auth0 Essentials starts around $35/month and climbs fast past 7,500 MAU. Rauthy is Apache-2.0 with no per-user pricing — it runs on a $5–10/mo VPS with no SaaS fees at all.
• Key strength: Built in Rust. Idle memory is typically below 100MB, sometimes below 50MB. It ran through an independent security audit from Radically Open Security funded by NGI Zero Core, which is more than most identity servers this size can say [README].
• Key weakness: ~1,023 GitHub stars — small project, single maintainer, thin third-party documentation. If the maintainer vanishes, you’re on your own with the source code. Not a concern if you know Rust; potentially serious if you don’t [1].

---

What is Rauthy

Rauthy is a self-hosted identity provider. You deploy it in front of your applications, and it handles login, token issuance, MFA, and session management. Any app that speaks OpenID Connect or OAuth 2.0 — which is most of them — can delegate authentication to Rauthy instead of building it themselves or paying Auth0 to handle it.

The pitch is narrower and more honest than what you get from enterprise IdP marketing: “lightweight and easy to use Identity Provider supporting OpenID Connect, OAuth 2.0 and PAM” [README]. It doesn’t claim to replace every identity management platform in existence. It claims to do SSO correctly, with very secure defaults, on minimal hardware.

Three things set it apart from the rest of the self-hosted SSO field. First, it’s written in Rust — the same language choice that made Caddy fast and nginx replaceable. The memory profile at idle is often under 50MB, which is absurd compared to Keycloak’s minimum JVM heap requirements. Second, it ships with an embedded database (Hiqlite) so you can stand up a fully functional HA identity provider with no external Postgres required — though Postgres is available if you already have it [README]. Third, and most importantly for anyone putting this in front of real users: it received an independent security audit from Radically Open Security as part of the EU-funded NGI Zero Core program. The audit found issues that were patched in v0.32.1, and the full report is public [README]. That’s a level of scrutiny most 1K-star projects never get.

As of this review, Rauthy sits at 1,068 GitHub stars with 89 forks, added to AlternativeTo in October 2024 [1]. It’s young and small. That matters and we’ll get to it.

---

Why people choose it

The third-party review landscape for Rauthy is thin — it’s a newer project and the written reviews haven’t caught up yet. What exists is mostly AlternativeTo listing activity and comparisons with adjacent tools [1][2][3][4]. But the reasons people end up at Rauthy are readable from that context.

People arriving from Keycloak. Keycloak is the entrenched open-source identity giant. It works. It also requires a JVM, a minimum of 512MB RAM comfortably, an external database you have to maintain, and an XML-era admin UI that looks like a settings page from 2009. For teams that just want “SSO for my Nextcloud, Gitea, and Grafana,” that overhead is genuinely punishing. Rauthy positions itself as the solution: same protocols, one-tenth the footprint [README].

People arriving from Auth0 / Okta. Both are excellent services that cost real money once you’re past the free tier or need features like custom domains, attack protection, or enterprise connections. Auth0’s free tier caps at 7,500 monthly active users; after that, the billing starts. Okta’s workforce identity pricing runs per-user-per-month and adds up fast for small teams. Rauthy costs $0 in licensing fees — you pay VPS costs only.

People who care about security architecture. The AlternativeTo listing highlights that Rauthy’s default behavior actively refuses to do things wrong — new OIDC clients get ed25519 token signing and S256 PKCE by default, which will break clients that don’t support modern standards [README]. That’s a deliberate security posture, not an oversight. Passkey-only accounts (no password at all), non-discoverable credentials to avoid storage exhaustion on hardware keys, and built-in brute-force protection with automatic IP blacklisting are all on by default [README][website]. For an operator who wants “secure by default” without having to read 200 pages of Keycloak hardening guides, that’s a meaningful signal.

People who want passkeys without enterprise pricing. Okta charges for advanced MFA features. Auth0 includes passkeys on higher tiers. Rauthy supports FIDO2/WebAuthn and passkey-only accounts at zero additional cost — it’s table stakes, not an add-on [README].

---

Features

Authentication protocols:

• OpenID Connect (OIDC) — full support with ed25519 signing by default
• OAuth 2.0 — including PKCE S256 flow by default
• PAM (Pluggable Authentication Modules) — for headless/CLI tooling and IoT use cases [README]

MFA and passkeys:

• FIDO2 / WebAuthn with two modes: password + security key (cookie-based re-authentication), and passkey-only accounts with no password at all [README][website]
• Non-discoverable credential approach — passkeys registered in Rauthy don’t consume hardware storage slots on Yubikeys, etc. [README]
• Traditional TOTP still available for compatibility

Infrastructure:

• Default embedded database via Hiqlite — no external DB required
• Optional PostgreSQL backend if you already have it
• HA (High Availability) mode with Hiqlite’s own embedded consensus layer, or with Postgres
• Docker deployment; runs on Raspberry Pi class hardware [README]
• Below 100MB RAM at idle; often below 50MB for small deployments [README]

Administration:

• Admin UI for user management, client configuration, IP blacklisting, event viewing
• Per-user account dashboard for self-service password/passkey management
• Per-client custom branding (color theme + logo) [website]
• RBAC [feature list]
• LDAP support [feature list]
• Multi-language UI [README]

Security operations:

• Event and alerting system — events can be sent via email, Matrix, or Slack by severity level
• Real-time event stream for external processing
• Brute-force protection with automatic IP blacklisting and expiry
• Manual IP blacklist management via Admin UI [website]

Audit:

• Independent security audit by Radically Open Security (NGI Zero Core funded), findings addressed in v0.32.1, full report public [README]

---

Pricing: SaaS vs self-hosted math

Rauthy has no SaaS tier. It’s Apache-2.0, self-hosted only.

Auth0 for comparison:

• Free: up to 7,500 MAU, limited features
• Essentials: ~$35/month starting, climbing with MAU
• Professional: ~$240/month with attack protection, custom domains
• Enterprise: custom — typically $1,000+/month for large deployments

Okta Workforce Identity:

• Typically $2–8 per user per month depending on tier and features
• A 50-person company at $4/user = $200/month, $2,400/year

ZITADEL for comparison (the closest self-hostable competitor with SaaS option): Cloud starts at $100/month; self-hosted community edition is free under AGPL-3.0 [4].

Rauthy self-hosted:

• License: $0 (Apache-2.0) [1]
• A VPS adequate to run it: $5–10/month (Hetzner or Contabo)
• All users, all features, all protocols: included

Math for a typical 50-person internal tool stack:

• Auth0 Professional: ~$240/month → ~$2,880/year
• Okta at $4/user: ~$200/month → ~$2,400/year
• Rauthy on a $6 VPS: $72/year — saving roughly $2,300–2,800/year

For a founder running internal tooling — Gitea, Grafana, Nextcloud, a few custom apps — with maybe 20–50 internal users, that math is hard to argue with.

One honest caveat: Auth0 and Okta include infrastructure operation, support contracts, SLAs, and compliance certs. You’re not just buying software — you’re buying managed service. With Rauthy, if something breaks at 2am, you’re the one who fixes it.

---

Deployment reality check

Rauthy is meaningfully simpler to deploy than Keycloak. The default path is a single Docker container with an embedded database — no Postgres, no Redis, no Java heap tuning. The README is direct and documentation lives at sebadob.github.io/rauthy [website].

What you actually need:

• A Linux VPS (Raspberry Pi class works; 512MB RAM is comfortable)
• Docker (or binary deployment — Rust binaries are single-file)
• A domain and reverse proxy (Caddy is the obvious choice given Rauthy’s simplicity ethos)
• SMTP provider for email verification and alerts (optional but recommended)
• No external database required unless you want Postgres

What can go sideways:

The security audit finding is actually the most important deployment signal: it means the project takes security seriously enough to commission external review, but it also means there were findings to address. v0.32.1 patched them; anything older than that shouldn’t be running in production [README].

The ed25519/PKCE-first defaults will break older OIDC clients that only support RSA signing or don’t implement PKCE. This is correct behavior, but it means your first hour with Rauthy might involve debugging why an older app refuses to authenticate. The fix is to drop back the signing algorithm for that specific client — Rauthy supports it — but you need to know this going in [README][website].

The project has one primary maintainer (sebadob). GitHub shows 1,068 stars and 89 forks [1]. This is thin for an identity-critical dependency. If you’re a 200-person company putting Rauthy in front of production auth, the bus factor is real. For a solo founder or small team, it’s fine — but it should be an explicit decision, not an oversight.

HA mode exists and works, but “highly available” with embedded Hiqlite means you need to understand Hiqlite’s consensus model, which adds operational complexity if you’ve never run a Raft-based system.

Realistic time to working instance for someone comfortable with Docker: 30–60 minutes. For someone who needs to set up a VPS, configure DNS, and install Docker first: 2–4 hours. Genuinely one of the simpler identity servers to stand up.

---

Pros and Cons

Pros

• Rust performance. Under 100MB RAM at idle, often under 50MB. Runs on Raspberry Pi hardware. No JVM, no heap tuning [README].
• No external database required. The embedded Hiqlite backend means a complete SSO deployment is a single container. Postgres is there if you need it, not required [README].
• Independent security audit with public report. Not many projects this size have this. NGI Zero Core-funded audit from Radically Open Security, results addressed in v0.32.1 [README].
• Apache-2.0 license. Genuinely free. No “Community Edition” that secretly withholds critical features. SSO, MFA, RBAC, LDAP, passkeys — all in the free tier [1][README].
• Passkeys as first-class citizens. Passkey-only accounts with no password, hardware key support without consuming device storage slots — these are thoughtful design decisions, not bolted-on features [README].
• Secure defaults that actively resist misconfiguration. ed25519 and S256 PKCE on by default; brute-force protection and IP blacklisting on by default. You can relax them for compatibility, but the defaults protect you [README][website].
• HA without external coordination. Built-in high availability via Hiqlite’s embedded consensus — no separate etcd or Redis cluster to maintain [README].
• Event system with external alerting. Real-time events to email, Matrix, or Slack. Useful for security monitoring without building custom log analysis [website].

Cons

• ~1,023 stars, single maintainer. This is the biggest risk for production use. Keycloak has Red Hat and a 20K-star community behind it. authentik has a dedicated team. Rauthy has one engineer. That engineer is clearly skilled, but the bus factor is real [1].
• Thin documentation and third-party guides. The official docs are good; third-party tutorials are nearly nonexistent. If you hit an edge case, you’re reading source code or opening a GitHub issue [1].
• ed25519-first will break legacy clients. Correct security decision, but it will cause friction integrating older apps that only support RSA. You need to know this before you start [README].
• No hosted/SaaS tier. There’s no “just pay $X and have it managed for you” option. Self-hosted only. If operational responsibility is the blocker, there’s no escape hatch [merged profile].
• Smaller ecosystem than Keycloak or authentik. Extensions, plugins, and community-built integrations are sparse. What ships is what you get, plus what you write yourself [1].
• HA adds complexity. The embedded HA is elegant, but running a distributed consensus system in production still requires understanding failure modes. Simpler than Keycloak HA, but not trivial.
• No reviews yet. AlternativeTo has 0 comments/reviews for Rauthy at time of writing [1]. “Early adopter” and “production-critical auth system” are a tension worth sitting with.

---

Who should use this / who shouldn’t

Use Rauthy if:

• You’re running internal tooling for a small team (Gitea, Grafana, Nextcloud, custom apps) and paying Auth0 or Okta more than $50/month for the privilege.
• You or someone on your team is comfortable operating a single Docker container and debugging OIDC config when something acts up.
• You want passkeys and MFA without unlocking a paid tier.
• The Apache-2.0 license matters to you — no commercial restrictions, no CLAs, no “Fair-code” lawyering.
• You find Keycloak’s JVM overhead offensive and authentik’s Python stack heavy.
• You care about running on minimal hardware (Raspberry Pi, low-RAM VPS, edge nodes).

Skip it, pick authentik instead, if:

• You need a project with a dedicated company behind it and commercial support available.
• You want a larger ecosystem of community documentation and third-party guides.
• You need SAML as a primary protocol (Rauthy is OIDC/OAuth-first).
• Your team is non-technical and you need polished UI that a non-engineer can administer without reading docs.

Skip it, pick ZITADEL instead, if:

• You want a commercially-backed open-source IdP with a SaaS option as a fallback.
• You need multi-tenancy built in at the architecture level.
• You want a larger GitHub community (13,539 stars) and enterprise support contracts [4].

Skip it, stay on Auth0/Okta, if:

• Your compliance team requires SOC 2 / ISO 27001 on the identity provider itself, not just your application.
• You have fewer than 7,500 MAU and Auth0’s free tier covers you.
• The person who would deploy and maintain this doesn’t exist at your company.
• Self-hosted infrastructure is specifically out of scope for your infra policy.

---

Alternatives worth considering

• Keycloak — the enterprise standard, Red Hat-backed, enormous ecosystem. Also enormous: JVM, 500MB+ minimum heap, XML admin UI. If you need serious enterprise SAML/LDAP federation, it’s the choice. If you just want SSO for 20 users, it’s overkill.
• authentik — the modern Keycloak replacement with a Python/Django backend. Larger community, dedicated company (Authentik Security), more third-party guides. Uses more RAM than Rauthy but dramatically less than Keycloak. Stronger ecosystem, weaker performance profile [2].
• ZITADEL — Go-based, commercially-backed, strong multi-tenancy story. AGPL-3.0. Has a cloud SaaS tier starting at $100/month for teams that want managed but want to stay open-source [4]. More mature than Rauthy with 13,539 GitHub stars.
• Ory — a collection of open-source identity microservices (Hydra for OAuth2, Kratos for user management, Keto for permissions). Complex but extremely flexible. Commercial cloud at $29–$3,000/month; self-hosted core is free [3]. Overkill for small teams; powerful for engineers who want composable pieces.
• Authelia — well-established, simpler feature set focused on reverse proxy authentication and 2FA. Less full-featured on the OIDC/OAuth side. Good for adding auth in front of apps without a full IdP.
• VoidAuth — newer TypeScript-based alternative with a similar simplicity pitch to Rauthy. 1,942 GitHub stars, AGPL-3.0 [2]. If you want TypeScript instead of Rust, this is the comparable option.
• Pocket ID — smaller, passkey-focused, minimalist. Good if passkeys are the only thing you need and OIDC breadth isn’t a priority.

For a small team choosing between the fully self-hosted options: Rauthy if you want maximum performance and minimum dependencies. ZITADEL if you want a larger community and commercial backup. authentik if you want the easiest setup experience.

---

Bottom line

Rauthy is what happens when a security-conscious Rust developer looks at Keycloak’s JVM heap requirements and decides to rebuild the important parts from scratch. The result is an identity provider that actually runs on modest hardware, passes an independent security audit, and doesn’t charge per MAU. For a founder paying Auth0 or Okta $200–300/month to authenticate a small internal team, the math is immediate: one afternoon of Docker setup and a $6 VPS replaces a recurring bill that only grows.

The honest risk is size and maturity. This is a ~1,000-star project with thin third-party documentation and a single primary maintainer. For a homelab or a startup’s internal tooling, that’s acceptable. For a large company whose entire authentication stack depends on it, that single point of failure deserves hard thinking before you commit. If that concern is blocking you, ZITADEL or authentik are larger projects in the same space. But if the Keycloak tax is what you’re trying to escape, Rauthy is the most resource-efficient way to do it.

---

Sources

1. AlternativeTo — Rauthy listing (1,068 GitHub stars, Apache-2.0, added Oct 2, 2024, last updated Oct 1, 2025). https://alternativeto.net/software/rauthy/about/
2. AlternativeTo — VoidAuth listing (1,942 GitHub stars, AGPL-3.0, competing self-hosted SSO). https://alternativeto.net/software/voidauth/about/
3. AlternativeTo — Ory listing (open source IAM, $29–$3,000/month cloud pricing). https://alternativeto.net/software/ory/about/
4. AlternativeTo — ZITADEL listing (13,539 GitHub stars, AGPL-3.0, cloud from $100/month, user reviews). https://alternativeto.net/software/zitadel/about/
5. AlternativeTo — AuthKit listing (3,213 GitHub stars, MIT, WorkOS-backed). https://alternativeto.net/software/authkit/about/

Primary sources:

• GitHub repository and README: https://github.com/sebadob/rauthy (1,068 stars, Apache-2.0, independent security audit report linked in README)
• Official documentation: https://sebadob.github.io/rauthy
• Security audit report (Radically Open Security / NGI Zero Core): https://raw.githubusercontent.com/sebadob/rauthy/refs/heads/main/assets/security_audit_report_v0.32.pdf