Authelia vs Authentik

Authelia is the lightweight choice: a config-file companion to your reverse proxy that adds login and two-factor in front of your apps with a tiny footprint. Authentik is a full identity provider with a web UI, SAML, OIDC, and LDAP, closer to a self-hosted Keycloak. If you want to protect a handful of apps behind a proxy with minimal resources, use Authelia. If you need a real IdP that many apps authenticate against with a proper admin interface, use Authentik.

Updated 2026-06-04

Side by side

| | Authelia | Authentik |
|---|---|---|
| Model | Forward-auth companion to a proxy | Full identity provider (IdP) |
| Configuration | YAML files (config as code) | Web UI plus database |
| Protocols | Forward auth, OpenID Connect | OIDC, SAML, LDAP, proxy/forward auth |
| Footprint | Very light, single service | Heavier: server, worker, Postgres, Redis |
| User management | File or LDAP backend | Built-in UI, flows, policies |
| Admin UI | Minimal (login portal only) | Full admin web interface |
| Best for | Protecting apps behind a reverse proxy | Central SSO across many apps |
| Learning curve | Lower | Higher, more concepts |

Two different answers to the same problem

Both solve single sign-on for self-hosted apps, but they sit at different points on the scale. Authelia is designed to ride alongside a reverse proxy. The proxy intercepts a request, asks Authelia whether the user is allowed, and Authelia returns yes or no after handling login and any second factor. This forward-auth pattern is simple and adds a login wall in front of apps that have no auth of their own.
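The forward-auth exchange described above, modeled as an added Python example (not Authelia's or any proxy's own code). The rule list, policy names, session store and the Remote-User / Remote-Groups header names are assumptions made for the illustration.

```python
from fnmatch import fnmatch

# Constructed policy for this example: first matching rule wins.
RULES = [("public.example.com", "bypass"), ("*.example.com", "two_factor")]
DEFAULT_POLICY = "deny"  # hosts with no rule are refused
LEVEL = {"one_factor": 1, "two_factor": 2}
IDENTITY_HEADERS = ("remote-user", "remote-groups")  # assumed header names
# Constructed session store: cookie value -> authenticated session.
SESSIONS = {
    "sid=abc": {"user": "alice", "level": 2},  # password + second factor
    "sid=low": {"user": "bob", "level": 1},    # password only
}

def auth_decide(host, session):
    """Auth-service side: answer the proxy's subrequest with (status, headers)."""
    policy = next((p for pat, p in RULES if fnmatch(host, pat)), DEFAULT_POLICY)
    if policy == "deny":
        return 403, {}
    if policy == "bypass":
        return 200, {}
    # No session, or a session below the required factor level: the proxy
    # turns 401 into a redirect to the login portal.
    if session is None or session["level"] < LEVEL[policy]:
        return 401, {}
    return 200, {"Remote-User": session["user"]}

def proxy_handle(host, headers, sessions=SESSIONS):
    """Proxy side: ask the auth service first, forward upstream only on 200."""
    # Drop identity headers sent by the client so they cannot be spoofed.
    clean = {k: v for k, v in headers.items()
             if k.lower() not in IDENTITY_HEADERS}
    status, identity = auth_decide(host, sessions.get(clean.get("Cookie")))
    if status != 200:
        return status, None           # request never reaches the app
    clean.update(identity)            # identity comes only from the auth service
    return 200, clean                 # headers the upstream app receives

if __name__ == "__main__":
    spoof = {"Cookie": "sid=abc", "Remote-User": "admin"}
    print(proxy_handle("wiki.example.com", spoof))
    print(proxy_handle("wiki.example.com", {"Cookie": "sid=low"}))
    print(proxy_handle("unlisted.test", {"Cookie": "sid=abc"}))
```

Because the app behind the proxy trusts the identity header it receives, this pattern only holds if the app is reachable solely through the proxy.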

Authentik is a full identity provider. Apps delegate authentication to it over standard protocols, and Authentik owns the users, the login flows, the multi-factor policies, and the admin experience. It can do forward auth too, but its reason to exist is being the central identity system that everything else trusts, the way an enterprise would run Keycloak or Okta.

Authelia: light, file-driven, proxy-bound

Authelia's appeal is its small footprint and config-as-code model. You define users, access rules, and two-factor policy in YAML, commit it to your repo, and run a single lightweight service. It pairs naturally with Traefik, Nginx, or Caddy, and the documentation centers on those integrations. For a homelab that wants to put a login and TOTP in front of a few internal tools, it is hard to beat on simplicity and resource use.

The tradeoffs follow from that design. There is no rich admin UI; you edit files. User management through flat files is fine for a handful of accounts but does not scale to many users without an LDAP backend. And while Authelia provides an OpenID Connect provider, its center of gravity is forward auth in front of a proxy, not being a full protocol hub for dozens of apps.

Authentik: a real identity provider

Authentik gives you the full identity stack with a polished web interface. It speaks OIDC and SAML so apps can integrate the standard way, offers an LDAP outpost for legacy software, and has a flexible flow engine for building custom login, enrollment, and recovery sequences. If you want users to log in once and reach many apps, manage accounts from a dashboard, and apply MFA policies centrally, this is the tool.

That power costs resources and concepts. A typical Authentik deployment runs the server, a worker, PostgreSQL, and Redis, so it is several containers rather than one small binary. The flow-and-policy model is flexible but takes time to learn. For protecting two or three apps it is overkill; for being the front door to your whole self-hosted estate it is exactly right.

Resource footprint and where it runs

On a small box this difference is real. Authelia runs comfortably alongside everything else and barely registers. Authentik's multi-container stack, with a database and Redis, wants more memory and is more to keep updated and backed up. If you are running on a single mini PC already crowded with services, that weight matters.

Backups differ accordingly. Authelia's state is mostly its YAML plus a small database for sessions and a user file, which is trivial to back up and version. Authentik holds its configuration and users in PostgreSQL, so protecting it means backing up that database properly, the same care you would give any stateful service.

How to choose

Choose Authelia if your goal is to put authentication and two-factor in front of apps that sit behind a reverse proxy, you like config in files, and you want the smallest possible footprint. It is the pragmatic homelab default for proxy-level protection.

Choose Authentik if you want a central identity provider that many apps authenticate against using OIDC or SAML, you need an admin UI and richer user management, or you require LDAP for older software. It is the better long-term home if SSO across a growing set of services is the actual goal, and you can spare the resources to run it well.

Where Authelia wins

  • Tiny footprint: a single service that rides alongside your reverse proxy.
  • Config as code in YAML, easy to version and reproduce.
  • Fast to stand up for forward auth plus two-factor.

Where Authentik wins

  • Full identity provider with OIDC, SAML, and LDAP.
  • Polished admin UI, flexible login flows, and central MFA policy.
  • Scales to being the single front door for many apps and users.

Which to pick, by situation

| Your situation | Pick | Why |
|---|---|---|
| Login wall in front of a few internal tools | Authelia | Forward auth plus TOTP with a single light service. |
| Central SSO across many apps | Authentik | A real IdP with OIDC and SAML is what apps integrate against. |
| Config-as-code, minimal resources | Authelia | YAML files and a tiny footprint suit a crowded mini PC. |
| Need LDAP for legacy software | Authentik | Its LDAP outpost serves apps that only speak LDAP. |
| Want an admin UI and user self-service | Authentik | Built-in flows and a dashboard beat editing files. |

The verdict

Pick Authelia to add login and two-factor in front of apps behind your reverse proxy with the smallest footprint and config kept in files. Pick Authentik when you want a genuine identity provider that many apps trust over OIDC, SAML, or LDAP, with an admin UI and central policy, and you can run its heavier stack. Start with Authelia for proxy-level protection; reach for Authentik when central SSO across your whole setup is the real goal.

Choose Authelia if you want lightweight forward auth and two-factor in front of a reverse proxy, with config as code.

Choose Authentik if you need a full identity provider with OIDC, SAML, LDAP, and a real admin UI for SSO across many apps.

FAQ

What is the difference between Authelia and Authentik?

Authelia is a lightweight forward-auth companion to a reverse proxy that adds login and two-factor in front of apps. Authentik is a full identity provider with a web UI that apps authenticate against over OIDC, SAML, or LDAP. Authelia is simpler and lighter; Authentik is more capable and heavier.

Which is lighter on resources?

Authelia, by a wide margin. It runs as a single small service. Authentik typically needs a server, a worker, PostgreSQL, and Redis, so it uses more memory and is more to maintain.

Do I need a reverse proxy for either?

Authelia is built around one; it works through your proxy's forward-auth feature, so yes. Authentik can use forward auth too but more often integrates with apps directly over OIDC or SAML, so a proxy is optional depending on the app.

Can Authelia do single sign-on across apps?

It includes an OpenID Connect provider, so apps that support OIDC can use it for SSO. But its main strength is forward auth in front of a proxy. For broad SSO across many apps with SAML and LDAP, Authentik is the more complete option.

Is Authentik like Keycloak?

In role, yes: both are full self-hosted identity providers supporting OIDC and SAML. Authentik has a more modern UI and a flexible flow engine, and many homelabbers find it friendlier than Keycloak while covering the same job.

Which should a beginner pick?

If you just want to protect a few apps behind your proxy, start with Authelia; it has fewer moving parts. If you know you want central SSO for many services, learning Authentik up front saves a migration later.

Can I migrate from Authelia to Authentik later?

Yes, though it means standing up Authentik, recreating users and policies, and reconfiguring each app to authenticate against it. There is no automatic import, so plan it as a deliberate project rather than a quick switch.
