17 Best Open Source Alternatives to Auth0

Updated July 2026

Auth0 lets you skip building authentication from scratch. Drop in their SDK and you get login, social sign-in, SSO, MFA, and API authorization that mostly just work, which is a real gift when auth is a means to an end rather than your product. The problem is the meter. Pricing scales with monthly active users, so a feature every app needs gets steadily more expensive precisely as you succeed, and your entire user directory lives in a tenant you don't operate.

The open source identity servers below speak the same OAuth, OIDC, and SAML your apps already expect, so swapping them in is mostly reconfiguration. Self-host them and the cost stops tracking your user count, while credentials and profiles stay inside your own network.

HashiCorp Vault logo

1.HashiCorp Vault

35.8kOtherGo Self-host
HashiCorp Vault screenshot

Vault is a tool for securely accessing secrets such as API keys, passwords, and certificates. It provides a unified interface to secrets, tight access control, detailed audit logs, and encryption as a service for data you need to protect.

  • Store arbitrary key value secrets with encryption before persistence
  • Generate dynamic secrets for systems like AWS and SQL databases
  • Lease, renew, and revoke secrets automatically
  • Encrypt and decrypt data without storing it
Keycloak logo

2.Keycloak

34.9kApache-2.0Java Self-host
Keycloak screenshot

Keycloak is open source identity and access management for modern applications and services. It helps add authentication with minimal effort and avoids the need to store or authenticate users in each application. It is built for securing services while centralizing identity handling.

  • User federation for centralized identity
  • Strong authentication and user management
  • Fine grained authorization
  • OIDC and SAML support
Authelia logo

3.Authelia

28.1kApache-2.0Go Self-host
Authelia screenshot

Authelia is an open-source authentication and authorization server for single sign-on and two-factor authentication. It provides a web portal for applications and sits in front of them to allow, deny, or redirect requests.

  • OpenID Connect 1.0 and OAuth 2.0
  • Security keys with FIDO2 WebAuthn
  • TOTP and Duo push notifications
  • Passkeys via WebAuthn
Infisical logo

4.Infisical

27.4kOtherTypeScript Self-host
Infisical screenshot

Infisical is an open-source platform for centralizing application configuration and secrets such as API keys and database credentials. Teams use it to sync secrets across projects, environments, infrastructure, and CI/CD workflows while preventing secrets from leaking to git.

  • Centralized secrets across projects and environments
  • Secret syncs for GitHub, Vercel, AWS, Terraform, and Ansible
  • Secret versioning, point-in-time recovery, rotation, and dynamic secrets
  • Internal PKI, external CA integrations, and certificate lifecycle management
authentik logo

5.authentik

22kOtherPython Self-host
authentik screenshot

authentik is an open-source Identity Provider for modern SSO. It is designed for self-hosting and can fit small labs or large production clusters. It provides a single place to handle authentication and authorization instead of relying on a hosted IdP.

  • SAML, OAuth2/OIDC, LDAP, and RADIUS support
  • Application Proxy adds forward-auth SSO to apps
  • Customizable login, enrollment, and recovery flows
  • Multi-factor authentication with WebAuthn and TOTP
Teleport logo

6.Teleport

20.5kAGPL-3.0Go Self-host
Teleport screenshot

Teleport is an infrastructure access platform for connectivity, authentication, access controls, and audit. It provides one identity and access layer for cloud and on-prem infrastructure, covering human users and workloads. It protects SSH servers, Kubernetes clusters, databases, Windows desktops, web apps, cloud APIs, Git repositories, and MCP servers without long-lived keys or passwords.

  • SSO for cloud and on-prem infrastructure
  • Short-lived certificate auth without shared SSH keys
  • Access to SSH, Kubernetes, databases, RDP, web apps, and cloud APIs
  • Tunnels to resources behind NATs and firewalls without VPNs
Ory Hydra logo

7.Ory Hydra

17.2kApache-2.0Go Self-host
Ory Hydra screenshot

Ory Hydra is an OpenID Certified OAuth 2.0 server and OpenID Connect provider. It handles OAuth2 and OpenID Connect flows, token issuance and validation, client management, login and consent orchestration, and JWKS management for SSO, API access, and machine-to-machine authorization.

  • OAuth 2.0 and OpenID Connect flows
  • Token issuance, validation, revocation, and introspection
  • Client management and dynamic client registration
  • Login and consent flow orchestration with existing identity providers
SuperTokens logo

8.SuperTokens

15.1kOtherJava Self-host
SuperTokens screenshot

SuperTokens is an open-core authentication provider for adding login and session management to applications. It is positioned as an alternative to proprietary login providers like Auth0 and AWS Cognito, with on-premises deployment so user data stays in your own database.

  • Passwordless, social, email password, and phone password login
  • Session management with signout and session refresh APIs
  • Multi-factor authentication, user roles, and microservice auth
  • Multi-tenancy and organization support for Enterprise SSO
ZITADEL logo

9.ZITADEL

14.1kAGPL-3.0Go Self-host
ZITADEL screenshot

ZITADEL is an open-source identity and access management platform for teams that need more than basic authentication. It covers SSO, MFA, passkeys, OIDC, SAML, and SCIM for SaaS products, B2B platforms, and self-hosted IAM stacks, with vendor lock-in avoided through an API-first model.

  • SSO, MFA, passkeys, OIDC, SAML, and SCIM
  • Strict multi-tenancy with identity system, orgs, and projects
  • API access via connectRPC, gRPC, and HTTP/JSON
  • Immutable event stream with API-accessible audit trail
Casdoor logo

10.Casdoor

13.8kApache-2.0Go Self-host
Casdoor screenshot

Casdoor is an open-source identity and access management server with a web UI for managing users, organizations, applications, and identity providers. It covers authentication and single sign-on for teams that need one place to handle access across apps and services.

  • OAuth 2.0, OIDC, SAML, CAS, LDAP, and SCIM support
  • WebAuthn, TOTP, MFA, and Face ID authentication
  • MCP gateway and A2A protocol support
  • User management, audit logs, and multi-tenancy
Ory Kratos logo

11.Ory Kratos

13.7kApache-2.0Go Self-host
Ory Kratos screenshot

Ory Kratos is an API-first identity and user management system for cloud native applications. It centralizes login, registration, recovery, verification, and profile management so those flows live outside your application code.

  • Headless APIs for login, registration, recovery, and verification
  • Identity schemas and traits for custom user data
  • Admin APIs for identity lifecycle management
  • Browser-based and native app flows
Logto logo

12.Logto

12.2kMPL-2.0TypeScript Self-host
Logto screenshot

Logto is open-source authentication and authorization infrastructure for SaaS and AI apps. It helps teams build production auth without handling OIDC and OAuth 2.1 details from scratch, while adding multi-tenancy, enterprise SSO, and RBAC for customer-facing products.

  • Multi-tenancy, enterprise SSO, and RBAC
  • Pre-built sign-in flows with customizable UIs
  • OIDC, OAuth 2.1, and SAML support
  • MFA, social login, and Google One Tap
Dex logo

13.Dex

10.9kApache-2.0Go Self-host
Dex screenshot

Dex is an identity service that uses OpenID Connect to authenticate users for other apps. It sits in front of upstream identity providers and lets client apps talk to one OIDC endpoint instead of handling LDAP, SAML, GitHub, Google, or Active Directory directly.

  • OpenID Connect identity provider with OAuth2 ID tokens
  • Connectors for LDAP, SAML, GitHub, Google, and Active Directory
  • Signed JWT claims for user identity and group membership
  • Kubernetes authentication using OIDC and CRDs
Hanko logo

14.Hanko

9kOtherGo Self-host
Hanko screenshot

Hanko is an open source authentication and user management system for apps that need modern sign-in without giving up control of the backend. It is framework-agnostic, privacy-first, and built around data minimization and phishing resistance. You can run it yourself or use Hanko Cloud, with the option to move between self-hosted and managed deployment.

  • Passwords, MFA, passkeys, social logins, and SAML SSO
  • Hanko Elements web components for login and profile flows
  • API handles onboarding states, users, sessions, and JWT issuing
  • Frontend SDK for custom UI integrations
Medplum logo

15.Medplum

2.4kApache-2.0TypeScript Self-host
Medplum screenshot

Medplum is a developer platform for building healthcare apps. It bundles identity, clinical data storage, a FHIR API, a web app, server-side logic, SDKs, and React components for teams shipping clinical software.

  • FHIR-based API for clinical data
  • Auth with OAuth, OpenID, and SMART-on-FHIR
  • Clinical Data Repository backend
  • Web app for viewing and editing records

16.Conjur

935OtherRuby Self-host
Conjur screenshot

Conjur provides secrets management and application identity for modern infrastructure. It is built to secure non-human access by managing identities, storing secrets, and controlling access with a policy model for humans and machines.

  • MAML policy language for roles, privileges, and metadata
  • REST web service for identity lifecycle and access control
  • Built-in and custom authenticators
  • Built-in and custom rotators
Janssen Project logo

17.Janssen Project

633Apache-2.0Java Self-host
Janssen Project screenshot

Janssen Project is an open source identity and access management stack for enterprise digital identity infrastructure. It combines Auth Server, Agama low-code identity orchestration, and the Cedarling policy decision point under one control plane, so teams can run IAM components together instead of stitching separate systems.

  • Auth Server for OAuth and OpenID Connect
  • Agama low-code identity orchestration
  • Cedarling policy decision point
  • Janssen Server bundles components under one control plane

Switching from Auth0 to open source

Start by mapping the Auth0 features you actually depend on, not the marketing category. Hosted login, custom domains, database connections, social login, enterprise SAML, MFA, machine-to-machine clients, Organizations, Rules, Actions, and Management API workflows all translate differently in open source systems. The big choice is whether you want an identity server that stays close to OAuth 2.0 and OIDC primitives, or a higher-level user management product with admin screens and policy workflows. Also decide who owns uptime for login, because identity outages take down every app at once.

Expect gaps around polish, defaults, and edge-case integrations. Auth0 hides a lot of operational detail: key rotation, email templates, brute-force protection, anomaly handling, tenant isolation, hosted login UX, and provider-specific social login quirks. Open source replacements can be strong, but you usually assemble more of the surrounding system yourself. Rules and Actions are another friction point because they often contain business logic that grew organically. Treat them as application code that needs design review, tests, and a new deployment path, not as snippets to copy over blindly.

Migration usually starts with a parallel realm or tenant in the new system, then one application moves first using OIDC discovery, issuer, client ID, client secret, callback URLs, scopes, and JWKS changes. User export from Auth0 can preserve profile fields and metadata, but password migration depends on the connection type, hash availability, and whether you choose forced reset or just-in-time migration. MFA enrollments, sessions, refresh tokens, logs, and custom rule side effects rarely move cleanly. Keep Auth0 running during cutover, verify token claims app by app, and plan a rollback path before changing production callbacks.

Related alternatives

Frequently asked questions

What is the hardest part of replacing Auth0?+

The hardest part is usually not OAuth or OIDC. It is discovering all the behavior Auth0 accumulated around your apps: Rules, Actions, custom claims, tenant settings, social providers, email flows, Management API scripts, and login page assumptions. Build an inventory first, then classify each item as standard protocol behavior, product configuration, or custom business logic that must be rewritten and tested.

How do costs change when moving from Auth0 to open source?+

License fees may drop, but identity has real operating cost. You take responsibility for hosting, upgrades, monitoring, backups, incident response, email delivery, rate limiting, and security review. The calculation should include engineering time and on-call exposure, not just subscription spend. Open source makes the cost structure more controllable, but it does not make authentication free to run.

Do I need to self-host the replacement?+

Not always. Some open source identity systems can be self-hosted, run by your platform team, or consumed through a hosted service from a vendor. The right choice depends on your risk model. Self-hosting gives you more control over data residency, network boundaries, and custom patches, but it also means your team owns login availability, database durability, upgrades, and emergency fixes.

Will Auth0 password hashes import into an open source system?+

Sometimes, but do not assume it. Auth0 user exports can include profile data and metadata, while password hash availability depends on the connection and export method. Even when hashes are available, the target system must support the same algorithm and parameters. Many teams choose forced password reset, staged migration, or just-in-time migration where the old credential is verified once before rehashing in the new system.

What happens to social login and enterprise SAML connections?+

Each provider needs to be recreated and tested. Social login depends on app registrations, callback URLs, requested scopes, and provider-specific profile fields. Enterprise SAML adds certificate handling, NameID formats, attribute mappings, signing settings, and customer-side metadata updates. Do not treat these as bulk configuration. Prioritize the highest-volume providers and coordinate enterprise customer changes well before cutover.

How much application code usually changes?+

If your apps already use standard OIDC flows, the code change can be limited to issuer, discovery URL, client credentials, callback URLs, scopes, and claim mapping. The work grows when apps depend on Auth0-specific claim names, Management API calls, logout behavior, refresh token rotation, or custom rule outputs. Test login, token renewal, logout, and authorization checks separately for every application.

How should MFA and passwordless login be handled during migration?+

Plan MFA and passwordless as their own migration stream. Enrolled factors often do not transfer cleanly, especially authenticator apps, SMS numbers, recovery codes, and WebAuthn credentials. Decide whether users must re-enroll, whether step-up policies change, and how support will verify identity during resets. For passwordless, retest email and SMS deliverability, token lifetime, replay behavior, and abuse controls.

Are Auth0 Rules and Actions portable?+

No, not directly. They are tied to Auth0's runtime, event shape, secrets model, and deployment flow. Read each one and identify its purpose: claim enrichment, access control, redirects, user normalization, logging, or external API calls. Then move that behavior into the new identity system, an application service, or a gateway. Add tests because these snippets often affect authorization in subtle ways.

How do roles, organizations, and permissions move off Auth0?+

Exporting names is easy; preserving semantics is the hard part. Auth0 roles, permissions, Organizations, app metadata, and custom claims may all participate in authorization. Decide which source becomes authoritative after migration. Then define the token claims your applications will trust and avoid carrying over stale metadata blindly. Authorization bugs often appear when old Auth0 assumptions meet a cleaner but different role model.

What security work replaces Auth0's built-in platform controls?+

You need to verify the replacement's threat model and your own deployment. Review password hashing, session storage, key rotation, token lifetimes, admin permissions, audit logs, rate limits, brute-force protection, secret handling, backup encryption, and upgrade process. If compliance matters, map required evidence early. Open source code access helps review, but production security still depends on configuration, operations, and disciplined change control.

What rollback plan should we have before cutting over?+

Keep Auth0 usable until the new system has proven real traffic. Use a pilot app first, preserve old callback URLs where possible, and avoid deleting Auth0 clients, connections, or users during the first cutover. Log issuer, subject, and claim differences. A practical rollback means you can switch DNS or app configuration back without losing newly created users, password resets, or authorization changes made during the test window.