17 open source alternatives
100% OSI-approved licenses
Updated June 2026
Auth0 lets you skip building authentication from scratch. Drop in their SDK and you get login, social sign-in, SSO, MFA, and API authorization that mostly just work, which is a real gift when auth is a means to an end rather than your product. The problem is the meter. Pricing scales with monthly active users, so a feature every app needs gets steadily more expensive precisely as you succeed, and your entire user directory lives in a tenant you don't operate.
The open source identity servers below speak the same OAuth, OIDC, and SAML your apps already expect, so swapping them in is mostly reconfiguration. Self-host them and the cost stops tracking your user count, while credentials and profiles stay inside your own network.
Vault is a tool for securely accessing secrets such as API keys, passwords, and certificates. It provides a unified interface to secrets, tight access control, detailed audit logs, and encryption as a service for data you need to protect.
Store arbitrary key/value secrets, encrypted before persistence
Generate dynamic secrets for systems like AWS and SQL databases
Keycloak is open source identity and access management for modern applications and services. It helps add authentication with minimal effort and avoids the need to store or authenticate users in each application. It is built for securing services while centralizing identity handling.
Authelia is an open-source authentication and authorization server for single sign-on and two-factor authentication. It provides a web portal for applications and sits in front of them to allow, deny, or redirect requests.
Infisical is an open-source platform for centralizing application configuration and secrets such as API keys and database credentials. Teams use it to sync secrets across projects, environments, infrastructure, and CI/CD workflows while preventing secrets from leaking to git.
Centralized secrets across projects and environments
Secret syncs for GitHub, Vercel, AWS, Terraform, and Ansible
Secret versioning, point-in-time recovery, rotation, and dynamic secrets
Internal PKI, external CA integrations, and certificate lifecycle management
authentik is an open-source Identity Provider for modern SSO. It is designed for self-hosting and can fit small labs or large production clusters. It provides a single place to handle authentication and authorization instead of relying on a hosted IdP.
SAML, OAuth2/OIDC, LDAP, and RADIUS support
Application Proxy adds forward-auth SSO to apps
Customizable login, enrollment, and recovery flows
Multi-factor authentication with WebAuthn and TOTP
Teleport is an infrastructure access platform for connectivity, authentication, access controls, and audit. It provides one identity and access layer for cloud and on-prem infrastructure, covering human users and workloads. It protects SSH servers, Kubernetes clusters, databases, Windows desktops, web apps, cloud APIs, Git repositories, and MCP servers without long-lived keys or passwords.
SSO for cloud and on-prem infrastructure
Short-lived certificate auth without shared SSH keys
Access to SSH, Kubernetes, databases, RDP, web apps, and cloud APIs
Tunnels to resources behind NATs and firewalls without VPNs
Ory Hydra is an OpenID Certified OAuth 2.0 server and OpenID Connect provider. It handles OAuth2 and OpenID Connect flows, token issuance and validation, client management, login and consent orchestration, and JWKS management for SSO, API access, and machine-to-machine authorization.
OAuth 2.0 and OpenID Connect flows
Token issuance, validation, revocation, and introspection
Client management and dynamic client registration
Login and consent flow orchestration with existing identity providers
SuperTokens is an open-core authentication provider for adding login and session management to applications. It is positioned as an alternative to proprietary login providers like Auth0 and AWS Cognito, with on-premises deployment so user data stays in your own database.
Passwordless, social, email password, and phone password login
Session management with signout and session refresh APIs
Multi-factor authentication, user roles, and microservice auth
Multi-tenancy and organization support for Enterprise SSO
ZITADEL is an open-source identity and access management platform for teams that need more than basic authentication. It covers SSO, MFA, passkeys, OIDC, SAML, and SCIM for SaaS products, B2B platforms, and self-hosted IAM stacks, and its API-first model avoids vendor lock-in.
SSO, MFA, passkeys, OIDC, SAML, and SCIM
Strict multi-tenancy with identity system, orgs, and projects
API access via connectRPC, gRPC, and HTTP/JSON
Immutable event stream with API-accessible audit trail
Casdoor is an open-source identity and access management server with a web UI for managing users, organizations, applications, and identity providers. It covers authentication and single sign-on for teams that need one place to handle access across apps and services.
OAuth 2.0, OIDC, SAML, CAS, LDAP, and SCIM support
Ory Kratos is an API-first identity and user management system for cloud native applications. It centralizes login, registration, recovery, verification, and profile management so those flows live outside your application code.
Headless APIs for login, registration, recovery, and verification
Logto is open-source authentication and authorization infrastructure for SaaS and AI apps. It helps teams build production auth without handling OIDC and OAuth 2.1 details from scratch, while adding multi-tenancy, enterprise SSO, and RBAC for customer-facing products.
Dex is an identity service that uses OpenID Connect to authenticate users for other apps. It sits in front of upstream identity providers and lets client apps talk to one OIDC endpoint instead of handling LDAP, SAML, GitHub, Google, or Active Directory directly.
OpenID Connect identity provider with OAuth2 ID tokens
Connectors for LDAP, SAML, GitHub, Google, and Active Directory
Signed JWT claims for user identity and group membership
Hanko is an open source authentication and user management system for apps that need modern sign-in without giving up control of the backend. It is framework-agnostic, privacy-first, and built around data minimization and phishing resistance. You can run it yourself or use Hanko Cloud, with the option to move between self-hosted and managed deployment.
Passwords, MFA, passkeys, social logins, and SAML SSO
Hanko Elements web components for login and profile flows
API handles onboarding states, users, sessions, and JWT issuing
Medplum is a developer platform for building healthcare apps. It bundles identity, clinical data storage, a FHIR API, a web app, server-side logic, SDKs, and React components for teams shipping clinical software.
Conjur provides secrets management and application identity for modern infrastructure. It is built to secure non-human access by managing identities, storing secrets, and controlling access with a policy model for humans and machines.
MAML policy language for roles, privileges, and metadata
REST web service for identity lifecycle and access control
Janssen Project is an open source identity and access management stack for enterprise digital identity infrastructure. It combines Auth Server, Agama low-code identity orchestration, and the Cedarling policy decision point under one control plane, so teams can run IAM components together instead of stitching separate systems.
Auth Server for OAuth and OpenID Connect
Agama low-code identity orchestration
Cedarling policy decision point
Janssen Server bundles components under one control plane