Keycloak and Authentik are the two most popular open-source identity platforms for self-hosted deployments. Keycloak brings enterprise maturity with 25,000+ GitHub stars and CNCF backing. Authentik brings modern developer experience with 20,000+ stars and rapid community growth. This comparison covers architecture, features, deployment, and when each is the right choice.

At a Glance

KeycloakAuthentik
LanguageJava (Quarkus)Python (Django) + Go outposts
LicenseApache 2.0MIT (core) + Enterprise License
DatabasePostgreSQL, MySQL, Oracle, MSSQLPostgreSQL only
GitHub Stars~25,000~20,200
First Release20142020 (originally “Supervisr”, 2018)
BackingRed Hat / IBM, CNCF IncubatingAuthentik Security (Open Core Ventures)
Multi-tenancyRealms (production-ready)Brands (cosmetic) + Tenants (alpha)
FAPI CertifiedYes (1.0 Advanced, all 8 profiles)No
Min Resources2 CPU / 2 GB RAM2 CPU / 2 GB RAM
Latest Version26.x2025.12.4

Architecture

Keycloak

Keycloak runs on the Quarkus framework (Java). A single binary handles all protocol endpoints (OIDC, SAML, LDAP), admin console, and account console. It stores sessions and configuration in an embedded Infinispan cache with database persistence.

OEIPDCKe(PMySoycIesSlnstQoSEfsgLaAPiirkMnoe/LinSSsQeepCLtraacvnc/eChrAoedn)msionle

Key architectural traits:

  • JVM-based: Higher memory baseline (~512 MB minimum), but excellent throughput under load with JIT optimization
  • Infinispan clustering: Built-in distributed cache for multi-node HA without external dependencies
  • Multiple database support: PostgreSQL, MySQL, Oracle, MSSQL, MariaDB
  • SPI extension model: Custom authenticators, protocol mappers, event listeners deployed as JARs

Authentik

Authentik uses a Django backend (Python) with Go microservices for proxy and protocol outposts. A lightweight Go router sits in front of Gunicorn, handling reverse proxying and static files. Background tasks run via Celery.

G(opsrtRoaoxtuyi(tcCe+)erleAAruuytthhbPeD(eaonjAfncsotaPltktninIoigglkg,wkrryosoeS)WuSDeonQBrrdL)vkeetrraskEO(smup)btrepodoxdsyet)d

Key architectural traits:

  • Python/Django: Lower barrier for custom logic (Expression Policies are inline Python), but slower per-request throughput than Java or Go
  • Redis eliminated: As of version 2025.10, only PostgreSQL is required — significant operational simplification
  • Outpost architecture: Separate Go binaries for LDAP, RADIUS, and proxy functionality, deployable independently
  • Two containers minimum: Server (API + flows) and Worker (background tasks)

Architecture Verdict

Keycloak’s JVM architecture handles higher concurrent loads with better per-request performance. Authentik’s Python/Go hybrid offers simpler operations (single database, no cache layer) and easier extensibility through inline Python. For high-throughput enterprise deployments, Keycloak has the edge. For simplicity-first self-hosted setups, Authentik wins.

Feature Comparison

Authentication Protocols

ProtocolKeycloakAuthentik
OAuth 2.0 / OIDCYes (OpenID Certified)Yes
SAML 2.0YesYes
LDAP (consume)Yes (User Federation)Yes (Source)
LDAP (provide)No (use external LDAP)Yes (Outpost)
RADIUSNoYes (Outpost)
SCIM 2.0Via extension (keycloak-scim)Yes (provider + source)
Kerberos / SPNEGOYesYes
WS-FederationNo (removed in Quarkus migration)Yes (added 2026.2)
Proxy AuthenticationNo (need external proxy)Yes (built-in Outpost)

Authentik’s built-in LDAP provider outpost is a standout feature — it can expose Authentik as an LDAP server, enabling legacy applications that only understand LDAP to authenticate against Authentik without any application changes. Keycloak consumes LDAP but does not expose itself as one.

Similarly, the proxy outpost provides identity-aware reverse proxying for applications with zero native SSO support. Keycloak requires an external tool (like OAuth2 Proxy) for this use case.

MFA and Passwordless

MethodKeycloakAuthentik
TOTPYesYes
WebAuthn / FIDO2YesYes
Passkeys (Conditional UI)PartialYes (2025.12+)
Duo PushVia extensionYes (built-in)
SMS OTPVia extensionYes (built-in)
Recovery CodesYesYes

Authentik has native Passkey Autofill (WebAuthn Conditional UI) since version 2025.12 and built-in Duo integration. Keycloak supports WebAuthn but requires extensions for SMS and Duo.

Authorization

CapabilityKeycloakAuthentik
RBACYesYes
Fine-grained Authorization ServicesYes (UMA 2.0, policies)No
Resource-based PermissionsYesNo
User Managed Access (UMA)YesNo
Client PoliciesYesNo

This is Keycloak’s biggest advantage. Keycloak Authorization Services provide policy-based, resource-level access control that applications can query at runtime. Authentik’s RBAC controls access to Authentik objects and applications but does not provide an authorization engine for downstream application resources.

Multi-tenancy

AspectKeycloakAuthentik
Isolation ModelRealms (full isolation)Brands (cosmetic) / Tenants (alpha)
Production ReadyYesBrands only
Per-tenant UsersYesNot with Brands (shared)
Per-tenant BrandingYesYes (Brands)

Keycloak Realms are production-proven with complete data isolation between tenants. Authentik Brands only change visual appearance — users, applications, and providers remain global. True multi-tenancy (Tenants feature) has been in alpha since 2024.2 and is not recommended for production.

Extensibility

ApproachKeycloakAuthentik
Custom LogicJava SPIs (JAR deployment)Python Expression Policies (inline)
Configuration as CodeKeycloak Config CLI, TerraformBlueprints (YAML), Terraform
Theme CustomizationFreeMarker templatesBuilt-in theme settings
Event SystemEvent Listener SPIEvent-matching Policies

Authentik’s Expression Policies let you write arbitrary Python code directly in the admin UI — no compilation, no JAR packaging, no restart. This is dramatically simpler than Keycloak’s SPI model, which requires Java development, Maven builds, and server restarts.

However, Keycloak’s SPI system reaches deeper into the protocol stack — you can customize token mappers, storage providers, and authentication mechanisms at a level that Expression Policies cannot match.

Unique Authentik Features

Features that Keycloak does not have natively:

  • Remote Access Control (RAC): Built-in web-based RDP/SSH/VNC to remote machines (open source since 2025.2)
  • LDAP Provider Outpost: Expose Authentik as an LDAP server for legacy app integration
  • RADIUS Outpost: Built-in RADIUS server for network device authentication
  • Proxy Outpost: Identity-aware reverse proxy without external tools
  • Inline Python Policies: Write custom auth logic in the admin UI without compilation

Deployment

Keycloak Docker Compose

services:
  keycloak:
    image: quay.io/keycloak/keycloak:26.1
    command: start --db=postgres
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: keycloak
      KC_HOSTNAME: auth.example.com
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
    ports:
      - "8080:8080"
    depends_on:
      - postgres

  postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: keycloak
    volumes:
      - pgdata:/var/lib/postgresql/data

volumes:
  pgdata:

Authentik Docker Compose

services:
  server:
    image: ghcr.io/goauthentik/server:2025.12
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: your-secret-key-here
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      - postgres

  worker:
    image: ghcr.io/goauthentik/server:2025.12
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: your-secret-key-here
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
    depends_on:
      - postgres

  postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_DB: authentik
      POSTGRES_USER: authentik
      POSTGRES_PASSWORD: authentik
    volumes:
      - pgdata:/var/lib/postgresql/data

volumes:
  pgdata:

Since version 2025.10, Authentik no longer requires Redis — a significant simplification. Keycloak has never required Redis but uses embedded Infinispan which can add complexity in clustered deployments.

Kubernetes

Both offer official Helm charts. Keycloak’s Kubernetes Operator is more mature and provides CRD-based realm management. Authentik’s Helm chart handles server + worker deployments with optional outpost containers.

Resource Comparison

ResourceKeycloakAuthentik
Minimum RAM~512 MB (JVM)~500 MB
Recommended Production2+ GB2+ GB
Containers1 (monolith)2 (server + worker)
External DependenciesDatabase onlyDatabase only (since 2025.10)

Licensing

AspectKeycloakAuthentik
Core LicenseApache 2.0MIT
CopyleftNoNo
Enterprise FeaturesAll features freeEnterprise license ($5/user/month)
Commercial SupportRed Hat (~$1,000/year/server)Authentik Security (starts at $1,000/year)
Enterprise-only FeaturesNoneGoogle Workspace connector, mTLS, FIPS, endpoint management

Both licenses are permissive — you can use, modify, and distribute without restriction. The key difference is that all Keycloak features are free, while Authentik gates some enterprise features behind a paid license. That said, Authentik’s open-source core covers the vast majority of use cases.

Community and Ecosystem

MetricKeycloakAuthentik
GitHub Stars~25,000~20,200
Contributors1,000+506
Project Age12 years (2014)6 years (2020, rebrand from Supervisr)
GovernanceCNCF Incubating, Red Hat stewardshipOpen Core Ventures backed
Extension EcosystemLarge (SPIs, themes, adapters)Growing (Blueprints, Terraform)
Community ChannelsDiscourse, GitHub, Mailing listDiscord, GitHub Discussions

Keycloak’s ecosystem is significantly larger — more third-party themes, SPIs, blog posts, Stack Overflow answers, and integration guides. Authentik’s community is growing rapidly, especially in the self-hosting and homelab spaces.

When to Choose Keycloak

  • Enterprise protocol compliance: FAPI certification, UMA 2.0, OpenID Foundation certified
  • Fine-grained authorization: Applications need resource-level permission checks via Authorization Services
  • Multi-tenant isolation: Production-ready Realms with complete data separation
  • Large-scale deployments: JVM handles high-concurrency workloads efficiently with Infinispan clustering
  • SAML-heavy environments: Deeper SAML support with extensive configuration options
  • Java/Spring ecosystem: Native integration with Spring Security, Quarkus OIDC
  • Existing Red Hat investment: Red Hat build of Keycloak with enterprise support and SLAs

When to Choose Authentik

  • Self-hosted / homelab: Simpler setup, intuitive UI, lower operational burden
  • Legacy app SSO: Proxy outpost adds SSO to applications with zero code changes
  • LDAP/RADIUS provider: Need to expose your IdP as an LDAP or RADIUS server for legacy infrastructure
  • Python-centric teams: Expression Policies allow inline Python customization without Java
  • SMB / small teams: Faster time-to-value with visual flow designer and sensible defaults
  • Network device auth: Built-in RADIUS outpost for switches, APs, and VPN concentrators
  • Remote access: RAC feature provides web-based RDP/SSH/VNC access through the IdP

Migration Considerations

Keycloak to Authentik

There is no official migration tool. The general approach:

  1. Export users from Keycloak via realm export (JSON)
  2. Write import script using the Authentik API to create users, groups, and group memberships
  3. Password hashes: Keycloak bcrypt/PBKDF2 hashes may not be directly compatible — plan for password reset or gradual migration using the Authentik password source
  4. Reconfigure clients: OIDC and SAML client configurations must be manually recreated
  5. Rebuild flows: Keycloak authentication flows map conceptually to Authentik flows/stages but require manual recreation

Authentik to Keycloak

Similarly, no official tool exists. The Authentik API can export user data, which you can transform for Keycloak’s realm import format. The same password hash compatibility challenges apply in reverse.

Conclusion

Keycloak and Authentik serve overlapping but distinct audiences. Keycloak is the enterprise standard — battle-tested, CNCF-backed, with deep protocol compliance and authorization services that no other open-source platform matches. Authentik is the modern challenger — developer-friendly, operationally simple, with unique features like proxy outposts and inline Python extensibility.

If you need FAPI compliance, UMA authorization, or production multi-tenancy, Keycloak is the clear choice. If you need a self-hosted IdP with minimal operational overhead and built-in proxy/LDAP/RADIUS capabilities, Authentik delivers.

For a broader comparison of open-source IAM platforms, see our Top 10 Open Source IAM Solutions in 2026 or the IAM Tools Comparison pillar page. For other head-to-head comparisons, see Keycloak vs Zitadel and Auth0 vs Keycloak.