authentik
The modern identity provider - OIDC, SAML, LDAP, and visual login flows - now Redis-free on a managed Postgres.
One-click deploy, from $25/mo on a Miget plan.
authentik is what teams pick when Keycloak feels like a JVM-shaped commitment: the same core job (OIDC, SAML, LDAP, SCIM, MFA, SSO across your apps) with a visual flow designer - login journeys, conditional access, and enrollment built by composing stages in a UI instead of writing SPIs.
The 2025.10 release made it dramatically easier to operate: Redis is gone entirely, with tasks, cache, and sessions all on Postgres. That makes this template a clean pair - server and worker from one image - on the managed Postgres, auto-wired with sslmode=require.
Bootstrap is headless (admin password and email in env, applied on first start) and the per-MAU math is the usual story: Auth0 wants $70/month at one thousand users; authentik does not count.
Upstream project: authentik
#what you get
- OIDC, OAuth2, SAML, LDAP, SCIM, and proxy/forward auth
- Visual flow designer: MFA, conditional access, enrollment, recovery
- No Redis since 2025.10 - Postgres carries everything
- Headless admin bootstrap via env
- MIT core; enterprise features license-gated, off by default
- Server + worker on managed Postgres, auto-wired
#topology
| Service | Role | Public |
|---|---|---|
| server | authentik UI + APIs + flows (:5000) | yes |
| worker | background tasks | no |
| db | Postgres - managed service on Miget, container locally | no |
#miget sizing
// this stack needs
2.8 GiB RAM · 6 GB disk · 3 services
1 GiB server + 768 MiB worker matches upstream’s 2 GB stack guidance. Media and custom templates ride small shared volumes.
Hobby - recommended fit
$25/mo
2 vCPU · 4 GiB · 80 GiB disk
Headroom for your own apps: 8 GiB at $49/mo
Professional - production
$43/mo
2 vCPU · 4 GiB · 25 GiB disk
Dedicated resources, production SLOs - plan details
One Miget plan is a fixed pool of compute - the whole stack (managed databases included) deploys inside it, and anything left over runs your other apps. No per-service or per-seat math.
#vs. the managed service
What the hosted equivalents charge, against the flat Miget plan this stack fits on. Prices as of June 2026, sources linked.
| Service | Plan | Monthly | What you get |
|---|---|---|---|
| authentik on Miget ★ | 4 GiB plan | $25 | this whole stack, flat - no usage meters, and room left for your own apps |
| Auth0 | Essentials (B2C) | ~$70 | at 1,000 MAU; Professional $240+/mo - the free tier now covers 25k MAU but the paid cliff is steep |
| Okta | Starter Suite | ~$60 | $6/user/mo at 10 users, with a $1,500 annual contract minimum |
Identity SaaS counts users; authentik does not - users are rows in your managed Postgres.
#vs. other PaaS
Estimated monthly cost of running this exact stack (2.8 GiB RAM, 6 GB disk, 3 containers) elsewhere, from published June 2026 rates.
| Platform | Est. monthly | Notes |
|---|---|---|
| Miget ★ | $25 flat | compose stacks first-class: one deploy, dedicated vCPU, managed Postgres/Valkey, volumes and TLS all included in the plan |
| Heroku | ~$138 | no volumes; nothing between 1 GB ($50) and 2.5 GB ($250) dynos - 2 GB containers cost far more than shown |
| DO App Platform | ~$38 | no persistent volumes - stateful containers need managed DBs/Spaces (base $5 Spaces included here) |
| Render | ~$36 | per-service instances (0.5 GB $7, 2 GB $25) - every container is its own paid service |
| Railway | ~$28 | usage-based ($10/GB RAM-mo); vCPU billed separately at $20/vCPU-mo on top |
| Fly.io | ~$17 | cheapest sticker price - but burstable shared CPUs (1/16 core; dedicated vCPUs cost ~2-3×), no compose deploys (one app per container, manual wiring), managed DBs billed extra |
Estimates assume RAM fully allocated at published on-demand rates - and sticker price isn't the whole comparison: the cheaper rows buy burstable shared CPUs, per-service wiring instead of a compose deploy, and managed databases billed separately. Heroku and DO App Platform have no persistent volumes at all - stateful stacks like this one need workarounds there.
#deploy it
On Miget
- Create a Compose Stack in app.miget.com pointing at the templates repository
- Set the stack path to
authentik -
Set the required variables:
AUTHENTIK_SECRET_KEY, openssl rand -base64 60AUTHENTIK_BOOTSTRAP_PASSWORD / AUTHENTIK_BOOTSTRAP_EMAIL, akadmin login, applied on first start
- Deploy. Miget layers
compose.miget.yaml(RAM, privacy, volumes, managed services) automatically
Locally first?
Every template is portable, vanilla Docker Compose - the Miget overrides are ignored locally:
git clone https://github.com/deployable-sh/stacks
cd miget-compose-templates/authentik
docker compose up -dSame files, same behavior. The template README covers connection strings and scaling notes.
#faq
authentik or Keycloak - this catalogue has both?
Deliberately. Keycloak is the two-decade enterprise standard (deep SAML/federation edge cases, Red Hat lineage); authentik is the modern operator’s choice - visual flows, lighter footprint, faster iteration. Same flat-price economics either way; pick by taste and protocol needs.
How does it compare to Auth0 pricing?
Auth0’s free tier is generous now (25k MAU), but the paid cliff is steep: Essentials is $70/month at 1,000 MAU and Professional $240+. authentik on this $25/month stack has no MAU concept at all - users are rows in your Postgres.
Really no Redis?
Really - upstream removed it across 2025.8-2025.10 (tasks, then cache and sessions, all to Postgres). The trade is more Postgres connections, which the managed instance absorbs. Older tutorials showing Redis services are simply outdated.
Can it protect apps that have no auth of their own?
Yes - proxy/forward-auth outposts can sit in front of plain apps. On this platform the embedded outpost in the server covers the common cases; register the app, route through authentik, done.
Ship authentik today
One compose stack, 2.8 GiB of RAM, from $25/month flat, and it runs on your laptop with the same files.