Scripts · Apr 15, 2026 · 3 min read

Authelia — Single Sign-On & 2FA for Your Homelab

OpenID Connect certified SSO portal that your reverse proxy consults on every request, adding TOTP, WebAuthn, or passkey login to any self-hosted app without changing the app.

TL;DR
Authelia is an SSO portal that sits behind your reverse proxy: the proxy asks Authelia whether each request is authenticated and authorised, so TOTP, WebAuthn, and passkey authentication can be added to self-hosted apps that have no 2FA of their own.
§01

What it is

Authelia is a self-hosted authentication and authorization server that adds single sign-on (SSO) and two-factor authentication (2FA) to any web application behind a reverse proxy. It supports TOTP, WebAuthn (hardware keys and platform authenticators), passkeys, and Duo push notifications as second factors. Authelia is OpenID Connect certified.

Authelia targets homelab users and small teams who run self-hosted applications (Grafana, Nextcloud, Gitea) and want unified login with strong authentication without paying for enterprise identity providers.

§02

How it saves time or tokens

Authelia centralizes authentication for all your self-hosted services. Instead of configuring separate login systems for each application, users authenticate once with Authelia and get access to all authorized services. This reduces password fatigue and eliminates per-app 2FA setup.

Integration with reverse proxies (Nginx, Traefik, Caddy, HAProxy) means you add authentication to any application without modifying the application itself: the proxy checks each request with Authelia, and only passes it upstream (together with Remote-User and Remote-Groups headers identifying the user) once Authelia approves it.

§03

How to use

  1. Deploy Authelia with Docker Compose:
services:
  authelia:
    image: authelia/authelia:4
    volumes:
      - ./config:/config
    ports:
      # Only needed if the reverse proxy runs outside this compose network
      - 9091:9091
    environment:
      TZ: UTC
  2. Configure Authelia in config/configuration.yml. The storage and notifier sections are mandatory; Authelia refuses to start without them. session.domain is the legacy form, replaced by session.cookies in 4.38:
server:
  address: 'tcp://:9091'

authentication_backend:
  file:
    path: /config/users_database.yml

access_control:
  default_policy: deny
  rules:
    - domain: '*.example.com'
      policy: two_factor

session:
  # Placeholder: generate with `openssl rand -hex 64`
  secret: 'a-long-random-secret'
  cookies:
    - domain: 'example.com'
      authelia_url: 'https://auth.example.com'

storage:
  # Placeholder: generate with `openssl rand -hex 64`; never reuse the session secret
  encryption_key: 'a-long-random-encryption-key'
  local:
    path: /config/db.sqlite3

notifier:
  # Filesystem notifier is for testing only; use smtp for real deployments
  filesystem:
    filename: /config/notification.txt
  3. Configure your reverse proxy to forward authentication requests to Authelia, and serve the portal itself at https://auth.example.com (the authelia_url above).
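The single two_factor rule above protects everything but cannot express "password only from the LAN" or "admins only". As an added example (not from the page or from the Authelia project), here is a users_database.yml with two users in two groups, and an access_control section that references those groups, a named network, and a path regex. User names, host names and the 10.0.0.0/8 range are assumptions; the password hashes are placeholders to be replaced with generated values.

```yaml
# config/users_database.yml (constructed example)
users:
  alice:
    disabled: false
    displayname: 'Alice Admin'
    # Placeholder: replace with the output of
    #   docker run --rm authelia/authelia:4 authelia crypto hash generate argon2 --password 'change-me'
    password: '$argon2id$v=19$m=65536,t=3,p=4$REPLACE_WITH_GENERATED_HASH'
    email: alice@example.com
    groups:
      - admins
      - users
  bob:
    disabled: false
    displayname: 'Bob User'
    password: '$argon2id$v=19$m=65536,t=3,p=4$REPLACE_WITH_GENERATED_HASH'
    email: bob@example.com
    groups:
      - users

---
# access_control section of configuration.yml (constructed example).
# Rules are evaluated top to bottom and the first match wins, so narrow
# bypass rules go before broad ones. default_policy: deny means a logged-in
# user who matches no rule still gets 403.
access_control:
  default_policy: deny
  networks:
    - name: lan
      networks:
        - 10.0.0.0/8
  rules:
    # Unauthenticated health checks for monitoring; exact path only
    - domain: grafana.example.com
      resources:
        - '^/api/health$'
      policy: bypass
    # Admin-only service: always 2FA, and only members of the admins group
    - domain: portainer.example.com
      policy: two_factor
      subject:
        - 'group:admins'
    # Password alone is enough from the LAN for ordinary users
    - domain: '*.example.com'
      policy: one_factor
      networks:
        - lan
      subject:
        - 'group:users'
    # Everything else, from anywhere: 2FA
    - domain: '*.example.com'
      policy: two_factor
```

The network rule only works if the proxy passes the real client address to Authelia (X-Forwarded-For), otherwise every request appears to come from the proxy's own address and a LAN-only rule silently matches everyone or no one. Keep bypass rules anchored with ^ and $; an unanchored `/api/health` would also bypass `/api/health/../admin`-style paths that the upstream normalises differently.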
§04

Example

Nginx configuration for Authelia-protected services:

server {
    server_name grafana.example.com;

    # Internal sub-request nginx issues for every request to decide
    # whether the session is authenticated and authorised.
    location /authelia {
        internal;
        proxy_pass http://authelia:9091/api/authz/auth-request;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Original-Method $request_method;
        proxy_set_header X-Forwarded-For $remote_addr;
        # The sub-request must not carry the client's body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    location / {
        auth_request /authelia;
        # Copy the identity headers Authelia returns to the upstream.
        auth_request_set $user $upstream_http_remote_user;
        auth_request_set $groups $upstream_http_remote_groups;
        proxy_set_header Remote-User $user;
        proxy_set_header Remote-Groups $groups;
        # Send unauthenticated users to the portal, then back here.
        set $target_url $scheme://$http_host$request_uri;
        error_page 401 =302 https://auth.example.com/?rd=$target_url;
        proxy_pass http://grafana:3000;
    }
}

/api/authz/auth-request is the endpoint for nginx auth_request in Authelia 4.38 and later; /api/verify is the legacy endpoint. Without the error_page redirect an unauthenticated browser receives a bare 401 instead of the login portal. If Grafana is configured to trust Remote-User (its auth.proxy mode), grafana:3000 must be reachable only through this nginx: any client that can reach the upstream directly can set Remote-User itself and impersonate any user.
§06

Common pitfalls

  • Not securing the Authelia configuration file. It contains the session secret, the storage encryption key, OIDC client secrets, and SMTP credentials. Set restrictive file permissions (600), never commit secrets to git, and prefer the AUTHELIA_*_FILE environment variables or a secrets manager for anything beyond a test box.
  • Forgetting to configure a notifier. Authelia refuses to start without one, and it e-mails the one-time codes used for password reset and for registering TOTP and WebAuthn devices. The filesystem notifier (which writes to a file) is fine for testing; use SMTP for anything real, or users cannot recover accounts or enrol second factors.
  • Using file-based user storage for large teams. The file backend means editing YAML and hashing passwords by hand for every change; it works for a handful of users, but switch to the LDAP backend (lldap, OpenLDAP, Active Directory) once you need centrally managed accounts or a larger, changing user base.

Frequently Asked Questions

What reverse proxies does Authelia support?

Authelia integrates with Nginx, Traefik, Caddy, HAProxy, and Envoy. Each has documented integration guides. Traefik is the easiest to configure because it supports ForwardAuth middleware natively.
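The Traefik integration the answer refers to, as an added example that is not part of the original page or the Authelia project: Docker-provider labels that expose the portal and define one ForwardAuth middleware, then attach it to a Grafana router. Host names, the websecure entrypoint name, and the service images are assumptions.

```yaml
# Constructed example: docker-compose.yml labels for Traefik (Docker provider)
services:
  authelia:
    image: authelia/authelia:4
    volumes:
      - ./config:/config
    labels:
      - 'traefik.enable=true'
      # The portal itself is served without the middleware
      - 'traefik.http.routers.authelia.rule=Host(`auth.example.com`)'
      - 'traefik.http.routers.authelia.entrypoints=websecure'
      - 'traefik.http.routers.authelia.tls=true'
      - 'traefik.http.services.authelia.loadbalancer.server.port=9091'
      # One ForwardAuth middleware that every protected router references.
      # Authelia answers 200 (pass through) or 302 to the portal, using the
      # authelia_url from session.cookies to build the redirect.
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth'
      # Let Authelia see the original host/URI/client IP via X-Forwarded-* headers
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      # Identity headers copied from Authelia's response to the upstream request
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name'

  grafana:
    image: grafana/grafana
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.grafana.rule=Host(`grafana.example.com`)'
      - 'traefik.http.routers.grafana.entrypoints=websecure'
      - 'traefik.http.routers.grafana.tls=true'
      # Attach the middleware: requests reach Grafana only after Authelia approves
      - 'traefik.http.routers.grafana.middlewares=authelia@docker'
      - 'traefik.http.services.grafana.loadbalancer.server.port=3000'
```

Unlike the nginx auth_request pattern, no error_page redirect is needed: the forward-auth endpoint returns the 302 to the portal itself. The same header-trust caveat applies, though: Grafana must not be reachable except through Traefik, because whoever can reach port 3000 directly can forge Remote-User.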

Does Authelia support passkeys and WebAuthn?

Yes. Authelia supports WebAuthn for hardware security keys (YubiKey, SoloKey) and platform authenticators (Touch ID, Windows Hello). Passkeys are supported as a passwordless authentication method.

Can Authelia act as an OpenID Connect provider?

Yes. Authelia is an OpenID Connect certified provider. Applications that support OIDC (Grafana, Gitea, Portainer) can use Authelia as their identity provider without the auth_request proxy pattern.

Is Authelia free?

Yes. Authelia is open source under the Apache-2.0 license. There is no paid version or enterprise tier. The project is community-maintained with corporate sponsors.

How does Authelia compare to Keycloak?

Keycloak is a full-featured enterprise identity platform with user federation, social login, and admin UI. Authelia is lighter and focused on reverse proxy authentication. Choose Keycloak for complex enterprise needs; choose Authelia for homelab and small team simplicity.
