Configs · Apr 26, 2026 · 3 min read

Pocket ID — Lightweight OIDC Provider with Passkey Authentication

A simple, self-hosted OpenID Connect identity provider that lets users authenticate with passkeys to access your services without passwords.

Introduction

Pocket ID is a minimal, self-hosted OpenID Connect (OIDC) identity provider built around passkey authentication. Instead of managing passwords and TOTP tokens, users register and log in with hardware security keys or platform biometrics. It is designed for homelabs and small teams who want a simple SSO layer in front of their self-hosted services.

What Pocket ID Does

  • Acts as a standards-compliant OIDC provider for single sign-on across multiple applications
  • Authenticates users via WebAuthn passkeys, eliminating password management entirely
  • Provides an admin dashboard to manage users, groups, and registered OIDC clients
  • Issues JWT access and ID tokens that downstream apps validate for authorization
  • Supports user self-service for registering new passkeys and managing their profile

Architecture Overview

Pocket ID is written in Go with a SQLite database for persistent storage. The server exposes standard OIDC discovery, authorization, and token endpoints. Authentication flows use the WebAuthn protocol, where the browser handles the passkey challenge and the server verifies the cryptographic response. The front-end admin panel is a lightweight SPA served by the same binary. A single Docker container packages everything with no external database dependency.
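The feature list and the architecture description both end at the point where a downstream application "validates" the JWT it receives; what that validation has to cover is the part most integrations get wrong. The Go example below is added here and is not Pocket ID's code: it models the JWKS document a provider publishes and an RS256-signed ID token, then shows what a relying party must check before trusting the token (algorithm pinned rather than read from the header, key selected by kid, signature, issuer, audience, expiry against the app's own clock). The key, kid, issuer URL, client id and subject are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT and JWK use unpadded base64url

// JWKS models the document a provider serves at its jwks_uri; Claims is the ID-token subset
// checked here (aud modelled as one string, OIDC also allows an array). Untagged fields match
// JSON members case-insensitively in encoding/json.
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }
type Claims struct {
	Iss, Sub, Aud string
	Exp           int64
}

// DemoProvider generates a key standing in for the provider's signing key (constructed for
// this example) together with the JWKS entry the provider would publish for it.
func DemoProvider(kid string) (*rsa.PrivateKey, JWKS) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	n, e := b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())
	return priv, JWKS{Keys: []JWK{{"RSA", kid, n, e}}}
}

// Sign produces an RS256 JWT: base64url(header).base64url(claims).base64url(signature).
func Sign(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify is what a relying party must do with a token: pin the algorithm, pick the key by
// kid, check the signature, then check issuer, audience and expiry against its own clock.
func Verify(token string, keys JWKS, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if hj, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hj, &hdr) != nil {
		return nil, fmt.Errorf("bad header")
	}
	if hdr.Alg != "RS256" { // the header never selects the algorithm: no "none", no HS256
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no usable RSA key for kid %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature mismatch")
	}
	var c Claims
	if pj, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pj, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, issuer)
	case c.Aud != audience:
		return nil, fmt.Errorf("token was issued for another client")
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired or has no exp")
	}
	return &c, nil
}

func main() {
	priv, keys := DemoProvider("demo-key-1") // key id, issuer, client id and subject are constructed
	now := time.Now()
	tok, _ := Sign(priv, "demo-key-1", map[string]any{"iss": "https://id.example.test", "sub": "user-123", "aud": "my-app", "exp": now.Add(time.Hour).Unix()})
	fmt.Println(Verify(tok, keys, "https://id.example.test", "my-app", now))   // accepted
	fmt.Println(Verify(tok, keys, "https://id.example.test", "other-app", now)) // rejected: wrong audience
}
```

In a real integration the JWKS comes from the provider's jwks_uri and the expected issuer from its discovery document, and a production verifier would additionally cache keys by kid and allow a small clock skew. The reason the algorithm is hard-coded rather than read from the header is that the header is attacker-controlled input: letting it choose the verification method is the root of the classic alg=none and RSA-to-HMAC confusion bugs.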

Self-Hosting & Configuration

  • Run the official Docker image with a single volume mount for the SQLite database
  • Set the PUBLIC_URL environment variable to match your external domain for correct OIDC redirects
  • Place behind a reverse proxy with TLS, as WebAuthn requires HTTPS in production
  • Register OIDC clients in the admin UI with their redirect URIs and allowed scopes
  • Configure email settings for user invite notifications, or manage users directly via the admin panel
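Once the container is up behind the proxy, the quickest way to confirm that the PUBLIC_URL and TLS steps above took effect is to read the discovery document the server publishes and compare it with the configured external URL, because OIDC clients compare the issuer string literally and reject tokens on any mismatch. The Go example below is added here and is not Pocket ID's code; it takes a discovery document as bytes so it runs offline, and the two sample documents, the hostnames, the port and the endpoint paths in them are constructed. It assumes the environment variable is named PUBLIC_URL as in the list above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Discovery is the subset of OIDC provider metadata this check reads from
// <PUBLIC_URL>/.well-known/openid-configuration.
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JwksURI               string `json:"jwks_uri"`
}

// Constructed sample documents (paths and port are invented for the example): a consistent
// deployment, and one where the provider still advertises a local default URL because
// PUBLIC_URL was not set to the external domain.
const GoodDoc = `{"issuer":"https://id.example.test",
 "authorization_endpoint":"https://id.example.test/authorize",
 "token_endpoint":"https://id.example.test/token",
 "jwks_uri":"https://id.example.test/jwks"}`

const BadDoc = `{"issuer":"http://localhost:8080",
 "authorization_endpoint":"http://localhost:8080/authorize",
 "token_endpoint":"http://localhost:8080/token",
 "jwks_uri":"http://localhost:8080/jwks"}`

// CheckDiscovery compares the metadata the provider serves with the PUBLIC_URL the operator
// configured and returns one finding per inconsistency; an empty result means the deployment
// is coherent. A trailing slash on PUBLIC_URL is tolerated, nothing else is normalised.
func CheckDiscovery(publicURL string, doc []byte) []string {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return []string{"discovery document is not valid JSON: " + err.Error()}
	}
	want := strings.TrimRight(publicURL, "/")
	base, err := url.Parse(want)
	if err != nil || base.Scheme == "" || base.Host == "" {
		return []string{"PUBLIC_URL is not an absolute URL: " + publicURL}
	}
	var findings []string
	if base.Scheme != "https" {
		findings = append(findings, "PUBLIC_URL is not https; WebAuthn requires a secure context in production")
	}
	if d.Issuer != want {
		findings = append(findings, fmt.Sprintf("issuer %q does not match PUBLIC_URL %q", d.Issuer, want))
	}
	endpoints := []struct{ name, value string }{
		{"authorization_endpoint", d.AuthorizationEndpoint},
		{"token_endpoint", d.TokenEndpoint},
		{"jwks_uri", d.JwksURI},
	}
	for _, ep := range endpoints {
		u, err := url.Parse(ep.value)
		switch {
		case ep.value == "" || err != nil:
			findings = append(findings, ep.name+" is missing or unparsable")
		case u.Scheme != base.Scheme || u.Host != base.Host:
			findings = append(findings, fmt.Sprintf("%s %q is not on the PUBLIC_URL origin", ep.name, ep.value))
		}
	}
	return findings
}

func main() {
	for _, f := range CheckDiscovery("https://id.example.test", []byte(BadDoc)) {
		fmt.Println("finding:", f)
	}
}
```

To run it against a live instance, fetch `<PUBLIC_URL>/.well-known/openid-configuration` through the reverse proxy (not from inside the container network) and pass the body to CheckDiscovery; an issuer or endpoint still pointing at a local address means the proxy is reachable but the provider has not been told its external name, which every OIDC client will surface as an issuer mismatch.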

Key Features

  • Passwordless-first design using WebAuthn passkeys for phishing-resistant authentication
  • Single self-contained binary with embedded SQLite, no external database or cache required
  • Standard OIDC/OAuth2 compliance so it works with any app that supports OIDC login
  • Lightweight resource footprint suitable for Raspberry Pi and low-power homelab hardware
  • Clean admin UI for managing users, groups, and OIDC client registrations

Comparison with Similar Tools

  • Authelia — full-featured auth portal with TOTP and Duo push; Pocket ID focuses exclusively on passkey-based OIDC with a simpler setup
  • Authentik — enterprise-grade IdP with SAML, SCIM, and policy engine; Pocket ID trades breadth for deployment simplicity
  • Keycloak — Java-based IdP with extensive protocol support; Pocket ID is a single Go binary with minimal resource usage
  • Zitadel — cloud-native identity platform with multi-tenancy; Pocket ID targets single-tenant homelabs
  • TinyAuth — lightweight auth middleware; Pocket ID provides a full OIDC server rather than just a proxy gate

FAQ

Q: Do I need a hardware security key?
A: No. Passkeys work with platform authenticators like Touch ID, Windows Hello, or Android biometrics. Hardware keys like YubiKeys are also supported.

Q: Can I use Pocket ID with Nginx Proxy Manager or Traefik?
A: Yes. Any app that supports OIDC authentication can use Pocket ID as the identity provider. Forward-auth integrations work with Traefik and similar proxies.

Q: Is there a way to fall back to passwords?
A: Pocket ID is passkey-only by design. If you need password-based login, consider Authelia or Authentik instead.

Q: How many users can it handle?
A: The SQLite backend handles hundreds of users comfortably. For larger deployments, the overhead remains low since authentication is cryptographic, not password-hashing intensive.
