Skills · May 10, 2026 · 2 min read

Pocket-ID — Passkey-First Self-Hosted OIDC Provider

Lightweight OpenID Connect provider that lets users authenticate to self-hosted services using passkeys instead of passwords.

Agent-ready

This asset can be read and installed directly by agents

TokRepo exposes a universal CLI command, an install contract, JSON metadata, an adapter-specific plan, and the raw content to help agents judge fit, risk, and next actions.

Native · 98/100 · Policy: allow
Agent surface: Any MCP/CLI agent
Type: Skill
Installation: Single
Trust: Established
Entry point: Pocket-ID Overview
Universal CLI command: npx tokrepo install 32a8bb01-4c28-11f1-9bc6-00163e2b0d79

Introduction

Pocket-ID is a minimal, self-hosted OpenID Connect (OIDC) provider designed around passkeys. Instead of managing passwords, users register and log in with biometrics or hardware security keys, dramatically reducing the attack surface for self-hosted infrastructure.

What Pocket-ID Does

  • Provides a standards-compliant OIDC identity provider for SSO
  • Authenticates users exclusively via WebAuthn passkeys
  • Integrates with reverse proxies like Caddy, Nginx, and Traefik for access control
  • Manages OIDC clients through a clean admin dashboard
  • Supports user groups and custom claims for fine-grained authorization

Architecture Overview

Pocket-ID is a Go backend with a SvelteKit frontend, bundled into a single Docker image. It stores data in SQLite, keeping the deployment footprint minimal. The OIDC discovery endpoint and token handling follow standard specifications, making it compatible with any OIDC-aware application.

Self-Hosting & Configuration

  • Deploy via Docker or Docker Compose with a single container
  • Mount a persistent volume for the SQLite database
  • Place behind a reverse proxy with HTTPS for production use
  • Configure OIDC clients through the web-based admin panel
  • Set environment variables for trusted proxies and app URL
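
Added example (not Pocket-ID code and not from this page): a relying-party-side check, run after the provider is placed behind the HTTPS reverse proxy, that the OIDC discovery document advertises the public URL rather than an internal address. The host `id.example.com`, the endpoint paths and the sample JSON are constructed, and it is an assumption that the issuer should equal the configured app URL.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// discovery holds the provider metadata fields checked here (OIDC Discovery 1.0).
type discovery struct {
	Issuer string `json:"issuer"`
	Auth   string `json:"authorization_endpoint"`
	Token  string `json:"token_endpoint"`
	JWKS   string `json:"jwks_uri"`
}

// checkDiscovery lists mismatches between a discovery document and the public HTTPS URL.
func checkDiscovery(raw []byte, publicURL string) []string {
	want, err := url.Parse(publicURL)
	if err != nil || want.Scheme != "https" {
		return []string{"public URL must be an https URL"}
	}
	var d discovery
	if err := json.Unmarshal(raw, &d); err != nil {
		return []string{"invalid JSON: " + err.Error()}
	}
	var problems []string
	if d.Issuer != publicURL { // clients compare the issuer string exactly
		problems = append(problems, fmt.Sprintf("issuer %q, expected %q", d.Issuer, publicURL))
	}
	eps := [][2]string{{"authorization_endpoint", d.Auth}, {"token_endpoint", d.Token}, {"jwks_uri", d.JWKS}}
	for _, e := range eps {
		u, err := url.Parse(e[1])
		switch {
		case err != nil || e[1] == "":
			problems = append(problems, e[0]+": missing or unparsable")
		case u.Scheme != "https":
			problems = append(problems, e[0]+": not served over https")
		case !strings.EqualFold(u.Host, want.Host):
			problems = append(problems, e[0]+": host "+u.Host+" is not the public host")
		}
	}
	return problems
}

// Constructed sample: endpoints advertise an internal address (not real output).
const badSample = `{"issuer":"http://10.0.0.5:8080","authorization_endpoint":"http://10.0.0.5:8080/authorize","token_endpoint":"http://10.0.0.5:8080/token","jwks_uri":"http://10.0.0.5:8080/jwks"}`

func main() { fmt.Println(strings.Join(checkDiscovery([]byte(badSample), "https://id.example.com"), "\n")) }
```

An empty result means the advertised issuer and endpoints all sit on the public HTTPS host; any entry points to the app URL or proxy configuration as the place to look.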

Key Features

  • Passwordless authentication using WebAuthn/FIDO2 passkeys
  • Single-binary deployment with SQLite storage
  • Built-in admin UI for managing users and OIDC clients
  • Email-based one-time code fallback for passkey recovery
  • Proxy auth endpoint for protecting non-OIDC services

Comparison with Similar Tools

  • Authentik — full-featured IdP with LDAP and SAML; Pocket-ID is simpler and passkey-native
  • Authelia — 2FA gateway for reverse proxies; Pocket-ID provides full OIDC issuer capabilities
  • Keycloak — enterprise IAM with complex setup; Pocket-ID targets homelabs with minimal config
  • Casdoor — multi-protocol IAM; Pocket-ID focuses exclusively on passkey-based OIDC

FAQ

Q: Can Pocket-ID work alongside existing password-based auth?
A: Pocket-ID is passkey-first by design. For password fallback, consider Authentik or Keycloak instead.

Q: Which services can use Pocket-ID for login?
A: Any application supporting OIDC or OAuth2, including Portainer, Grafana, Proxmox, and Nginx auth_request.

Q: Does it support multiple passkeys per user?
A: Yes, each user can register multiple passkeys across different devices.

Q: How do I recover access if I lose my passkey device?
A: Admins can trigger an email-based one-time login code for account recovery.
