# Pocket-ID — Passkey-First Self-Hosted OIDC Provider

> Lightweight OpenID Connect provider that lets users authenticate to self-hosted services using passkeys instead of passwords.

## Quick Use

```bash
docker run -d -p 80:80 -v pocket-id-data:/app/backend/data -e TRUST_PROXY=true stonith404/pocket-id:latest
```

## Introduction

Pocket-ID is a minimal, self-hosted OpenID Connect (OIDC) provider designed around passkeys. Instead of managing passwords, users register and log in with biometrics or hardware security keys, which removes password-based attacks from the authentication surface of self-hosted infrastructure.

## What Pocket-ID Does

- Provides a standards-compliant OIDC identity provider for SSO
- Authenticates users exclusively via WebAuthn passkeys
- Integrates with reverse proxies like Caddy, Nginx, and Traefik for access control
- Manages OIDC clients through a clean admin dashboard
- Supports user groups and custom claims for fine-grained authorization

## Architecture Overview

Pocket-ID is a Go backend with a SvelteKit frontend, bundled into a single Docker image. It stores data in SQLite, keeping the deployment footprint minimal. The OIDC discovery endpoint and token handling follow standard specifications, making it compatible with any OIDC-aware application.
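Because the discovery endpoint follows the standard `/.well-known/openid-configuration` contract, a deployment behind a reverse proxy can be sanity-checked from the outside. The following is an added example (not Pocket-ID's own code): it validates a discovery document against the public URL you intend clients to use, catching the usual proxy mistakes (issuer not matching the app URL, plain HTTP, endpoints advertised on another origin). The host `id.example.test` and the endpoint paths in the sample document are constructed for the example.

```python
"""Check an OIDC discovery document from a self-hosted IdP behind a reverse proxy.

Added example, not part of Pocket-ID. The sample JSON below is constructed;
in practice you would fetch https://<app-url>/.well-known/openid-configuration.
"""
import json
from urllib.parse import urlparse

# Constructed sample with a hypothetical host and generic endpoint paths.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://id.example.test",
    "authorization_endpoint": "https://id.example.test/authorize",
    "token_endpoint": "https://id.example.test/token",
    "jwks_uri": "https://id.example.test/jwks",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc_json: str, expected_issuer: str) -> list[str]:
    """Return a list of problems; an empty list means the document looks sane."""
    problems = []
    doc = json.loads(doc_json)
    for key in REQUIRED:
        if key not in doc:
            problems.append(f"missing {key}")
    if problems:
        return problems
    issuer = doc["issuer"].rstrip("/")
    if issuer != expected_issuer.rstrip("/"):
        # Typical symptom of a wrong app URL or a proxy that is not trusted:
        # the issuer differs from the public URL configured in the clients.
        problems.append(f"issuer {issuer!r} != expected {expected_issuer!r}")
    origin = urlparse(issuer)
    if origin.scheme != "https":
        problems.append("issuer is not https; codes and tokens would travel in clear")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        ep = urlparse(doc[key])
        if (ep.scheme, ep.netloc) != (origin.scheme, origin.netloc):
            problems.append(f"{key} is on a different origin than the issuer")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("'none' ID token signing algorithm advertised")
    return problems


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY, "https://id.example.test"))
```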
## Self-Hosting & Configuration

- Deploy via Docker or Docker Compose with a single container
- Mount a persistent volume for the SQLite database
- Place behind a reverse proxy with HTTPS for production use
- Configure OIDC clients through the web-based admin panel
- Set environment variables for trusted proxies and the app URL

## Key Features

- Passwordless authentication using WebAuthn/FIDO2 passkeys
- Single-binary deployment with SQLite storage
- Built-in admin UI for managing users and OIDC clients
- Email-based one-time code fallback for passkey recovery
- Proxy auth endpoint for protecting non-OIDC services

## Comparison with Similar Tools

- **Authentik** — full-featured IdP with LDAP and SAML; Pocket-ID is simpler and passkey-native
- **Authelia** — 2FA gateway for reverse proxies; Pocket-ID provides full OIDC issuer capabilities
- **Keycloak** — enterprise IAM with complex setup; Pocket-ID targets homelabs with minimal config
- **Casdoor** — multi-protocol IAM; Pocket-ID focuses exclusively on passkey-based OIDC

## FAQ

**Q: Can Pocket-ID work alongside existing password-based auth?**
A: Pocket-ID is passkey-first by design. For password fallback, consider Authentik or Keycloak instead.

**Q: Which services can use Pocket-ID for login?**
A: Any application supporting OIDC or OAuth2, including Portainer, Grafana, Proxmox, and Nginx `auth_request`.

**Q: Does it support multiple passkeys per user?**
A: Yes, each user can register multiple passkeys across different devices.

**Q: How do I recover access if I lose my passkey device?**
A: Admins can trigger an email-based one-time login code for account recovery.

## Sources

- https://github.com/pocket-id/pocket-id
- https://pocket-id.org

---

Source: https://tokrepo.com/en/workflows/asset-32a8bb01
Author: AI Open Source