What is Pocket-ID — Passkey-First Self-Hosted OIDC Provider?

Lightweight OpenID Connect provider that lets users authenticate to self-hosted services using passkeys instead of passwords.

Is Pocket-ID — Passkey-First Self-Hosted OIDC Provider free to use?

Yes. Pocket-ID — Passkey-First Self-Hosted OIDC Provider is freely available on TokRepo. Check the Source & Thanks section on the asset page for the specific open-source license.

How do I install Pocket-ID — Passkey-First Self-Hosted OIDC Provider?

Visit the asset page on TokRepo and click "Copy for agent" to get the installation instructions. Most assets can be installed with a single command.

Pocket-ID — Passkey-First Self-Hosted OIDC Provider

Introduction

Pocket-ID is a minimal, self-hosted OpenID Connect (OIDC) provider designed around passkeys. Instead of managing passwords, users register and log in with biometrics or hardware security keys, dramatically reducing the attack surface for self-hosted infrastructure.

What Pocket-ID Does

Provides a standards-compliant OIDC identity provider for SSO
Authenticates users exclusively via WebAuthn passkeys
Integrates with reverse proxies like Caddy, Nginx, and Traefik for access control
Manages OIDC clients through a clean admin dashboard
Supports user groups and custom claims for fine-grained authorization

Architecture Overview

Pocket-ID is a Go backend with a SvelteKit frontend, bundled into a single Docker image. It stores data in SQLite, keeping the deployment footprint minimal. The OIDC discovery endpoint and token handling follow standard specifications, making it compatible with any OIDC-aware application.

Self-Hosting & Configuration

Deploy via Docker or Docker Compose with a single container
Mount a persistent volume for the SQLite database
Place behind a reverse proxy with HTTPS for production use
Configure OIDC clients through the web-based admin panel
Set environment variables for trusted proxies and app URL

Key Features

Passwordless authentication using WebAuthn/FIDO2 passkeys
Single-binary deployment with SQLite storage
Built-in admin UI for managing users and OIDC clients
Email-based one-time code fallback for passkey recovery
Proxy auth endpoint for protecting non-OIDC services

Comparison with Similar Tools

Authentik — full-featured IdP with LDAP and SAML; Pocket-ID is simpler and passkey-native
Authelia — 2FA gateway for reverse proxies; Pocket-ID provides full OIDC issuer capabilities
Keycloak — enterprise IAM with complex setup; Pocket-ID targets homelabs with minimal config
Casdoor — multi-protocol IAM; Pocket-ID focuses exclusively on passkey-based OIDC

FAQ

Q: Can Pocket-ID work alongside existing password-based auth? A: Pocket-ID is passkey-first by design. For password fallback, consider Authentik or Keycloak instead.

Q: Which services can use Pocket-ID for login? A: Any application supporting OIDC or OAuth2, including Portainer, Grafana, Proxmox, and Nginx auth_request.

Q: Does it support multiple passkeys per user? A: Yes, each user can register multiple passkeys across different devices.

Q: How do I recover access if I lose my passkey device? A: Admins can trigger an email-based one-time login code for account recovery.

Pocket-ID — Passkey-First Self-Hosted OIDC Provider

Introduction

What Pocket-ID Does

Architecture Overview

Self-Hosting & Configuration

Key Features

Comparison with Similar Tools

FAQ

Sources

讨论

相关资产

Pocket ID — Lightweight OIDC Provider with Passkey Authentication

Hanko — Open-Source Passkey-First Authentication

Fathom Lite — Privacy-First Self-Hosted Web Analytics

Pocket ID — Self-Hosted OIDC Provider with Passkey Authentication