Scripts · May 5, 2026 · 1 min read

Pocket ID — Self-Hosted OIDC Provider with Passkey Authentication

A simple self-hosted OpenID Connect provider that lets users authenticate to services using passkeys and biometrics instead of passwords.

Introduction

Pocket ID is a lightweight self-hosted OpenID Connect (OIDC) provider focused on simplicity and passwordless authentication. It allows users to log in to any OIDC-compatible service using passkeys (WebAuthn) and biometrics, eliminating passwords entirely while remaining easy to deploy and manage.

What Pocket ID Does

  • Acts as a standards-compliant OIDC identity provider for your self-hosted services
  • Authenticates users via passkeys (fingerprint, Face ID, hardware keys) with no passwords
  • Manages OIDC client registrations for applications needing SSO
  • Provides user and group management with custom claim mapping
  • Supports one-time login links as a fallback for devices without passkey support

Architecture Overview

Pocket ID is a Go application with a SvelteKit frontend, compiled into a single binary or Docker image. It stores user data and OIDC client configurations in SQLite. The WebAuthn flow handles passkey registration and verification via the FIDO2 standard. Token signing uses RSA keys generated and stored locally.
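To make the last two sentences concrete, here is an added Go example (not Pocket ID's own code) of the signing and verification half of an ID token: the provider side mints an RS256-signed compact JWS with a locally generated RSA key, and the relying-party side pins the algorithm, checks the signature, then checks iss, aud, nonce and exp before trusting any claim. A `groups` claim stands in for the group-to-claim mapping described above; the claim name, the issuer URL `https://id.example.test`, the client id `grafana` and the single-string `aud` are assumptions of this example, not values from Pocket ID.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims holds the ID token claims checked below. "groups" stands in for
// Pocket ID's group-to-claim mapping (claim name assumed); aud is a single string.
type IDTokenClaims struct {
	Iss    string   `json:"iss"`
	Sub    string   `json:"sub"`
	Aud    string   `json:"aud"`
	Exp    int64    `json:"exp"`
	Nonce  string   `json:"nonce"`
	Groups []string `json:"groups"`
}

var b64 = base64.RawURLEncoding

// NewSigningKey generates the provider's locally held RSA signing key.
func NewSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignIDToken mints a compact JWS (RS256) over the claims: the provider side.
func SignIDToken(key *rsa.PrivateKey, claims IDTokenClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken is the relying-party side: pin the algorithm, check the
// signature with the provider's public key, then check iss, aud, nonce and exp.
func VerifyIDToken(pub *rsa.PublicKey, token, wantIss, wantAud, wantNonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("malformed base64url segment")
	}
	var h struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerJSON, &h); err != nil || h.Alg != "RS256" {
		return nil, errors.New("unexpected or missing alg") // the token never picks the algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss || c.Aud != wantAud || c.Nonce != wantNonce {
		return nil, errors.New("iss, aud or nonce mismatch")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// HasGroup is the authorization decision a service makes from the groups claim.
func HasGroup(c *IDTokenClaims, group string) bool {
	for _, g := range c.Groups {
		if g == group {
			return true
		}
	}
	return false
}

func main() {
	key, _ := NewSigningKey()
	tok, _ := SignIDToken(key, IDTokenClaims{Iss: "https://id.example.test", Sub: "alice", Aud: "grafana", Exp: time.Now().Add(5 * time.Minute).Unix(), Nonce: "n-1", Groups: []string{"admins"}})
	c, err := VerifyIDToken(&key.PublicKey, tok, "https://id.example.test", "grafana", "n-1", time.Now())
	fmt.Println(err, c != nil && HasGroup(c, "admins"))
}
```

The order of checks matters: the algorithm is fixed by the verifier rather than read from the token, the signature is checked before any claim is parsed, and the audience and nonce are compared against what this particular client expects, so a token minted for one service cannot be replayed against another.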

Self-Hosting & Configuration

  • Single Docker container with a SQLite database (no external DB required)
  • Configure application URL and admin credentials via environment variables
  • Register OIDC clients through the web admin panel
  • Supports custom branding with logo and color configuration
  • Reverse proxy compatible with standard X-Forwarded headers

Key Features

  • Passwordless-first: passkeys are the primary authentication method
  • Minimal footprint: single binary, SQLite storage, under 50 MB RAM
  • Standards-compliant: full OIDC and OAuth 2.0 support with PKCE
  • User groups: assign users to groups and map them to OIDC claims
  • Admin audit log: track login events and client access
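The PKCE support listed above is worth seeing end to end. The following is an added Go example, not code from Pocket ID, showing both halves of RFC 7636: the client generates a `code_verifier`, derives the S256 `code_challenge` and sends only the challenge in the authorization request; the provider later checks, at the token endpoint, that the verifier presented with the code hashes to the challenge it stored for that code. The authorization endpoint path `/authorize`, the issuer host `id.example.test`, the client id `grafana` and the redirect URI are constructed placeholders for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// NewCodeVerifier returns a high-entropy code_verifier (RFC 7636 requires
// 43 to 128 unreserved characters); 32 random bytes base64url-encode to 43.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 derives code_challenge = BASE64URL(SHA256(code_verifier)).
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizationURL builds the front-channel request to the provider's
// authorization endpoint; only the challenge travels, never the verifier.
func AuthorizationURL(authEndpoint, clientID, redirectURI, state, challenge string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid profile email")
	q.Set("state", state)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	return authEndpoint + "?" + q.Encode()
}

// PendingAuthorization is what the provider stores against an issued
// authorization code between the authorization and token requests.
type PendingAuthorization struct {
	ClientID      string
	RedirectURI   string
	CodeChallenge string
	Method        string
}

// VerifyTokenRequest is the provider-side check at the token endpoint: the
// client redeeming the code must present a verifier that hashes to the
// challenge bound to that code. The "plain" method is rejected outright.
func VerifyTokenRequest(p PendingAuthorization, clientID, redirectURI, verifier string) error {
	if p.ClientID != clientID {
		return errors.New("client_id does not match the authorization")
	}
	if p.RedirectURI != redirectURI {
		return errors.New("redirect_uri does not match the authorization")
	}
	if p.Method != "S256" {
		return errors.New("only code_challenge_method=S256 is accepted")
	}
	if len(verifier) < 43 || len(verifier) > 128 {
		return errors.New("code_verifier length out of range")
	}
	got := CodeChallengeS256(verifier)
	if subtle.ConstantTimeCompare([]byte(got), []byte(p.CodeChallenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	// Constructed values: issuer host, client id and redirect URI are placeholders.
	verifier, _ := NewCodeVerifier()
	challenge := CodeChallengeS256(verifier)
	redirect := "https://grafana.example.test/login/generic_oauth"
	fmt.Println(AuthorizationURL("https://id.example.test/authorize", "grafana", redirect, "state-1", challenge))
	pending := PendingAuthorization{ClientID: "grafana", RedirectURI: redirect, CodeChallenge: challenge, Method: "S256"}
	fmt.Println("correct verifier:", VerifyTokenRequest(pending, "grafana", redirect, verifier))
	fmt.Println("wrong verifier:  ", VerifyTokenRequest(pending, "grafana", redirect, "not-the-verifier-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"))
}
```

The point of the provider-side check is that an authorization code intercepted in transit is useless without the verifier, which never left the client; binding the stored challenge to the client id and redirect URI additionally stops a code issued for one registered client from being redeemed by another.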

Comparison with Similar Tools

  • Authelia — full-featured 2FA/SSO proxy; Pocket ID is simpler, passkey-focused
  • Authentik — enterprise identity platform; Pocket ID is lighter for small deployments
  • Keycloak — Java-based, heavy; Pocket ID is a single Go binary
  • Zitadel — cloud-native IAM; Pocket ID targets homelab simplicity
  • Kanidm — Rust identity server; Pocket ID has a simpler setup for OIDC-only use cases

FAQ

Q: What services can I connect to Pocket ID? A: Any application supporting OIDC/OAuth 2.0 login — including Portainer, Grafana, Nextcloud, Gitea, and most self-hosted apps with SSO support.

Q: What happens if I lose my passkey device? A: Admins can generate one-time login links, and users can register multiple passkeys for redundancy.

Q: Does Pocket ID support traditional username/password login? A: The focus is passkey-only, but one-time email links provide a fallback when passkeys are unavailable.

Q: Can I use hardware security keys like YubiKeys? A: Yes, any FIDO2/WebAuthn-compatible device works, including YubiKeys, Titan keys, and platform authenticators.

Sources
