Menu
Article Guides

Authelia vs Authentik: Adding Authentication to Your Services

homelabbed

• 6 min read
Authelia vs Authentik: Adding Authentication to Your Services
Authelia vs Authentik: Adding Authentication to Your Self-Hosted Services

Authelia vs Authentik: Adding Authentication to Your Self-Hosted Services

So you've gone down the homelab rabbit hole. You're running Jellyfin, maybe some file syncing with Nextcloud, a dashboard or two, and probably a dozen other services you've forgotten about. Everything works great... until you realize that half your services are sitting there with default passwords, and the other half have no authentication at all.

Sound familiar? Yeah, we've all been there.

The solution is centralized authentication. Instead of managing separate logins for every single service, you get one login to rule them all. Today we're looking at two popular options in the self-hosted world: Authelia and Authentik. Both are free, open source, and solve the same fundamental problem. But they take very different approaches.

Why You Actually Need This

Before we dive into the comparison, let's talk about why you should care. If you're only running services on your local network and you trust everyone on that network, you might think authentication is overkill. Here's the thing though: eventually you'll want to access something from outside your home.

Maybe you want to check your media server while traveling. Maybe you want to share a file with a friend. The moment you expose anything to the internet, authentication becomes critical.

Here's what proper authentication gets you:

  • Single Sign-On (SSO): Log in once, access everything. No more remembering 15 different passwords.
  • Two-Factor Authentication (2FA): Add an extra layer of security with TOTP codes or push notifications.
  • Centralized user management: Add or remove users in one place instead of updating every service individually.
  • Access control: Decide who can access what. Maybe your partner can use Jellyfin but doesn't need access to your admin dashboards.
  • Protection for services that lack authentication: Some self-hosted apps have terrible (or no) built-in auth. Put them behind a proper auth layer instead.

The last point is huge. There are tons of useful tools that assume they're running on a trusted network. With Authelia or Authentik, you can expose them safely.

Authelia: The Lightweight Contender

Authelia is what I'd call the "just works" option. It's a single binary (or container) that handles authentication and authorization. No database server required for basic setups. No complicated cluster configuration. Just point your reverse proxy at it and go.

The Good:

  • Incredibly lightweight. Uses minimal resources.
  • Simple YAML configuration. No web UI needed for setup.
  • Works with files for user storage. No database required.
  • Excellent documentation with examples for every major reverse proxy.
  • Fast. Really fast. You won't notice any latency.
  • Supports TOTP, WebAuthn, and push notifications for 2FA.

The Not-So-Good:

  • No web UI for administration. You manage users by editing files or connecting to LDAP.
  • Limited to authentication. It's not a full identity provider.
  • OIDC support exists but is simpler than Authentik's implementation.
  • If you want advanced features, you'll need to integrate with external systems.

Authelia shines when you want to protect services behind your reverse proxy without a lot of fuss. It integrates directly with Nginx, Traefik, Caddy, and others through auth forwarding. When someone tries to access a protected service, they get redirected to Authelia's login page. After authentication, they're sent back to where they were trying to go.

Authentik: The Full Identity Platform

Authentik is a completely different beast. It's a full-featured identity provider that happens to also do what Authelia does. Think of it as "enterprise IAM but actually usable."

The Good:

  • Beautiful web UI for everything. User management, application setup, flow customization.
  • Full OIDC/OAuth2/SAML provider. Native integration with apps that support these protocols.
  • Incredibly flexible authentication flows. Build exactly the login experience you want.
  • User self-service. Users can reset passwords, manage their own 2FA, update profiles.
  • Groups, roles, and fine-grained permissions.
  • Built-in application launcher/dashboard.

The Not-So-Good:

  • Heavier resource usage. Needs PostgreSQL and Redis.
  • More complex to set up initially.
  • Can feel like overkill for simple use cases.
  • The flexibility means more decisions to make.

Authentik really shines when your apps natively support OIDC or SAML. Instead of relying on header authentication through a reverse proxy, the application itself talks to Authentik. This is cleaner and more secure. Apps like Grafana, Nextcloud, and Portainer all support OIDC out of the box.

Head-to-Head Comparison

Feature Authelia Authentik
Resource Usage Very Low (~50MB RAM) Moderate (~500MB+ RAM)
Setup Complexity Simple Moderate
Web UI Login portal only Full admin interface
User Management Files or LDAP Built-in with UI
OIDC/OAuth2 Basic support Full provider
SAML No Yes
2FA Options TOTP, WebAuthn, Push TOTP, WebAuthn, SMS, Email
Proxy Auth Excellent Good
Best For Simple setups, proxy auth Complex setups, native OIDC

Which One Should You Pick?

Choose Authelia if:

  • You're just starting out with self-hosted authentication
  • Most of your services don't support OIDC natively
  • You want something lightweight that won't eat your server resources
  • You're comfortable editing config files
  • You just want to put a login page in front of your services

Choose Authentik if:

  • You have multiple users who need self-service features
  • Your apps support OIDC/SAML and you want native integration
  • You want a web UI for managing everything
  • You need complex authentication flows or conditional access
  • You're building something that resembles an actual organization

For most homelabbers starting out, I'd recommend Authelia. It's simpler, lighter, and honestly covers 90% of use cases. You can always migrate to Authentik later if you outgrow it.

Setting Up Authelia: A Quick Start Guide

Let's walk through a basic Authelia setup. I'll assume you're using Docker and Traefik, but the concepts apply to other setups too.

Step 1: Create the Directory Structure

mkdir -p ~/authelia/config
cd ~/authelia

Step 2: Create the Configuration File

Create config/configuration.yml:

---
server:
  address: 'tcp://0.0.0.0:9091'

log:
  level: 'info'

totp:
  issuer: 'yourdomain.com'

authentication_backend:
  file:
    path: '/config/users_database.yml'

access_control:
  default_policy: 'deny'
  rules:
    - domain: '*.yourdomain.com'
      policy: 'one_factor'

session:
  cookies:
    - name: 'authelia_session'
      domain: 'yourdomain.com'
      authelia_url: 'https://auth.yourdomain.com'

storage:
  local:
    path: '/config/db.sqlite3'

notifier:
  filesystem:
    filename: '/config/notification.txt'

A few notes on this config:

  • Replace yourdomain.com with your actual domain
  • The one_factor policy means username and password only. Change to two_factor once you've set up 2FA.
  • For production, you'll want a real notifier (SMTP) instead of the filesystem one

Step 3: Create the Users Database

Create config/users_database.yml:

---
users:
  yourusername:
    displayname: 'Your Name'
    password: '$argon2id$v=19$m=65536,t=3,p=4$...'
    email: 'you@example.com'
    groups:
      - 'admins'

Generate the password hash using:

docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'

Step 4: Docker Compose

Add Authelia to your docker-compose.yml:

services:
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    volumes:
      - ./config:/config
    environment:
      - TZ=Europe/London
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.yourdomain.com`)"
      - "traefik.http.routers.authelia.entrypoints=websecure"
      - "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth"
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"

Step 5: Protect a Service

To protect any other service, just add the middleware to its Traefik labels:

labels:
  - "traefik.http.routers.myservice.middlewares=authelia@docker"

That's it. Anyone trying to access that service will be redirected to Authelia for login first.

Step 6: Add Two-Factor Authentication

Once you've confirmed basic login works, you'll want to enable 2FA:

  1. Log into the Authelia portal at https://auth.yourdomain.com
  2. Go to Settings and register a TOTP device
  3. Scan the QR code with your authenticator app
  4. Update your access control policy to two_factor

Wrapping Up

Both Authelia and Authentik are excellent choices for adding authentication to your homelab. Authelia wins on simplicity and resource usage. Authentik wins on features and flexibility. Neither is objectively "better" because they serve slightly different needs.

My honest recommendation? Start with Authelia. It'll take you maybe an hour to set up, and it solves the immediate problem of protecting your services. If you find yourself wanting more advanced features down the road, Authentik will be waiting.

The most important thing is that you're adding authentication at all. Running services exposed to the internet without proper auth is asking for trouble. Even basic password protection is infinitely better than nothing.

Now go secure your homelab. Future you will be grateful.

Share