Auth that lives in your stack, not someone else's cloud.

Kotauth is the open-source, Docker-native identity platform. Enterprise-grade OAuth, OIDC and multi-tenancy, self-hosted in one command. The free alternative to Clerk, Auth0 and Keycloak.

$ docker compose -f docker-compose.quickstart.yml up -d
S
Startup Labs
workspace
A
Apps
Directory
Security
Logs
Settings
v1.19.2
Workspacesstartup-labsUsers
Users
New User
Filter by username, email, or name…
3 users in this workspace
USERNAMEFULL NAMEEMAILSTATUS
jordan.lee Jordan Lee jordan@startup.example Active Open
casey.smith Casey Smith casey@startup.example Active Open
riley.jones Riley Jones riley@startup.example Active Open
A free, self-hosted alternative to
ClerkAuth0KeycloakZitadelAutheliaPocket-ID
Why self-host

Your auth shouldn't be someone else's SaaS.

Three reasons teams move their identity layer in-house.

Your data never leaves

Users, tokens and audit logs stay on infrastructure you control. No third party sits in your authentication path. Ever.

No per-MAU billing

Free and open source under MIT. Scale from ten users to ten million without a pricing tier, a sales call, or a surprise invoice.

Runs anywhere Docker runs

A ~120 MB image, non-root and read-only by default. Cloud, on-prem, air-gapped, or your laptop. One command to start.

Features

Everything you need for identity

Complete authentication infrastructure with the simplicity developers expect.

OAuth 2.0 & OpenID Connect

Authorization Code + PKCE, Client Credentials, token rotation, introspection and OIDC Discovery. Any OIDC client works out of the box.

Multi-Tenant Workspaces

Isolated user directories, per-tenant RS256 keys, slug-routed APIs and independent security policies. One instance, many products.

Magic-Link Passwordless

Email passwordless login with 15-minute one-time tokens and same-device binding. User-enumeration safe and fully MFA-aware.

Backup & Restore

Encrypted tenant snapshots with PBKDF2 600k + AES-256-GCM. Export and import via CLI or admin API. Portable, schema-validated.

AI-Native Management

Manage users, roles, sessions and audit logs from Claude, Cursor or any MCP client. 33 tools across 8 domains, scope-based access.

Docker-Native Deployment

~120 MB image on GHCR. Non-root, read-only, no-new-privileges. One-command quickstart, auto-migrations, fully air-gapped.

AI-native management

Manage identity in plain language.

The first self-hosted IAM with native Model Context Protocol support. Connect Claude, Cursor or any MCP client. 33 scoped tools, no SDK, no custom code.

npx @kotauth/mcp one command to connect
Users 10
Roles 5
Groups 6
Applications 3
Sessions 2
Audit Logs 1
Attributes 3
Claim Mappers 3
MCP Session
Bob's account may be compromised. Disable him, kill all his sessions, and show me the last hour.

On it. Locking the account, revoking sessions, pulling the audit trail.

disable_user
✓ Account disabled · userId 87
revoke_session
✓ 2 active sessions revoked

Done. Here's the last hour:

LOGIN_FAILED ×3 from 191.96.x.x
LOGIN_SUCCESS from 191.96.x.x
USER_UPDATED email changed

Looks like credential stuffing, then account takeover. The email change confirms it.

Auth experience

Auth screens that don't look like auth screens.

Production-ready login, registration, MFA and account pages, beautiful by default, fully white-labeled per tenant, zero rebuild required.

Server-rendered, zero JS overhead
Pure server-rendered HTML. No client framework, no hydration delay. First paint under 100ms.
White-label per workspace
CSS custom properties injected at render time. Each tenant gets its own colors, logo and favicon, with zero rebuild.
Complete screen set
Login, register, forgot/reset password, accept invite, TOTP MFA and email verification, all production-ready.
Three presets, full control
Start with Light, Dark or Simple. Override any token to match your brand without touching backend code.
auth.acme.com/login
Sign in
to continue to Acme Corp
Email address
you@acme.com
or
Continue with GitHub
No account? Sign up
Compare

How Kotauth stacks up

The differentiators that actually matter, measured against the self-hosted incumbent and the SaaS players.

Capability
Kotauth
Keycloak
Clerk / Auth0
Self-hosted, full data ownership
Free at any user count
$$$
One-command Docker deploy
Modern admin UI
AI-native management (MCP)
White-label auth screens
partial
$$$
Air-gapped deployment
Multi-tenant workspaces
$$$
Developer experience
Live demo · no install

Ready to own your authentication?

Deploy Kotauth in under a minute. No credit card, no sales call, no lock-in.