Auth that lives in your stack,
not someone else's cloud.
Kotauth is the open-source, Docker-native identity platform. Enterprise-grade OAuth, OIDC and multi-tenancy, self-hosted in one command. The free alternative to Clerk, Auth0 and Keycloak.
Your auth shouldn't be someone else's SaaS.
Three reasons teams move their identity layer in-house.
Your data never leaves
Users, tokens and audit logs stay on infrastructure you control. No third party sits in your authentication path. Ever.
No per-MAU billing
Free and open source under MIT. Scale from ten users to ten million without a pricing tier, a sales call, or a surprise invoice.
Runs anywhere Docker runs
A ~120 MB image, non-root and read-only by default. Cloud, on-prem, air-gapped, or your laptop. One command to start.
Everything you need for identity
Complete authentication infrastructure with the simplicity developers expect.
OAuth 2.0 & OpenID Connect
Authorization Code + PKCE, Client Credentials, token rotation, introspection and OIDC Discovery. Any OIDC client works out of the box.
Multi-Tenant Workspaces
Isolated user directories, per-tenant RS256 keys, slug-routed APIs and independent security policies. One instance, many products.
Magic-Link Passwordless
Email passwordless login with 15-minute one-time tokens and same-device binding. User-enumeration safe and fully MFA-aware.
Backup & Restore
Encrypted tenant snapshots with PBKDF2 600k + AES-256-GCM. Export and import via CLI or admin API. Portable, schema-validated.
AI-Native Management
Manage users, roles, sessions and audit logs from Claude, Cursor or any MCP client. 33 tools across 8 domains, scope-based access.
Docker-Native Deployment
~120 MB image on GHCR. Non-root, read-only, no-new-privileges. One-command quickstart, auto-migrations, fully air-gapped.
Manage identity in plain language.
The first self-hosted IAM with native Model Context Protocol support. Connect Claude, Cursor or any MCP client. 33 scoped tools, no SDK, no custom code.
npx @kotauth/mcp one command to connect On it. Locking the account, revoking sessions, pulling the audit trail.
Done. Here's the last hour:
Looks like credential stuffing, then account takeover. The email change confirms it.
Auth screens that don't look like auth screens.
Production-ready login, registration, MFA and account pages, beautiful by default, fully white-labeled per tenant, zero rebuild required.
How Kotauth stacks up
The differentiators that actually matter, measured against the self-hosted incumbent and the SaaS players.
Ready to own your
authentication?
Deploy Kotauth in under a minute. No credit card, no sales call, no lock-in.