Best Self-hosted Alternatives to SuperTokens Cloud

ZITADEL is an identity and access management platform for authenticating users and securing applications. It provides hosted and custom login options, supports modern standards like OIDC/OAuth2 and SAML, and is designed with multi-tenancy in mind for B2B and CIAM scenarios.

Key Features

• Multi-tenant organizations with team and project management
• Single Sign-On with OpenID Connect and OAuth 2.x flows
• SAML 2.0 support for enterprise federation
• Multifactor authentication (OTP) and passkeys (FIDO2/WebAuthn)
• Role-based access control (RBAC) and permission management
• Self-service user registration and account management
• API-first platform with gRPC and REST APIs
• SCIM 2.0 server for automated user provisioning
• Event-sourced architecture with an audit trail

Use Cases

• Centralized authentication for web and mobile apps using OIDC/OAuth2
• B2B SaaS user management with isolated organizations and delegated admin
• Enterprise integrations via SAML and automated provisioning via SCIM

Limitations and Considerations

• Requires PostgreSQL (commonly version 14+) as the primary storage backend

ZITADEL combines standards-based authentication with strong multi-tenancy and extensibility, making it suitable for both customer-facing and internal identity scenarios. It can be operated with a hosted login or integrated more deeply via APIs for fully custom experiences.

Casdoor is an open-source, UI-first Identity and Access Management (IAM) and Single Sign-On (SSO) platform that provides a web-based admin console for managing users, organizations, and authentication flows. It is designed to integrate with applications via standard identity protocols and offers extensible user authentication options.

Key Features

• Web UI for user, organization, application and permission management
• SSO and federation support via OAuth 2.0, OpenID Connect (OIDC), and SAML 2.0
• Directory and provisioning integrations including LDAP and SCIM
• Multiple authentication methods including WebAuthn and TOTP-based MFA
• Built-in registration, email verification, and password recovery flows
• Public REST API and SDKs to simplify application integration

Use Cases

• Centralized login and SSO for internal apps and SaaS-style multi-tenant products
• Adding MFA and modern authentication (OIDC/WebAuthn) to existing services
• User lifecycle management and provisioning across connected systems

Casdoor fits teams that want an admin-friendly IAM/SSO solution with broad protocol support and a ready-to-use web console. It is especially useful when you need standards-based SSO plus flexible authentication methods in one deployable service.

Pocket ID is a lightweight OpenID Connect (OIDC) identity provider designed for simple deployments. It focuses on passwordless authentication by using passkeys, enabling users to sign in securely without managing passwords.

Key Features

• OpenID Connect provider for authenticating users to compatible services
• Passkey-only (passwordless) authentication flow
• Designed to be simpler to operate than larger IAM suites for small setups
• Web-based admin/user interface for managing the identity provider
• Container-friendly deployment options for straightforward installation

Use Cases

• Centralized login (OIDC) for homelab and self-hosted applications
• Passwordless sign-in using hardware keys (for example, security keys)
• Lightweight alternative for small teams that only need OIDC authentication

Limitations and Considerations

• Passkey-only approach may not fit environments that require passwords or multiple auth methods

Pocket ID is a good fit when you want an OIDC provider with minimal complexity and a strong passwordless stance. It prioritizes ease of use and modern authentication for smaller, focused deployments.

Cerbos is a language-agnostic authorization layer that externalizes permissions into context-aware policies evaluated by a stateless Policy Decision Point (PDP). It is designed to support least-privilege access control across applications, APIs, services, and modern workloads.

Key Features

• Policy-based authorization using simple YAML policies for resources, actions, and principals
• Context-aware decisions with conditional rules and attribute-based access control (ABAC)
• Derived roles and principal-specific policies for dynamic and exception-driven authorization
• Stateless PDP service exposing APIs for authorization checks and query planning
• Multiple policy storage backends (e.g., local disk, Git-based workflows, and supported databases)
• Designed for scalable, highly available deployments (service, sidecar, or other runtime patterns)

Use Cases

• Centralize authorization for microservices, APIs, and web applications with consistent rules
• Implement fine-grained RBAC/ABAC for multi-tenant or enterprise software
• Offload authorization logic from application code to a dedicated decision service

Cerbos helps teams manage authorization as code, enabling clearer permission logic, easier auditing of intent, and safer evolution of access rules as systems grow.

VoidAuth is an open-source authentication and user management service designed to sit in front of your self-hosted applications. It provides Single Sign-On via OpenID Connect and can also protect apps through a reverse-proxy ForwardAuth flow.

Key Features

• OpenID Connect (OIDC) identity provider for SSO integrations
• ForwardAuth-style proxy authentication for protecting apps behind a reverse proxy
• Built-in user and group management with an admin panel
• User invitations and optional self-registration
• Multi-factor authentication support, including passkeys (WebAuthn)
• Secure password reset via email verification
• Customization for branding and emails (logo, title, theme color, email templates)
• Encryption at rest with PostgreSQL or SQLite-backed storage

Use Cases

• Centralized login for a homelab or self-hosted app suite using OIDC
• Protecting internal dashboards and services via reverse-proxy ForwardAuth
• Lightweight IAM for small teams with groups and invitation-based onboarding

Limitations and Considerations

• The project notes it has not been security audited; evaluate risk and keep dependencies updated

VoidAuth fits users who want a modern, self-hosted SSO solution with both OIDC-based federation and reverse-proxy authentication, plus practical account management features. It is especially suited for homelabs and small organizations standardizing authentication across multiple services.

Authgear is an identity and authentication platform for consumer and B2B applications, providing hosted login, user management, and standards-based SSO. It can be deployed for self-hosting and is designed to support modern authentication methods across web and mobile.

Key Features

• Pre-built, customizable signup/login and account settings UI
• Passwordless authentication (magic link / OTP via email and SMS) and passkeys (WebAuthn)
• Multi-factor authentication (TOTP, email OTP, SMS OTP)
• SSO and federated identity via OAuth 2.0 / OIDC and SAML 2.0
• Admin portal for configuration, user/session management, and operational insights (e.g., logs)
• Admin API with GraphQL for managing auth resources and automation
• Extensibility via webhooks and server-side hooks for custom auth logic
• Enterprise-oriented controls such as audit logs, rate limiting, and brute-force protection

Use Cases

• Add authentication to SaaS products and multi-app ecosystems with a unified identity layer
• Implement enterprise SSO for B2B customers using OIDC/SAML and directory integrations
• Roll out phishing-resistant sign-in using passkeys plus MFA for higher assurance logins

Authgear combines turnkey UI components with protocol support and administrative tooling, making it suitable for teams that want a customizable IAM foundation without building auth from scratch. Its API and hooks enable deeper integration while keeping authentication flows consistent across platforms.

Melody Auth is a turnkey OAuth 2.0 and authentication system you can run on Cloudflare Workers (with D1 and KV) or self-host on Node.js with Redis and PostgreSQL. It provides a complete auth server, management UI, and developer-facing APIs and SDKs for integrating secure login flows into applications.

Key Features

• OAuth 2.0 flows including authorization, token exchange, refresh token revoke, scopes, consent, and user info retrieval
• OpenID Connect support (discovery/openid configuration) and JWT/JWKS-based authentication with key rotation
• Multi-factor authentication options including email/OTP/SMS, passkeys, recovery codes, and “remember device”
• External identity providers including social login (Google, GitHub, Discord, Apple, etc.) and OIDC providers; SAML SSO in Node.js deployments
• Role-based access control (RBAC), user attributes, account linking, organizations and groups
• Admin panel for managing users, apps, roles/scopes, organizations, IdPs, and logs (including impersonation)
• Server-to-server REST API plus embedded auth API and frontend SDKs for web, React, Angular, and Vue
• Brute-force protection and security-focused logging for sign-in and verification flows

Use Cases

• Ship OAuth/OIDC authentication for new products with a built-in admin console
• Add MFA, passkeys, and social login to existing apps without building auth from scratch
• Run an internal identity provider for multiple apps with RBAC, org/group management, and audit-friendly logs

Melody Auth is well-suited for teams that want a complete, customizable auth stack with minimal operational overhead on the edge or full control in a traditional server deployment.

AuthPortal is a lightweight, Go-built authentication gateway that provides a unified login experience for Plex, Jellyfin, and Emby users. It issues signed session cookies, offers an admin console, and can act as an OAuth 2.1 / OIDC authorization server for downstream apps.

Key Features

• Unified login flows for Plex (PIN flow), Jellyfin, and Emby with provider-specific handling.
• Signed, HTTP-only JWT session cookies and session lifecycle management.
• Optional TOTP-based multi-factor authentication with recovery codes and per-tenant enforcement.
• Built-in OAuth 2.1 / OIDC endpoints (discovery, JWKS, token, userinfo) with PKCE and refresh support.
• Admin SPA for runtime config editing (providers, security, MFA), OAuth client management, and encrypted config backups with scheduling/retention.

Use Cases

• Provide single sign-on for a media-focused community (Plex/Jellyfin/Emby) across internal portals and apps.
• Act as a lightweight first-party OIDC authorization server for home-lab or intranet applications.
• Centralize MFA enforcement, OAuth client lifecycle, and runtime configuration for downstream services.

Limitations and Considerations

• Designed for same-origin / intranet scenarios; production use requires proper HTTPS reverse proxy and careful key management (SESSION_SECRET, DATA_KEY).
• Relies on Postgres for user/profile storage and expects you to manage DB availability, backups, and secret rotation.

AuthPortal is intended for self-hosting in home-lab and media community environments. It emphasizes a small runtime footprint, containerized deployment, and extensible provider support while requiring operators to follow security best practices and manage secrets and backups carefully.

FusionAuth is a full-featured authentication and identity platform for adding login, registration, and access control to web, mobile, and API-driven applications. It provides standards-based auth flows and an admin UI for managing users, applications, and security settings.

Key Features

• Standards-based authentication and authorization using OAuth 2.0 and OpenID Connect
• SAML v2 support for enterprise SSO integrations
• Multi-factor authentication (MFA) and passwordless authentication options
• User, group, and role management with application-specific configuration
• Admin dashboard and APIs for identity management and automation

Use Cases

• Centralized login and SSO across multiple internal and customer-facing applications
• Add OAuth/OIDC-based authentication for APIs and microservices
• Enterprise integrations requiring SAML-based identity federation

FusionAuth is a practical choice for teams needing a self-hosted IAM solution with modern auth standards, multiple authentication methods, and an administrative interface for ongoing identity operations.