Authelia website screenshot

Authelia

Authelia is an open source authentication and authorization server providing multi-factor authentication and single sign-on for applications behind a reverse proxy. It supports OpenID Connect 1.0, OAuth 2.0, TOTP, WebAuthn, and Duo Push as authentication methods. Authelia exposes a REST API documented with an OpenAPI specification and integrates with nginx, Traefik, Caddy, and other reverse proxies.

2 APIs 7 Features
AuthenticationAuthorizationLDAPMFAOpen SourceOpenID ConnectSelf-HostedSSO

APIs

Authelia REST API

The Authelia REST API provides endpoints for authentication flows including first-factor login, MFA challenges, password reset, session management, and authorization verificatio...

Authelia OpenID Connect 1.0 Provider

Authelia acts as an OpenID Certified OpenID Connect 1.0 Provider supporting Authorization Code, Implicit, and Hybrid flows with PKCE, PAR, and various token endpoint authenticat...

Collections

Pricing Plans

Authelia Plans Pricing

3 plans

PLANS

Rate Limits

Authelia Rate Limits

5 limits

RATE LIMITS

FinOps

Features

Multi-Factor Authentication

Supports TOTP, WebAuthn/FIDO2, Duo Push, and mobile authenticator apps as second factors.

OpenID Connect 1.0 Provider

OpenID Certified identity provider supporting Authorization Code, Implicit, and Hybrid flows.

Single Sign-On

Session-based SSO across all applications behind the reverse proxy with configurable session lifetime.

LDAP/Active Directory Integration

User authentication against LDAP, Active Directory, and OpenLDAP directories with group-based access control.

Access Control Rules

Fine-grained access control policies based on domain, path, user, group, and network for precise authorization.

Reverse Proxy Integration

Native integration with nginx, Traefik, Caddy, HAProxy, Envoy, and Skipper via forward-auth and ExtAuthz endpoints.

Passwordless Authentication

Support for WebAuthn/FIDO2 passwordless login using hardware security keys and platform authenticators.

Use Cases

Self-Hosted SSO

Deploy a self-hosted SSO solution for internal web applications and services without relying on cloud identity providers.

Homelab Security

Protect self-hosted homelab applications with MFA and access control without exposing them to the internet unprotected.

Small Business Identity

Provide centralized authentication for small business web applications using LDAP and access control policies.

OIDC Provider

Act as an OpenID Connect provider for applications requiring OAuth 2.0 and OIDC-based authentication flows.

Integrations

Nginx

Integration with nginx-based proxies including nginx, nginx-proxy-manager, and Swag via auth_request module.

Traefik

Native Traefik middleware integration via ForwardAuth for seamless authentication in Docker and Kubernetes environments.

Caddy

Caddy forward-auth integration for protecting applications behind the Caddy web server.

LDAP/Active Directory

User directory integration with LDAP, Active Directory, and FreeIPA for enterprise user management.

Helm

Official Helm chart available at the authelia/chartrepo GitHub repository for Kubernetes deployment.

Solutions

Self-Hosted Identity

Complete self-hosted identity and access management solution for privacy-conscious deployments.

Zero Trust Security

Enforce zero trust network access policies for internal applications with per-request authentication verification.

Resources

🔗
Website
Website
🔗
Documentation
Documentation
👥
GitHubOrganization
GitHubOrganization
👥
GitHubRepository
GitHubRepository
📄
ChangeLog
ChangeLog
💬
Support
Support
🔗
Community
Community

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: Authelia OpenID Connect 1.0 Endpoints
  version: '1.0'
request:
  auth:
    type: oauth2
    flow: authorization_code
    authorizationUrl: https://auth.example.com/api/oidc/authorization
    accessTokenUrl: https://auth.example.com/api/oidc/token
    credentials:
      clientId: '{{clientId}}'
      clientSecret: '{{clientSecret}}'
items:
- info:
    name: Discovery
    type: folder
  items:
  - info:
      name: OpenID Connect discovery document
      type: http
    http:
      method: GET
      url: https://{authelia_host}/.well-known/openid-configuration
    docs: OpenID Connect discovery document
  - info:
      name: OAuth 2.0 Authorization Server metadata
      type: http
    http:
      method: GET
      url: https://{authelia_host}/.well-known/oauth-authorization-server
    docs: OAuth 2.0 Authorization Server metadata
- info:
    name: OIDC
    type: folder
  items:
  - info:
      name: JSON Web Key Set
      type: http
    http:
      method: GET
      url: https://{authelia_host}/jwks.json
    docs: Public keys used to verify signatures of issued tokens.
  - info:
      name: Authorization endpoint
      type: http
    http:
      method: GET
      url: https://{authelia_host}/api/oidc/authorization
    docs: Initiates the authentication flow and handles authorization requests.
  - info:
      name: Authorization endpoint (POST form)
      type: http
    http:
      method: POST
      url: https://{authelia_host}/api/oidc/authorization
    docs: Authorization endpoint (POST form)
  - info:
      name: Token endpoint
      type: http
    http:
      method: POST
      url: https://{authelia_host}/api/oidc/token
    docs: Issues access, ID and refresh tokens after code exchange.
  - info:
      name: UserInfo endpoint
      type: http
    http:
      method: GET
      url: https://{authelia_host}/api/oidc/userinfo
    docs: Returns claims about the authenticated end user.
  - info:
      name: UserInfo endpoint (POST)
      type: http
    http:
      method: POST
      url: https://{authelia_host}/api/oidc/userinfo
    docs: UserInfo endpoint (POST)
  - info:
      name: Token introspection
      type: http
    http:
      method: POST
      url: https://{authelia_host}/api/oidc/introspection
    docs: Validates and returns metadata about an issued token.
  - info:
      name: Token revocation
      type: http
    http:
      method: POST
      url: https://{authelia_host}/api/oidc/revocation
    docs: Invalidates an issued token.
  - info:
      name: Device Authorization endpoint
      type: http
    http:
      method: POST
      url: https://{authelia_host}/api/oidc/device-authorization
    docs: OAuth 2.0 Device Authorization Grant for constrained devices.
  - info:
      name: Pushed Authorization Request (PAR)
      type: http
    http:
      method: POST
      url: https://{authelia_host}/api/oidc/pushed-authorization-request
    docs: Enables secure pre-registration of authorization requests.
bundled: true