
Open-source alternatives to Auth0 and Okta in 2026 — Keycloak for identity you host
TL;DR
Auth0 and Okta price identity by the person who logs in. Auth0's free tier covers 25,000 monthly active users, but proper MFA, enterprise single sign-on, and a support SLA sit behind paid plans. Okta's Customer Identity platform starts at $3,000/month.
Keycloak is the open-source identity server most teams reach for when they leave. It speaks OIDC, SAML, and social login, federates an existing user directory, and includes MFA. It carries about 33,000 GitHub stars under an Apache 2.0 licence.
Keycloak's licence is free. Running it in production is not. You own patching, uptime, and the backup of your user database. Identity is the front door to everything you run, so that blast radius is real.
Managed Keycloak on DANIAN is €9/month, flat, with no per-active-user fee. We patch it, monitor it, and back it up. You keep your realm, your users, and the export.
The honest catch: Auth0 and Okta are quicker to switch on and ship a far wider set of SDKs. Keycloak is heavier to configure. Managed hosting removes the operational burden, not the learning curve.
Why teams are leaving Auth0 and Okta in 2026
Auth0 and Okta price identity per active user. Auth0's paid plans start at $35/month and rise with every additional monthly active user. Okta's Customer Identity platform starts at $3,000/month before usage. The features a production app actually needs — enterprise SSO, proper MFA, a real support SLA — sit on the higher tiers.
The friction is the model, not any single price. When the meter runs on monthly active users, the identity bill grows with the product rather than with the value identity adds. A login is a login. Charging more for it as you succeed is a tax on growth.
Auth0's pricing page shows the shape clearly. The free tier is genuinely generous on raw count: up to 25,000 monthly active users. What it leaves out is what a real deployment needs. You get one enterprise connection, community support only, no separate development and production environments, and limited multi-factor options. The moment you need those, you move to Essentials at $35/month or Professional at $240/month, each metered above a 500-user base.
For business software, the jump is sharper. Auth0's B2B plans start higher — independent pricing trackers put Essentials for B2B near $150/month and Professional near $800/month — and they cap the number of enterprise SSO connections, commonly three and five. Sign your fourth or sixth enterprise customer, each of whom mandates SAML single sign-on, and you can be pushed into a custom Enterprise contract.
Okta sells two separate products, and both meter. Its Workforce Identity suites, for signing in your own staff, run from $6 per user per month to $17 per user per month, with a $1,500 annual minimum. Its Customer Identity platform, for your app's end users, starts at a $3,000/month base, billed annually, with add-ons priced on monthly active users on top. For a small team, that is a floor that has little to do with its actual size.
None of this makes Auth0 or Okta bad software. It makes them metered software. The teams leaving in 2026 are not unhappy with the login box. They are unhappy with a bill that scales with their user count and gates the basics behind tiers.
What "alternative" actually means here
"Alternative" splits three ways. You can move to a cheaper hosted identity service and keep the per-user meter. You can self-host an open-source identity server and own the operations. Or you can run that open-source server on managed hosting — open-source underneath, someone else on call. This guide covers the third path, with Keycloak.
The first path is the easy swap and the weakest one. A cheaper hosted service still meters logins and still keeps your users on someone else's platform. You have traded a bigger invoice for a smaller one, not changed the model.
The second path changes the model. An open-source identity server has no per-user licence. Download it, run it, and a thousand users cost the same in software as ten do: nothing. What you take on instead is the server, the patch cycle, the upgrades, and the backups. For identity, that responsibility is heavier than it looks, and the next sections are honest about why.
The third path keeps the open-source model and hands the operations to someone else. The software is still open, your data is still yours and still exportable, and there is still no per-user meter. The difference is that patching, monitoring, uptime, and backups become a managed service rather than your weekend.
The open-source shortlist
Four open-source identity servers cover most of what Auth0 and Okta do. Keycloak is the most complete and the one we run managed. Authentik, Zitadel, and Authelia each fit a narrower shape. All four are free to download. The cost is the server they run on and the time to operate them.
Keycloak — start here
Keycloak is a full identity server, built originally inside Red Hat and now a Cloud Native Computing Foundation project under an Apache 2.0 licence. It speaks OIDC, OAuth 2.0, and SAML, federates LDAP and Active Directory, handles social login through dozens of providers, and includes multi-factor authentication with one-time codes and WebAuthn. It carries about 33,000 GitHub stars and ships from a project with more than 1,400 contributors.
It is the right pick when you want one server doing the whole job: OIDC and SAML for your apps, social login for your users, directory federation for the accounts you already have, and MFA across all of it. The current release line runs on Quarkus and starts fast. The official site at keycloak.org has the downloads and documentation.
The honest part: Keycloak's model has a learning curve. Realms, clients, mappers, and authentication flows are powerful and not self-explanatory on day one. We run it for customers as managed Keycloak hosting at €9/month, which removes the patching and uptime work and gives you a human to ask when a flow or a mapper does not behave.
See managed Keycloak hosting →
Authentik
Authentik is a newer identity provider written in Python and Go, with its core under an MIT licence and roughly 21,000 GitHub stars. It covers OIDC, SAML, and LDAP, and its proxy mode can put a login in front of apps that have no native single sign-on of their own. It suits self-hosters who want flexibility and a deep catalogue of integrations.
One caution from the field: major version upgrades have broken integrations for some users, so a database backup before each upgrade is not optional. Authentik also leans on PostgreSQL, which adds a moving part to a single-host setup.
Zitadel
Zitadel is a cloud-native identity server written in Go, under an AGPL 3.0 licence, with around 13,000 GitHub stars. It is built for multi-tenant business software, with clean OIDC, strong organisation modelling, and a Terraform provider that is among the better ones in this space. It is the strongest fit when you sell software to other businesses and want tenancy designed in from the start.
Two things to weigh: the AGPL licence carries obligations if you modify Zitadel and offer it to others as a service, and its gRPC APIs expect HTTP/2 on your reverse proxy, which not every setup provides by default.
Authelia
Authelia is a lightweight authentication and authorisation portal under an Apache 2.0 licence, with roughly 25,000 GitHub stars. It adds MFA and single sign-on in front of a reverse proxy, from a container under 20 MB with a small memory footprint. It is the right tool when you mainly need two-factor and SSO for a handful of self-hosted apps rather than a full identity server with its own directory.
The boundary to understand: Authelia pairs with a reverse proxy rather than standing alone as a complete identity provider, though it now ships an OIDC provider of its own. For directory federation and SAML across many applications, a full server like Keycloak is the better fit.
Three more are worth knowing if your needs are developer-first: Ory offers a modular, API-first identity stack; SuperTokens focuses on embedding auth into your own app; and Casdoor pairs authentication with a fine-grained authorisation engine. The table below sets the four main options side by side.
| Identity server | GitHub stars (approx.) | Licence | Covers OIDC, SAML, MFA, directory federation | Managed by DANIAN | Switching effort |
|---|---|---|---|---|---|
| Keycloak | ~33,000 | Apache 2.0 | Yes — all four | Yes, €9/month | Moderate; concepts to learn, no per-user limits |
| Authentik | ~21,000 | MIT (core) | OIDC, SAML, LDAP, MFA; proxy mode for apps without SSO | Self-host | Moderate; upgrades need care |
| Zitadel | ~13,000 | AGPL 3.0 | OIDC, SAML, LDAP, MFA; built for multi-tenant SaaS | Self-host | Moderate; HTTP/2 proxy required |
| Authelia | ~25,000 | Apache 2.0 | MFA and SSO portal; OIDC provider; pairs with a proxy | Self-host | Light for its scope; not a full directory |
Star counts are approximate and reflect mid-2026. They measure attention, not suitability — the right pick is the one whose shape matches your job.
The cost at 1,000 and 10,000 monthly active users
A monthly active user is anyone who signs in during the month, counted once. On Auth0 and Okta, that number drives the bill. On Keycloak, it does not — you pay for the server, not the headcount. Here is the math at two common sizes, using the published prices.
| Monthly active users | Auth0 (Customer Identity, B2C production) | Okta (Customer Identity) | Self-hosted Keycloak (your VPS) | Managed Keycloak (DANIAN) |
|---|---|---|---|---|
| ~1,000 | ~$70–$275/mo (Essentials to Professional) | from $3,000/mo (base platform) | ~$44/mo server + your time | €9/mo, flat |
| ~10,000 | ~$700–$900+/mo (Professional + per-user overage) | $3,000+/mo (base + usage add-ons) | ~$44/mo server + your time | €9/mo, flat (larger instance if you want headroom) |
A few honest notes on that table. The Auth0 figures assume a real production setup — MFA, a support SLA, and separate development and production environments — not the free tier; independent trackers put the per-user overage above the 500-user base at roughly $0.07 per monthly active user, which is what carries the 10,000-user column toward four figures. Okta's Customer Identity platform is built for larger organisations, so its $3,000/month floor is less a quote for a 1,000-user app than a sign that the hosted incumbents price for scale. The self-hosted column is a $24/month production-class VPS plus about $5 for off-site backup storage and about $15 for monitoring, before any of your own time. That time — patching, upgrades, backup checks, and on-call — is the real cost of the self-host path, and a freelance sysadmin rate puts it at €60 to €240 a month.
The managed column is the one that does not move. Keycloak has no per-user licence, so on DANIAN you pay €9/month for the instance and nothing per person who logs in. A busy identity service may want more memory and CPU for headroom; on DANIAN that is a flat resource upgrade, not a per-user charge. Whether a thousand people sign in or ten thousand do, the line item is the box, not the headcount.
The honest trade — you own the blast radius
Self-hosting identity means you own the blast radius. Identity is the front door to every app behind it, so an unpatched flaw, a delayed upgrade, downtime, or a lost user database is not contained to one service. That is the real weight of the second path, and why a free licence is not the same as free to run.
Managed hosting changes which of those risks are yours. On DANIAN, we handle patching, monitoring, uptime, and daily off-site backups of the instance. A new Keycloak release with a security fix is our job to roll out, not a task waiting in your tracker. You still own your realm, your users, and your configuration, and you can export all of it whenever you want. What you hand over is the operational burden, not the data.
Fairness cuts the other way too. Auth0 and Okta earn their price on two fronts. They are quicker to switch on — a polished hosted dashboard and a setup measured in an afternoon — and they ship a far wider set of SDKs, quickstarts, and pre-built integrations than any self-hosted server. If your team values that breadth and is happy to pay the meter, staying is a reasonable call.
There is one more honest reason to stay. If your customer's procurement team requires a hosted provider's formal, third-party security attestations on paper today, the large incumbents carry those, and that is a genuine reason some teams do not move. For a deal that hinges on that paperwork right now, a provider built around it is the better fit. For most small and mid-sized teams, the question is simpler: do you want identity you control without a per-user meter, and do you want the operations handled?
How to pick: three questions to ask yourself
Three questions sort most teams onto the correct path. They are about your real constraints — your budget and who is available to run the server — not about which identity server happens to have the most GitHub stars. Answer them honestly and the choice tends to make itself.
1. Do you need enterprise SSO and MFA without paying per user? If SAML single sign-on and multi-factor are requirements and you do not want a meter that climbs with every active user, an open-source server like Keycloak gives you both with no per-user line. If you only need basic login for a tiny app under a free MAU cap, a hosted free tier may genuinely be enough.
2. Do you have someone to own patching and uptime, or do you want it handled? If you have an engineer who is happy to own the patch cycle, the upgrades, the backups, and the on-call, self-hosting Keycloak on a VPS is a sound, low-cost path. If you do not, managed hosting trades a small flat fee for the work you would otherwise carry.
3. Do you need a full identity server, or just two-factor in front of a few apps? If you need OIDC, SAML, directory federation, and MFA across many applications, Keycloak is the complete server. If you mainly want 2FA and SSO in front of a handful of self-hosted tools, Authelia is lighter and quicker to stand up.
FAQ
Is Keycloak really free?
Yes. Keycloak is open-source under an Apache 2.0 licence, with no per-user or per-active-user fee. The software costs nothing to download and run. The real cost is the server it runs on and the time to operate it — or a flat managed fee if you would rather not run it yourself.
How much does it cost to self-host Keycloak?
The software is free; the running cost is the server and your time. A production-class setup is roughly a $24/month server, about $5 for off-site backup storage, and about $15 for monitoring — near $44 a month before any of your own time. That time, for patching, upgrades, and on-call, is the larger cost: a freelance sysadmin rate puts it between €60 and €240 a month. Managed Keycloak on DANIAN is €9/month, with that operational work handled.
Is Auth0 still free in 2026?
Auth0 still has a free tier, and on raw count it is generous — up to 25,000 monthly active users. The limits are in the features, not the headcount. The free tier gives one enterprise connection, community-only support, no separate development and production environments, and limited multi-factor options. A real production deployment needs those, which moves you onto a paid plan that meters above a 500-user base.
Is Keycloak a good Okta alternative?
For most teams, yes. Okta charges per user — its workforce plans run by the seat with an annual minimum, and its customer-identity platform starts in the thousands per month. Keycloak gives you the same protocols, OIDC and SAML single sign-on with MFA, on software you run yourself with no per-user fee. Okta is the easier on-ramp and ships more pre-built integrations; Keycloak is the better fit when you want to own identity and drop the per-seat meter.
What's the difference between Auth0's hosted platform and self-hosted Keycloak?
Auth0 runs the identity service for you and charges per monthly active user, with key features on higher tiers. Keycloak is software you run yourself, with no per-user licence and every protocol included. Auth0 trades cost and control for hosted simplicity; Keycloak trades that simplicity for ownership and a flat cost base.
Does Keycloak support SAML and OIDC?
Yes, both. Keycloak speaks OIDC and OAuth 2.0 for modern apps and SAML 2.0 for enterprise single sign-on, from the same server. It can also act as an identity broker, letting users sign in through Google, GitHub, or another provider, and federate accounts from LDAP or Active Directory.
What about multi-factor authentication?
MFA is built in. Keycloak supports one-time passwords from apps like Google Authenticator and hardware-backed WebAuthn and passkeys, configurable per realm and per authentication flow. There is no separate tier or add-on charge for it, unlike the hosted incumbents where stronger MFA factors sit on paid plans.
Does Keycloak support passkeys and passwordless login?
Yes. Keycloak supports WebAuthn natively, and passkeys are built into the login form from the 26.4 release. You can let people sign in with a platform authenticator like Touch ID or Windows Hello, or a hardware key like a YubiKey, as a first factor or a second one. There is no separate add-on or tier for it, a contrast with hosted providers that put stronger factors on paid plans.
Can Keycloak connect to my existing users and social logins?
Yes. Keycloak federates an existing LDAP or Active Directory so your current accounts keep working, and it brokers social login through providers like Google, GitHub, Microsoft, and Apple. Users can sign in with what they already have, while you keep one place to manage access.
Can Keycloak handle multiple tenants or customer organizations?
Yes. Keycloak's primary boundary is the realm: each realm is a separate space with its own users, clients, roles, and login flows, which suits keeping tenants apart. For business software that needs lighter tenancy inside one realm, the Organizations feature added in the 26.x line groups users and identity providers per organisation. For heavy multi-tenant software with strict separation, you weigh realms against a platform built organisations-first.
Can I customise and brand the Keycloak login pages?
Yes. Keycloak uses themes, so you can match the login, account, and email pages to your own branding. Themes are standard files you can version and reuse across realms, so the look stays consistent as you grow. On managed hosting you keep the same theming control; the instance is yours to configure, and only the patching and uptime are handled for you.
Is Keycloak hard to set up?
Keycloak has a learning curve. Its core ideas — realms, clients, mappers, and authentication flows — are powerful and take time to learn on a first deployment. The software itself installs in minutes from a container; the work is in configuring it correctly and keeping it patched. Managed hosting removes the patching and uptime work, and gives you someone to ask when a flow does not behave, but it does not remove the concepts you need to understand.
What database does Keycloak need?
Keycloak stores its data in a relational database. PostgreSQL is the common choice for production, and MariaDB, MySQL, Oracle, and Microsoft SQL Server are supported as well. The database holds your users, configuration, and sessions, which is why backing it up is the core of any self-hosting plan. On managed hosting, the database and its daily off-site backups are part of the service.
Is self-hosted Keycloak secure?
Keycloak is built for security and is used by large organisations for exactly that. It ships modern password hashing, multi-factor authentication, and WebAuthn out of the box. Self-hosting does shift responsibility to you: an unpatched identity server is a serious risk, because identity is the front door to everything behind it. The security of a self-hosted instance rests on keeping it patched and backed up, which is the part managed hosting takes on.
How many users can Keycloak handle?
Large numbers. The project's own 26.4 benchmark runs against a database of 100,000 users and shows performance scaling almost linearly as you add CPU. There is no per-user cap in the software; the practical limit is your database and the resources you give the server. Login throughput is governed mostly by password-hashing work, so you add memory, CPU, or more instances as your login volume grows.
Is Keycloak ready for production, and who uses it?
Yes. Keycloak began inside Red Hat as the engine behind its commercial single sign-on product, and it is now a Cloud Native Computing Foundation project with more than 1,400 contributors. It is used in production by large companies, public-sector bodies, and software vendors. That maturity is one reason it is the most common open-source identity server, and the one we run managed.
How does managed Keycloak compare to running it on my own VPS?
The software is identical; the operational load is not. On your own VPS, you own a roughly $44/month server plus the time to patch, upgrade, monitor, and back it up. On DANIAN, that is €9/month with the patching, monitoring, and daily off-site backups handled, and a human on chat when a flow needs attention.
Keycloak vs Authentik — which should I choose?
Both are strong open-source identity servers. Authentik has a visual flow designer and a lighter footprint, and many teams find it quicker to approach. Keycloak is more established, with a deeper feature set, SAML as both provider and consumer, and the larger ecosystem of the two. A practical caution on Authentik: some major version upgrades have broken integrations, so a backup before each upgrade matters. Choose Keycloak for breadth and SAML; choose Authentik for a simpler day-one experience.
When should I choose Zitadel instead of Keycloak?
Choose Zitadel when you are building multi-tenant business software and want tenants kept fully separate and an API-first design from the start. Zitadel is built organisations-first, with a clean modern API. Keycloak covers multi-tenancy too — through realms, and the Organizations feature added in the 26.x line — and it is the stronger choice when you need SAML as both provider and consumer, deep customisation, or the larger ecosystem. Zitadel's AGPL licence also carries obligations if you modify it and offer it as a service.
How do I migrate from Auth0 to Keycloak?
Export your users, clients, and connections from Auth0, then recreate them in Keycloak. The safer path is gradual: run Keycloak as an identity broker in front of Auth0 and move one application at a time, rather than switching everything at once. Most teams keep Auth0 running for about a month afterwards as a rollback. A migration across several applications usually takes two to four weeks.
Can I keep my users' passwords when moving from Auth0 to Keycloak?
In most cases, yes. Auth0 can provide a bcrypt export of your database users on request, and Keycloak imports pre-hashed passwords through its Admin API, so people log in with the same password after the move. Keycloak handles PBKDF2 natively and bcrypt through a small password-hash plugin. Users who sign in only with Google or another social login have no password to move; you re-link those accounts to the same provider.
What happens to my user data if I leave?
It is yours and it is portable. Keycloak stores users and configuration in a standard database, and on DANIAN you can export your realm and your user data whenever you want. There is no lock-in beyond the work of pointing your apps at a new endpoint. The open-source server is yours; we operate it.
Where does my identity data live?
On managed Keycloak, your instance runs in the region you choose, from 21 datacenter locations across six continents. Your user database stays with your instance, and you can export it at any time. You pick the location that fits your users; the data is not spread across someone else's metered platform.
What to do this week
Pick the path that matches your answers above. If you have an engineer who wants to own the operations, download Keycloak from keycloak.org and stand it up on a VPS. If you would rather skip the patching, the upgrades, and the backups, run it managed and keep your team on the product instead of the plumbing.
If managed is the call, start a trial and deploy a Keycloak instance in the region closest to your users. Wire one app to it over OIDC, turn on MFA, and see how the flow feels before you commit. Seven days is enough to know.
One more piece tends to follow identity. Once you run your own login, your secrets — client secrets, API keys, and signing keys — want a proper home rather than a config file. Managed Vault for secrets management handles that, on the same flat €9 footing.
Pair it with managed Vault for secrets →
Sources:Auth0 pricing; Okta pricing; Keycloak project site; Keycloak on GitHub. Auth0 and Okta prices read June 2026; per-user overage figures from independent pricing trackers. Star counts approximate as of mid-2026. This is operational guidance, not legal advice.
