GateKeeper

Self-hosted authentication for your apps and infrastructure.

GateKeeper is a self-hosted authentication server. It runs as a single Docker container, stores everything in SQLite, and is configured entirely through its admin UI - no config files or restarts needed.

  • OIDC identity provider - any app that supports OIDC can delegate login to GateKeeper. Users authenticate once and apps receive a verified identity token. Works with Grafana, Jellyfin, Portainer, Traefik Manager, or any standard OIDC client.
  • ForwardAuth middleware - protect apps at the reverse proxy level without touching their code. GateKeeper sits in front and verifies every request. Works with Traefik.
  • Multiple sign-in methods - password + email OTP, passwordless email OTP, TOTP (authenticator app), and passkeys (fingerprint, face, hardware key).
  • Admin UI - manage users, OIDC clients, settings, and the audit log from a browser. No CLI or config files required.
  • First-run setup page - no env vars needed for the admin account
  • Trusted device tokens - users skip 2FA for 30 days after first verification on a device
  • Passkeys (WebAuthn) on both admin and user accounts
  • TOTP with recovery codes
  • Passwordless email OTP mode per user
  • Append-only audit log with filtering
  • Embedded schema migrations - database is created and updated automatically
  • Single binary, single SQLite file, single Docker container