Authelia

Authelia is an open source authentication and authorization server providing multi-factor authentication and single sign-on for applications behind a reverse proxy. It supports OpenID Connect 1.0, OAuth 2.0, TOTP, WebAuthn, and Duo Push as authentication methods. Authelia exposes a REST API documented with an OpenAPI specification and integrates with nginx, Traefik, Caddy, and other reverse proxies.

2 APIs 7 Features
Authentication, Authorization, LDAP, MFA, Open Source, OpenID Connect, Self-Hosted, SSO

APIs

Authelia REST API

The Authelia REST API provides endpoints for authentication flows including first-factor login, MFA challenges, password reset, session management, and authorization verificatio...

Authelia OpenID Connect 1.0 Provider

Authelia acts as an OpenID Certified OpenID Connect 1.0 Provider supporting Authorization Code, Implicit, and Hybrid flows with PKCE, PAR, and various token endpoint authenticat...

Features

Multi-Factor Authentication

Supports TOTP, WebAuthn/FIDO2, Duo Push, and mobile authenticator apps as second factors.

OpenID Connect 1.0 Provider

OpenID Certified identity provider supporting Authorization Code, Implicit, and Hybrid flows.

Single Sign-On

Session-based SSO across all applications behind the reverse proxy with configurable session lifetime.

LDAP/Active Directory Integration

User authentication against LDAP, Active Directory, and OpenLDAP directories with group-based access control.

Access Control Rules

Fine-grained access control policies based on domain, path, user, group, and network for precise authorization.

Reverse Proxy Integration

Native integration with nginx, Traefik, Caddy, HAProxy, Envoy, and Skipper via forward-auth and ExtAuthz endpoints.

Passwordless Authentication

Support for WebAuthn/FIDO2 passwordless login using hardware security keys and platform authenticators.

Use Cases

Self-Hosted SSO

Deploy a self-hosted SSO solution for internal web applications and services without relying on cloud identity providers.

Homelab Security

Protect self-hosted homelab applications with MFA and access control without exposing them to the internet unprotected.

Small Business Identity

Provide centralized authentication for small business web applications using LDAP and access control policies.

OIDC Provider

Act as an OpenID Connect provider for applications requiring OAuth 2.0 and OIDC-based authentication flows.

Integrations

Nginx

Integration with nginx-based proxies including nginx, nginx-proxy-manager, and Swag via auth_request module.

Traefik

Native Traefik middleware integration via ForwardAuth for seamless authentication in Docker and Kubernetes environments.

Caddy

Caddy forward-auth integration for protecting applications behind the Caddy web server.

LDAP/Active Directory

User directory integration with LDAP, Active Directory, and FreeIPA for enterprise user management.

Helm

Official Helm chart available at the authelia/chartrepo GitHub repository for Kubernetes deployment.

Solutions

Self-Hosted Identity

Complete self-hosted identity and access management solution for privacy-conscious deployments.

Zero Trust Security

Enforce zero trust network access policies for internal applications with per-request authentication verification.

Resources

Website
Documentation
GitHubOrganization
GitHubRepository
ChangeLog
Support
Community

Sources

aid: authelia
name: Authelia
description: |
  Authelia is an open source authentication and authorization server providing multi-factor authentication and single sign-on for applications behind a reverse proxy. It supports OpenID Connect 1.0, OAuth 2.0, TOTP, WebAuthn, and Duo Push as authentication methods. Authelia exposes a REST API documented with an OpenAPI specification and integrates with nginx, Traefik, Caddy, and other reverse proxies.
type: Index
image: https://kinlane-productions.s3.amazonaws.com/apis-json/apis-json-logo.jpg
tags:
- Authentication
- Authorization
- LDAP
- MFA
- Open Source
- OpenID Connect
- Self-Hosted
- SSO
url: >-
  https://raw.githubusercontent.com/api-evangelist/authelia/refs/heads/main/apis.yml
created: '2026-03-25'
modified: '2026-04-19'
specificationVersion: '0.19'
apis:
- aid: authelia:authelia-rest-api
  name: Authelia REST API
  description: |
    The Authelia REST API provides endpoints for authentication flows including first-factor login, MFA challenges, password reset, session management, and authorization verification for reverse proxy integration.
  humanURL: https://www.authelia.com/reference/
  baseURL: https://your-authelia-instance.example.com/api
  tags:
  - Authentication
  - Authorization
  - MFA
  - REST
  - SSO
  properties:
  - type: Documentation
    url: https://www.authelia.com/reference/
  - type: OpenAPI
    url: https://raw.githubusercontent.com/authelia/authelia/master/api/openapi.yml
  - type: GitHubRepository
    url: https://github.com/authelia/authelia
- aid: authelia:authelia-oidc-provider
  name: Authelia OpenID Connect 1.0 Provider
  description: |
    Authelia acts as an OpenID Certified OpenID Connect 1.0 Provider supporting Authorization Code, Implicit, and Hybrid flows with PKCE, PAR, and various token endpoint authentication methods.
  humanURL: https://www.authelia.com/configuration/identity-providers/openid-connect/provider/
  baseURL: https://your-authelia-instance.example.com
  tags:
  - Authentication
  - OAuth
  - OIDC
  - OpenID Connect
  properties:
  - type: Documentation
    url: https://www.authelia.com/configuration/identity-providers/openid-connect/provider/
common:
- type: Website
  url: https://www.authelia.com
- type: Documentation
  url: https://www.authelia.com/configuration/prologue/introduction/
- type: GitHubOrganization
  url: https://github.com/authelia
- type: GitHubRepository
  url: https://github.com/authelia/authelia
- type: ChangeLog
  url: https://github.com/authelia/authelia/releases
- type: Support
  url: https://github.com/authelia/authelia/discussions
- type: Community
  url: https://discord.gg/authelia
- type: Features
  data:
  - name: Multi-Factor Authentication
    description: Supports TOTP, WebAuthn/FIDO2, Duo Push, and mobile authenticator apps as second factors.
  - name: OpenID Connect 1.0 Provider
    description: OpenID Certified identity provider supporting Authorization Code, Implicit, and Hybrid flows.
  - name: Single Sign-On
    description: Session-based SSO across all applications behind the reverse proxy with configurable session lifetime.
  - name: LDAP/Active Directory Integration
    description: User authentication against LDAP, Active Directory, and OpenLDAP directories with group-based access control.
  - name: Access Control Rules
    description: Fine-grained access control policies based on domain, path, user, group, and network for precise authorization.
  - name: Reverse Proxy Integration
    description: Native integration with nginx, Traefik, Caddy, HAProxy, Envoy, and Skipper via forward-auth and ExtAuthz endpoints.
  - name: Passwordless Authentication
    description: Support for WebAuthn/FIDO2 passwordless login using hardware security keys and platform authenticators.
- type: UseCases
  data:
  - name: Self-Hosted SSO
    description: Deploy a self-hosted SSO solution for internal web applications and services without relying on cloud identity providers.
  - name: Homelab Security
    description: Protect self-hosted homelab applications with MFA and access control without exposing them to the internet unprotected.
  - name: Small Business Identity
    description: Provide centralized authentication for small business web applications using LDAP and access control policies.
  - name: OIDC Provider
    description: Act as an OpenID Connect provider for applications requiring OAuth 2.0 and OIDC-based authentication flows.
- type: Integrations
  data:
  - name: Nginx
    description: Integration with nginx-based proxies including nginx, nginx-proxy-manager, and Swag via auth_request module.
  - name: Traefik
    description: Native Traefik middleware integration via ForwardAuth for seamless authentication in Docker and Kubernetes environments.
  - name: Caddy
    description: Caddy forward-auth integration for protecting applications behind the Caddy web server.
  - name: LDAP/Active Directory
    description: User directory integration with LDAP, Active Directory, and FreeIPA for enterprise user management.
  - name: Helm
    description: Official Helm chart available at the authelia/chartrepo GitHub repository for Kubernetes deployment.
- type: Solutions
  data:
  - name: Self-Hosted Identity
    description: Complete self-hosted identity and access management solution for privacy-conscious deployments.
  - name: Zero Trust Security
    description: Enforce zero trust network access policies for internal applications with per-request authentication verification.
maintainers:
- FN: Kin Lane
  email: [email protected]