Authelia
February 22, 2026
What it is
Authelia is a forward authentication service that sits in front of your apps (behind a reverse proxy such as Traefik, Nginx, or Caddy). It adds login and 2FA before requests reach the application. It is not a full identity provider (no SAML); it protects existing apps with a single sign-on layer.
Usage
- Homelab / internal dashboards — One login for Grafana, Plex, admin UIs.
- 2FA in front of legacy apps — Add MFA without app changes.
- Reverse-proxy auth — Works with Traefik, Nginx, Caddy via headers or redirect.
Pros and cons
| Pros | Cons |
|---|---|
| Very lightweight (~20–50MB RAM) | No SAML; not a full IdP |
| YAML configuration; simple to run | Apps must sit behind the proxy |
| 2FA (TOTP, Duo, etc.) | Less suitable for large enterprise SSO |
| Runs well on Raspberry Pi | |
Alternatives
- Keycloak / Authentik / Zitadel — Full IdPs with OIDC/SAML; use when apps support them.
- OAuth2 Proxy — Simpler; fewer features than Authelia.
Why choose Authelia
Best when you want a minimal footprint and config-file-driven auth, and want to add 2FA in front of existing apps (dashboards, homelab) without running a full IdP.
Suggested tech stack
- Reverse proxy: Traefik, Nginx, or Caddy with forward auth to Authelia.
- Storage: File or Redis for session/store; optional LDAP for user source.
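The forward-auth decision a reverse proxy makes for each request, sketched as an added Python example (a simplified model, not code from Authelia or any proxy). The `fake_authz` stub, the `session=valid-demo` cookie and the `auth.example.com` URL are constructed; the `Remote-*` names are the identity headers Authelia returns on success. The last function shows why apps must only be reachable through the proxy.

```python
from dataclasses import dataclass, field

# Identity headers the auth service returns on success; the app trusts these.
IDENTITY_HEADERS = ("Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email")

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)

def fake_authz(request_headers):
    """Stand-in for the auth service (constructed): a valid session cookie
    yields 200 plus identity headers, anything else a redirect to the portal."""
    if request_headers.get("Cookie") == "session=valid-demo":
        return Response(200, {"Remote-User": "alice", "Remote-Groups": "admins"})
    return Response(302, {"Location": "https://auth.example.com/"})

def proxy_handle(client_headers, authz=fake_authz):
    """Return ("upstream", headers sent to the app) or ("client", auth response)."""
    # 1. Drop identity headers supplied by the client so they cannot be spoofed.
    lowered = {h.lower() for h in IDENTITY_HEADERS}
    clean = {k: v for k, v in client_headers.items() if k.lower() not in lowered}
    # 2. Ask the auth service about the request.
    verdict = authz(clean)
    # 3. Non-2xx: the app is never contacted; the client gets the auth response.
    if not 200 <= verdict.status < 300:
        return "client", verdict
    # 4. 2xx: copy only the identity headers from the verdict onto the request.
    for name in IDENTITY_HEADERS:
        if name in verdict.headers:
            clean[name] = verdict.headers[name]
    return "upstream", clean

def app_identity(headers):
    """What a header-trusting app believes when a request reaches it."""
    return headers.get("Remote-User")
```

A request that reaches the app without passing through `proxy_handle` carries whatever `Remote-User` the sender chose, so the app's listener should accept connections only from the proxy.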
When to use it
- You have a handful of internal apps behind one reverse proxy.
- You prefer YAML and low resource use over a full IdP.
- You don’t need SAML or app-native OIDC integration.
Links
- Homepage: https://www.authelia.com/
- Documentation: https://www.authelia.com/overview/
- Source: https://github.com/authelia/authelia