VoidAuth
VoidAuth is a TypeScript-based application that provides simplified user management and SSO.
Single sign-on for self-hosters, honestly reviewed. Built by a developer who got tired of configuring Authelia.
TL;DR
- What it is: Open-source (AGPL-3.0) single sign-on provider that sits in front of your self-hosted apps and handles authentication via OpenID Connect and ForwardAuth proxy [1][2].
- Who it’s for: Home lab operators and small self-hosters who want unified login across their services without fighting through Authelia configs or Authentik’s complexity. Not designed for multi-tenant SaaS or enterprise deployments [1].
- Cost savings: Enterprise SSO like Okta or Auth0 starts at hundreds per month. VoidAuth is $0 in licensing — you pay only for the VPS it runs on, typically $5–10/mo [1][3].
- Key strength: Genuinely the fastest self-hosted SSO to get running. One real-world user switched from Authelia and had VoidAuth operational in under 2 minutes from a cold Docker Compose file [2].
- Key weakness: No security audit has been completed — the README says this explicitly. For a tool that gates access to everything you run, that’s a caveat you need to weigh seriously before deploying it in any production context [1][README].
What is VoidAuth
VoidAuth is a self-hosted authentication and user management provider. You deploy it alongside your reverse proxy (Caddy, Traefik, nginx), point your services at it via ForwardAuth, and suddenly every service in your stack shares one login. Users authenticate once and get passed through to whatever service they’re accessing via HTTP headers.
The project started as a passion project. The developer describes the frustration directly in the r/selfhosted launch post: “The ones that I tried were either challenging to setup, hard to admin, or had limitations (or even paywalls) that made them difficult to use.” [1] The name comes from the developer’s black cat. This is not a venture-backed company — it’s a solo developer scratching their own itch and sharing the result.
At the time of writing it has 1,909 GitHub stars and 58 forks, has been pulled from Docker Hub 93,300 times total with 15,200 pulls in the last week alone, and ships as a 49.63 MB image [3]. The repository is about a year old. These are solid traction numbers for a young, solo-maintained project in a competitive category.
The license is AGPL-3.0, which is free for self-hosting but means any modifications you distribute must be open-sourced. That matters if you’re embedding VoidAuth into a product — for personal or internal company use, it’s a non-issue [1].
Why people choose it
The comparison that keeps appearing in the community is VoidAuth versus Authelia. Stephen O’Toole [2] makes the case plainly: he ran Authelia for a while, it worked, but setup took an afternoon of reading and it wasn’t easy to replicate. He found VoidAuth, followed the sample Docker Compose from the GitHub README, and had it running in about 2 minutes. The Caddy ForwardAuth configuration he ended up with is a few lines:
    (voidauth) {
        forward_auth 192.168.100.4:3000 {
            uri /api/authz/forward-auth
            copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
        }
    }
That’s the entire Caddy snippet for protecting a service. Compare that to Authelia’s middleware config, which requires separate YAML files, session provider configuration, and ACL rules before you get a working setup.
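The snippet hands identity to the protected service as plain request headers, so the service must only believe them when the request arrives from the proxy that ran forward_auth. The following is an added example, not code from VoidAuth, Caddy, or the cited post, showing one way a Node backend might consume the four copied headers. The proxy address, the function names, and the comma-separated Remote-Groups format are assumptions.

```javascript
// Added example: a backend behind the (voidauth) snippet reading the copied headers.
// Hypothetical/constructed: TRUSTED_PROXIES, the function names, and the
// assumption that Remote-Groups is a comma-separated list.
const TRUSTED_PROXIES = new Set(["192.168.100.2"]); // constructed Caddy address

// Node reports IPv4 peers on dual-stack sockets as ::ffff:a.b.c.d
function normalizeIp(addr) {
  return String(addr || "").replace(/^::ffff:/i, "");
}

// One clean string per header: reject repeats (arrays) and control characters.
function singleValue(value) {
  if (typeof value !== "string") return null;
  const v = value.trim();
  return v !== "" && !/[\u0000-\u001f\u007f]/.test(v) ? v : null;
}

// headers: lower-cased names, as in Node's req.headers
function identityFromRequest(remoteAddress, headers) {
  // Identity headers mean nothing unless the direct peer is the proxy.
  if (!TRUSTED_PROXIES.has(normalizeIp(remoteAddress))) {
    return { ok: false, reason: "untrusted-peer" };
  }
  const user = singleValue(headers["remote-user"]);
  if (user === null) return { ok: false, reason: "missing-user" };
  const groups = (singleValue(headers["remote-groups"]) || "")
    .split(",").map((g) => g.trim()).filter(Boolean);
  return {
    ok: true,
    user,
    groups,
    name: singleValue(headers["remote-name"]),
    email: singleValue(headers["remote-email"]),
  };
}

// Deny by default: only an accepted identity that lists the group passes.
function isAllowed(identity, requiredGroup) {
  return identity.ok === true && identity.groups.includes(requiredGroup);
}

// Constructed sample requests: one through the proxy, one straight to the backend.
const viaProxy = identityFromRequest("::ffff:192.168.100.2", {
  "remote-user": "alice", "remote-groups": "admins, media",
  "remote-email": "alice@example.test",
});
const direct = identityFromRequest("192.168.100.77", {
  "remote-user": "alice", "remote-groups": "admins",
});
console.log(viaProxy, isAllowed(viaProxy, "admins"), direct.reason);
```

The peer check complements, and does not replace, binding the backend to an interface that only the reverse proxy can reach.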
The other reason people choose it is that the existing free options often gate features behind paid plans. The developer specifically calls this out as motivation — paywalls on open-source auth tools are a real frustration in the self-hosting community, and VoidAuth ships as 100% free with no feature gating [1].
The r/selfhosted thread [1] shows the reception: it’s a positive community response, with the developer actively responding to questions. That engagement matters for a young project — you’re betting on the maintainer’s continued interest, and active thread participation is a good signal.
Features
Based on the README and first-hand accounts:
Authentication protocols:
- OpenID Connect (OIDC) — the standard protocol for delegated authentication. Works with any service that supports OIDC clients [README][1].
- Proxy ForwardAuth — the reverse proxy integration mode where VoidAuth gates requests at the proxy level before they reach your services [2][README].
User management:
- Admin panel for managing users and groups [README]
- User invitation system — admins generate invite links; users follow them to register [2][README]
- User self-registration (configurable) [1]
- Group-based access management [README]
Security features:
- Multi-factor authentication (MFA) [README][1]
- Passkeys and passkey-only accounts — you can require hardware key or device authentication [README][1]
- Secure password reset via email verification [README]
- Encryption at rest for both PostgreSQL and SQLite databases [README][1]
Customization:
- Custom logo, title, theme color [README]
- Custom email templates [README][1]
Deployment:
- Docker and Docker Compose [README][2]
- PostgreSQL (recommended) or SQLite [README]
- SMTP integration for invite emails and password resets [2][README]
The feature set is deliberately focused. VoidAuth does not try to be an identity platform, a developer authorization SDK, or a compliance layer. It does one thing: handle who can log into your self-hosted apps. If you want SAML enterprise federation, machine-to-machine tokens, or multi-tenant organizations, you’re in the wrong place.
What it does not have:
- LDAP/Active Directory integration — not mentioned anywhere in the documentation
- SAML 2.0 — OIDC only
- Audit logs
- Role-based access control beyond group assignment
- A completed security audit [README]
Pricing: SaaS vs self-hosted math
VoidAuth has no paid tier and no cloud version. It is self-hosted only.
VoidAuth:
- Software: $0 (AGPL-3.0) [1]
- Hosting: ~$5–10/mo for a VPS with 1–2GB RAM
What you’re replacing — SaaS SSO pricing for context:
- Okta: starts around $2/user/month for workforce identity; $150+/mo for a 50-person team
- Auth0: free up to 7,500 MAU, then $35+/mo for B2C plans; enterprise SSO features gated behind custom pricing
- JumpCloud: $11/user/month with SSO add-on
For a home lab or small internal team, none of those SaaS products make sense — they’re priced for enterprises. The real comparison is against other free self-hosted options: Authentik, Authelia, Pocket ID, ZITADEL community edition. All of them are free. The cost differentiation is your time — setup complexity is where you pay.
Concrete estimate: if you value your time at $50/hr and Authelia costs you 4 hours to set up vs VoidAuth costing 30 minutes, VoidAuth saves you ~$175 in setup cost. Ongoing maintenance is harder to price, but simpler software typically means fewer hours debugging edge cases.
Deployment reality check
The fastest real-world setup report is 2 minutes via Docker Compose [2]. That’s not a benchmark — that’s a genuine user account of following the README sample, filling in environment variables, and running docker compose up -d. The initial admin credentials appear in the container logs; you log in, change them, and you’re administrating.
What you actually need:
- A Linux VPS or home server with Docker and docker-compose
- A domain name (VoidAuth needs an APP_URL)
- A reverse proxy (Caddy, Traefik, or nginx) — VoidAuth doesn’t ship one
- PostgreSQL (bundled in the sample compose) or SQLite for lighter setups
- An SMTP provider for invite emails and password resets
On SMTP: O’Toole [2] notes a useful behavior — VoidAuth warns you when email settings can’t be verified before you try to send an invite. That kind of early feedback saves debugging time.
What can go sideways:
The most significant caveat is the one the developer puts in the README themselves: “VoidAuth has not been audited and uses 3rd party packages for much of its functionality, use at your own risk.” [README] For an authentication layer that controls access to everything behind it, running unaudited code is a real risk. This isn’t an obscure warning buried in a changelog — it’s in the main README. If you’re running sensitive services behind VoidAuth, factor that in.
The second caveat is the solo maintainer reality. VoidAuth is one developer’s project, about a year old [3]. It’s actively maintained and the developer is responsive in the GitHub discussions [1], but it has the bus factor of any solo project. Authelia and Authentik have larger contributor bases.
ForwardAuth coverage is also proxy-dependent. The docs and community examples focus heavily on Caddy. Traefik and nginx configurations are possible but you’ll spend more time piecing together community examples.
Realistic time estimates:
- Technical user comfortable with Docker: 15–30 minutes to working setup
- User following guides carefully, less Docker experience: 1–2 hours
- Someone who has never configured a reverse proxy: budget a full afternoon
Pros and Cons
Pros
- Fastest setup in the category. Real-world user was running from zero in 2 minutes [2]. The Docker Compose sample in the README is production-ready with minor env variable fills.
- Genuinely free, no gated features. No “Pro” tier that unlocks MFA or passkeys. What’s in the README is what you get, and it’s everything [1].
- Passkey support. Hardware key and device-based passkey authentication is included, not an add-on [README][1]. Most competitors charge for or don’t include this.
- Clean, user-friendly interface. The developer explicitly prioritized being “inviting for end-users” [1]. The login portal and admin panel look like a modern web app, not a 2014 enterprise admin UI.
- Encryption at rest. Both PostgreSQL and SQLite options include encryption at rest [README][1] — not a given for self-hosted auth tools.
- SQLite option. For small setups, running without an external database reduces infrastructure complexity [README].
- Active developer. The GitHub discussions are monitored; the developer says “I will likely respond quickly” [README] and the launch post engagement confirms that [1].
- Docker Hub traction is real. 93K total pulls, 15K in the last week [3] — this isn’t vaporware, people are running it.
Cons
- No security audit. This is the headline con for an auth tool. The developer discloses it themselves [README]. Unless or until a third-party audit happens, you’re running trust-on-faith security for your gatekeeper layer.
- Solo maintainer. One person. No company, no funding mentioned, no contributor bus factor protection. If the developer loses interest, this becomes a community-fork situation or you migrate [1][README].
- AGPL-3.0, not MIT. Can’t embed in a commercial product without open-sourcing your modifications. Not a problem for personal use or internal company use, but worth knowing [1].
- No LDAP, no SAML. If your services or existing infrastructure use LDAP directory sync or require SAML federation, VoidAuth won’t cover those cases [README].
- Invite-only user creation by default. Users can’t sign themselves up without an admin generating an invite link [2]. This is good security hygiene but means some admin overhead for anything with more than a handful of users.
- Limited documentation. The Getting Started page exists, but the docs don’t cover advanced configurations in depth. Traefik and nginx users will piece together setups from community posts.
- No audit logs. There’s no record of who authenticated when, which matters if you’re troubleshooting access problems or are subject to any kind of compliance requirement.
- Young project. About one year old [3]. Fewer edge cases found and fixed compared to Authelia (years older) or Authentik.
Who should use this / who shouldn’t
Use VoidAuth if:
- You run a home lab with a handful of services and want unified login without fighting YAML configuration for an afternoon.
- Setup time is the thing that’s kept you from adding SSO to your stack at all — VoidAuth removes that friction.
- You want passkeys and MFA for free, without a commercial upsell.
- You’re already using Caddy as your reverse proxy — the ForwardAuth integration is clean and well-documented for Caddy specifically [2][README].
- You’re comfortable accepting the no-audit caveat for personal or non-sensitive infrastructure.
Skip it (consider Authelia) if:
- You need a mature, widely-deployed auth proxy with LDAP support, detailed access control rules per-service, and a larger contributor pool.
- Your services are sensitive enough that you need audited software.
- You want extensive configuration flexibility even at the cost of setup complexity.
Skip it (consider Authentik) if:
- You need SAML 2.0, LDAP, SCIM, or a full identity platform.
- You have a team of users who need self-service onboarding flows.
- You’re willing to trade setup complexity for a feature-complete enterprise-grade tool.
- You need audit logs.
Skip it (consider Pocket ID) if:
- You want passkey-only authentication and nothing else — Pocket ID does exactly that with similar simplicity [3].
Skip it (look elsewhere) if:
- You’re building a multi-tenant SaaS and need developer identity APIs.
- Your compliance requirements include audit trails, SOC 2, or SAML federation with enterprise IdPs.
- You need a security audit before deploying your auth layer.
Alternatives worth considering
The awesome-docker-compose listing [3] surfaces the natural comparisons:
- Authelia — the incumbent for self-hosted ForwardAuth. Harder to set up, more mature, larger community, LDAP support. If you need proven stability over easy setup, this is the call.
- Authentik — the most feature-complete self-hosted identity platform. OIDC, SAML, LDAP, SCIM, detailed flows, enterprise features. Has a commercial enterprise tier. Significantly more complex to configure. The tool you graduate to when VoidAuth doesn’t cover your use case.
- Pocket ID — similar “simple self-hosted OIDC provider” positioning, but passkey-only by design. 7,100 GitHub stars [3]. Pick it if you want to mandate hardware/device authentication and don’t need password login at all.
- ZITADEL — API-first, developer-focused identity platform. 13,300 GitHub stars [3]. Significantly more powerful but built for application developers embedding auth, not home lab operators protecting services.
- Logto — multi-tenancy, enterprise SSO, RBAC. 11,700 GitHub stars [3]. Same category as ZITADEL — overkill for home lab, appropriate for SaaS builders.
- Keycloak — the enterprise open-source option (Red Hat backed). Full featured, Java-based, resource-heavy. Runs fine but feels like enterprise software because it is enterprise software.
For a home lab operator choosing between these, the realistic shortlist is VoidAuth vs Pocket ID vs Authelia. VoidAuth if you want speed and a modern UX with standard password/passkey options. Pocket ID if you want to go passwordless entirely. Authelia if you’ve already invested time there or need LDAP.
Bottom line
VoidAuth is the answer to a specific question: what’s the fastest path from “no SSO” to “all my services have unified login”? The answer, based on real deployments, is roughly 30 minutes from a cold server to a working ForwardAuth setup [2][1]. That’s genuinely impressive in a category where the standard advice is to budget an afternoon.
The trade-offs are equally clear. This is a young, solo-maintained project with no security audit on the auth layer. For a home lab, that’s a reasonable risk to accept. For anything protecting genuinely sensitive data, it isn’t — and the developer says so themselves in the README. The AGPL license and the absence of LDAP/SAML close off enterprise and commercial embedding use cases entirely.
If you’ve been avoiding SSO because every option felt like a weekend project, VoidAuth changes that calculus. If you need a battle-tested, audited auth layer for real-stakes infrastructure, Authelia or Authentik are the safer bets.
Sources
- [1] r/selfhosted — “VoidAuth is an Open Source, Easy to Use Single-Sign-On Provider” (developer launch post, community discussion). https://www.reddit.com/r/selfhosted/comments/1q1zram/voidauth_is_an_open_source_easy_to_use/
- [2] Stephen O’Toole — “VoidAuth for authentication of services (SSO)” (Jul 30, 2025, real-world deployment review). https://o-toole.com/voidauth-for-authentication-of-services-sso/
- [3] Awesome Docker Compose — VoidAuth listing (Docker Hub stats, GitHub metadata, similar tools). https://awesome-docker-compose.com/voidauth
- [4] Self-Host Weekly (22 August 2025) — selfh.st. https://selfh.st/weekly/2025-08-22/
Primary sources:
- GitHub repository and README: https://github.com/voidauth/voidauth (1,909 stars, AGPL-3.0 license)
- Official website and documentation: https://voidauth.app