pocket-id
Pocket ID is a self-hosted OAuth 2.0 and OpenID Connect provider that uses passkeys (rather than passwords) for user authentication. It aims to be simpler than enterprise alternatives like Keycloak while supporting secure, phishing-resistant sign-in across your services.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | pocket-id/pocket-id |
| Owner | pocket-id |
| Primary language | Go |
| License | BSD-2-Clause — OSI-approved |
| Stars | 8.3k |
| Forks | 268 |
| Open issues | 91 |
| Latest release | v2.9.0 (2026-06-16) |
| Last updated | 2026-07-08 |
| Source | https://github.com/pocket-id/pocket-id |
What pocket-id is
A Go-based OIDC/OAuth 2.0 identity provider with passkey-only authentication, designed for self-hosted deployment. It implements standard OIDC flows and can be deployed via Docker, offering a lighter alternative to full-featured IAM platforms.
Get the pocket-id source
Clone the repository and explore it locally.
git clone https://github.com/pocket-id/pocket-id.gitcd pocket-id# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Passkey-only model assumes all users and applications support FIDO2/WebAuthn; legacy or constrained clients (older browsers, non-standard devices) may not be compatible.
- Docker-based deployment is recommended; ensure container orchestration, persistent storage, and database configuration are prepared before rollout.
- No evidence of built-in multi-tenancy or service-level isolation; single instance may serve only one organization or set of services.
- Requires careful planning for session management, token expiration, and logout workflows across client applications.
- Early project maturity (created Aug 2024, v2.9.0 as of Jun 2026); production use should include thorough testing and monitoring of edge cases.
When to avoid it — and what to weigh
- Require extensive user provisioning and directory sync — No mention of LDAP, Active Directory, SAML, or bulk user import. Enterprise directory integration is not evident.
- Need fine-grained role-based access control (RBAC) or policy engine — Pocket ID focuses on passkey authentication; detailed RBAC, attribute-based access, or policy evaluation is not described.
- Require multi-factor authentication (MFA) beyond passkeys — Passkeys are the sole authentication mechanism. No mention of TOTP, SMS, or other secondary factors.
- Compliance-heavy environments (HIPAA, SOC 2, FedRAMP) — No documented compliance certifications, audit logs, or security certifications mentioned. Requires verification for regulated workloads.
License & commercial use
Released under BSD 2-Clause (Simplified) License, which is a permissive, OSI-approved open-source license.
BSD 2-Clause is permissive and allows commercial use, modification, and distribution with minimal conditions (retain license and copyright notice, include disclaimer). No evidence of dual licensing or proprietary restrictions. Requires review of your internal commercial use policy and any warranty expectations.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | Medium |
Passkey-only authentication is cryptographically modern and phishing-resistant. No security certifications, audit logs, rate limiting, or threat model documentation are mentioned. No details on TLS enforcement, secret management, or protection against account enumeration. Self-hosted deployment requires operator responsibility for infrastructure security. Source code is available for review; cryptographic implementation should be audited before production use.
Alternatives to consider
Keycloak
Mature, feature-rich OIDC/SAML provider with extensive directory integration, RBAC, and multi-tenancy. Considerably more complex and resource-intensive; suitable for enterprise deployments requiring advanced identity governance.
ORY Hydra
Lightweight OAuth 2.0/OIDC server with emphasis on simplicity. Does not mandate passkeys; supports traditional credentials. Better for minimal deployments but lacks passkey-first UX and Pocket ID's password-elimination philosophy.
Auth0 (managed service)
Commercial, fully managed OIDC/OAuth provider with extensive integrations and compliance certifications. Eliminates self-hosting overhead but introduces vendor lock-in and ongoing costs; does not align with self-hosted architecture.
Build on pocket-id with DEV.co software developers
Evaluate Pocket ID for your self-hosted identity needs. Review the documentation, test the demo, and assess integration requirements with your service architecture. Consult our team if you need guidance on passkey implementation or OIDC deployment.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
pocket-id FAQ
Can I use Pocket ID if my users do not have passkey-capable devices?
Is Pocket ID suitable for enterprise single sign-on (SSO)?
How does Pocket ID scale?
What is the warranty or support model?
Work with a software development agency
Need help beyond evaluating pocket-id? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source devops integrations — and maintain them long-term.
Ready to adopt passkey authentication?
Evaluate Pocket ID for your self-hosted identity needs. Review the documentation, test the demo, and assess integration requirements with your service architecture. Consult our team if you need guidance on passkey implementation or OIDC deployment.