DEV.co
Open-Source DevOps · pocket-id

pocket-id

Pocket ID is a self-hosted OAuth 2.0 and OpenID Connect provider that uses passkeys (rather than passwords) for user authentication. It aims to be simpler than enterprise alternatives like Keycloak while supporting secure, phishing-resistant sign-in across your services.

Source: GitHub — github.com/pocket-id/pocket-id
8.3k
GitHub stars
268
Forks
Go
Primary language
BSD-2-Clause
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorypocket-id/pocket-id
Ownerpocket-id
Primary languageGo
LicenseBSD-2-Clause — OSI-approved
Stars8.3k
Forks268
Open issues91
Latest releasev2.9.0 (2026-06-16)
Last updated2026-07-08
Sourcehttps://github.com/pocket-id/pocket-id

What pocket-id is

A Go-based OIDC/OAuth 2.0 identity provider with passkey-only authentication, designed for self-hosted deployment. It implements standard OIDC flows and can be deployed via Docker, offering a lighter alternative to full-featured IAM platforms.

Quickstart

Get the pocket-id source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/pocket-id/pocket-id.gitcd pocket-id# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Self-hosted SaaS with passkey-first auth

Ideal for teams building internal tools or SaaS platforms that want to eliminate passwords and adopt passkey authentication without the complexity of Keycloak.

Microservice authentication in private networks

Suitable for federated authentication across microservices in containerized environments where simplicity and fast setup are prioritized over enterprise feature richness.

Security-conscious organizations piloting WebAuthn/FIDO2

Organizations evaluating passkey adoption can deploy Pocket ID as a low-barrier proof-of-concept OIDC provider without learning complex IAM platforms.

Implementation considerations

  • Passkey-only model assumes all users and applications support FIDO2/WebAuthn; legacy or constrained clients (older browsers, non-standard devices) may not be compatible.
  • Docker-based deployment is recommended; ensure container orchestration, persistent storage, and database configuration are prepared before rollout.
  • No evidence of built-in multi-tenancy or service-level isolation; single instance may serve only one organization or set of services.
  • Requires careful planning for session management, token expiration, and logout workflows across client applications.
  • Early project maturity (created Aug 2024, v2.9.0 as of Jun 2026); production use should include thorough testing and monitoring of edge cases.

When to avoid it — and what to weigh

  • Require extensive user provisioning and directory sync — No mention of LDAP, Active Directory, SAML, or bulk user import. Enterprise directory integration is not evident.
  • Need fine-grained role-based access control (RBAC) or policy engine — Pocket ID focuses on passkey authentication; detailed RBAC, attribute-based access, or policy evaluation is not described.
  • Require multi-factor authentication (MFA) beyond passkeys — Passkeys are the sole authentication mechanism. No mention of TOTP, SMS, or other secondary factors.
  • Compliance-heavy environments (HIPAA, SOC 2, FedRAMP) — No documented compliance certifications, audit logs, or security certifications mentioned. Requires verification for regulated workloads.

License & commercial use

Released under BSD 2-Clause (Simplified) License, which is a permissive, OSI-approved open-source license.

BSD 2-Clause is permissive and allows commercial use, modification, and distribution with minimal conditions (retain license and copyright notice, include disclaimer). No evidence of dual licensing or proprietary restrictions. Requires review of your internal commercial use policy and any warranty expectations.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceMedium
Security considerations

Passkey-only authentication is cryptographically modern and phishing-resistant. No security certifications, audit logs, rate limiting, or threat model documentation are mentioned. No details on TLS enforcement, secret management, or protection against account enumeration. Self-hosted deployment requires operator responsibility for infrastructure security. Source code is available for review; cryptographic implementation should be audited before production use.

Alternatives to consider

Keycloak

Mature, feature-rich OIDC/SAML provider with extensive directory integration, RBAC, and multi-tenancy. Considerably more complex and resource-intensive; suitable for enterprise deployments requiring advanced identity governance.

ORY Hydra

Lightweight OAuth 2.0/OIDC server with emphasis on simplicity. Does not mandate passkeys; supports traditional credentials. Better for minimal deployments but lacks passkey-first UX and Pocket ID's password-elimination philosophy.

Auth0 (managed service)

Commercial, fully managed OIDC/OAuth provider with extensive integrations and compliance certifications. Eliminates self-hosting overhead but introduces vendor lock-in and ongoing costs; does not align with self-hosted architecture.

Software development agency

Build on pocket-id with DEV.co software developers

Evaluate Pocket ID for your self-hosted identity needs. Review the documentation, test the demo, and assess integration requirements with your service architecture. Consult our team if you need guidance on passkey implementation or OIDC deployment.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

pocket-id FAQ

Can I use Pocket ID if my users do not have passkey-capable devices?
Pocket ID supports passkeys only. Users require devices or browsers with FIDO2/WebAuthn support (most modern smartphones, Windows Hello, YubiKey, etc.). Fallback to passwords is not provided.
Is Pocket ID suitable for enterprise single sign-on (SSO)?
Pocket ID provides OIDC/OAuth 2.0 and can federate authentication. However, it lacks advanced enterprise features like SAML, directory sync, and fine-grained policy engines. Medium-to-large enterprises typically require Keycloak or similar platforms.
How does Pocket ID scale?
Not explicitly stated. Typical constraints: database throughput, stateless or session-aware horizontal scaling, and connection pooling. Requires load testing and capacity planning; no benchmarks or scaling guidance provided.
What is the warranty or support model?
Pocket ID is open-source with no commercial support mentioned. Community support via GitHub issues and documentation; vendor support is not available. Use at own risk in critical systems.

Work with a software development agency

Need help beyond evaluating pocket-id? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source devops integrations — and maintain them long-term.

Ready to adopt passkey authentication?

Evaluate Pocket ID for your self-hosted identity needs. Review the documentation, test the demo, and assess integration requirements with your service architecture. Consult our team if you need guidance on passkey implementation or OIDC deployment.