VoidAuth: The open-source “gatekeeper” to unify access to your self-hosted apps (and why it might make sense compared to Keycloak, Authelia, or paid SSO)

The self-hosted universe has an age-old and inevitable problem: the more services you set up, the more credentials you end up managing. Today it’s a Grafana panel, tomorrow a Nextcloud, the next day an internal wiki, and in the end, you have a growing collection of logins that doesn’t scale — not for you… nor for your team.

This is where VoidAuth comes in: an open-source project that positions itself as an authentication and user management provider designed to sit “in front” of your self-hosted applications, centralizing login and access control. Its idea is straightforward: a single sign-on portal, support for OpenID Connect (OIDC), a ForwardAuth (proxy) mode, along with modern features like passkeys and MFA, with easy deployment (for example, via Docker Compose) and without turning your homelab into an IAM consultancy.

What VoidAuth proposes (in practice)

VoidAuth is defined as “SSO for your self-hosted universe.” Functionally, the project stands out for:

  • OIDC provider so compatible apps can delegate login and receive tokens in a standard way.
  • ForwardAuth / proxy to protect services that don’t natively support OIDC, acting as an authentication “layer” in front of the reverse proxy.
  • User and group management, with invitations and self-registration (based on configuration).
  • Passkeys and MFA, including the option for accounts to be “passkey-only.”
  • Password reset by email with customizable templates (branding and messages).
  • Encryption at rest, with Postgres or SQLite as the database.

All this with an appealing promise for technical profiles: set it up quickly, integrate with your proxy (Caddy/Traefik/Nginx, etc.), and start protecting services without reconfiguring each login individually.

There’s also an important point the project itself recognizes: it has not been audited and relies on third-party packages for some functionality. That doesn’t invalidate its usefulness but does require treating it as what it is: young software that should be deployed thoughtfully (network segmentation, backups, least privilege, monitoring).

Comparison: VoidAuth vs. “Other common methods”

In the real world, the choice is rarely “VoidAuth yes or no,” but rather “what makes sense for my case?” These are the most common routes and how VoidAuth fits in:

1) The “quick” method: Basic Auth, IP allowlists, and app passwords

This is the typical starting point. It works… until:

  • You have multiple users,
  • You need to revoke access without breaking everything,
  • You want MFA or passkeys,
  • Or you require traceability and consistency.

VoidAuth wins here by centralizing identities and adopting a “guard at the gate” approach in front of multiple apps with a coherent login experience.

2) “Directory + LDAP” (FreeIPA / LDAP / AD)

LDAP/AD is very powerful but isn’t always user-friendly if you’re just looking for SSO for self-hosted web tools. Plus, many modern apps speak OIDC better than LDAP.
VoidAuth can be more straightforward if your goal is web SSO and access control without deploying (or maintaining) a full directory.

3) Authelia (lightweight, popular in homelab settings)

Authelia is often appreciated for being minimalist, integrating well as a “layer” in front of your proxy, and covering 80% of web access cases. It can also act as an OIDC provider and is widely used in Kubernetes/homelab.
Where VoidAuth competes is the feature pack: portal/login, user/group management, passkeys, and invitations, aiming for a more “all-in-one” experience for admins and users.

4) Keycloak (enterprise standard, but heavier)

Keycloak is a robust IAM solution: mature, extendable, with extensive OIDC/SAML integrations and a vast ecosystem (at the cost of complexity).
VoidAuth’s niche: when you want something lighter and more focused to protect self-hosted apps without adopting a full “corporate” deployment.

5) Authentik (very comprehensive, mid-way between homelab and enterprise)

Authentik is notable for its visual flow interface, its role as an IdP, and integration with many apps. But it also entails a learning curve and a “heavier” platform.
VoidAuth might have an advantage if you prioritize operational simplicity and a clear set of functions for “everyday SSO.”

6) Managed SSO (Okta, Entra ID, Google, etc.)

The paid alternative has an unbeatable argument: outsourcing the problem, with SLAs, audits, and support. The cost is twofold: money and dependence.
In this case, the advantage of VoidAuth is clear for the self-hosted world: open source + self-hosted, with full control over data, deployment, and policies (as long as you’re the one managing it).

The key advantage: truly self-hosted open source

In practice, the “open source” label only matters if it enables tangible benefits. With VoidAuth, that translates into:

  • Deployment sovereignty: run it wherever you want (your server, your datacenter, your private cloud).
  • Predictable costs: no user/MAU fees that grow with your stack.
  • Inspection and customization: review, audit by third parties if needed, or extend for your case.
  • Avoid vendor lock-in in your authentication system, one of the most sensitive points in any architecture.

Moreover, in a time when local agents, self-hosted tools, and privacy concerns are rising, having your own SSO becomes an increasingly fitting piece of the puzzle.

What to watch out for before adoption

For responsible adoption (and to avoid surprises), three questions deserve attention:

  1. Maturity and auditing: if your environment is critical or regulated, look for a clear roadmap, security reviews, or external audits.
  2. Real integration with your apps: OIDC and ForwardAuth cover a lot, but there are always exceptions.
  3. Operation and backups: centralizing login makes this component “core” infrastructure. High availability, backups, and restore are not optional anymore.

FAQs

Does VoidAuth work if my applications don’t support OIDC?
Yes, the ForwardAuth mode is specifically designed to protect apps without native OIDC by placing authentication in front of the service via the reverse proxy.
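
The ForwardAuth flow described in the feature list and in this answer, as an added Python example that is not VoidAuth's code. It shows both sides of the exchange, the auth service's allow/redirect/deny decision and the proxy stripping client-supplied identity headers before forwarding. The header names follow a common reverse-proxy convention and are assumptions here, and the sessions, hostnames, group rules and login URL are constructed.

```python
# Added illustration of the ForwardAuth pattern; not VoidAuth's code.
# Header names are an assumed common convention; the sessions, hostnames,
# group rules and login URL below are constructed for this example.
from urllib.parse import quote

IDENTITY_HEADERS = ("Remote-User", "Remote-Groups", "Remote-Email")
SESSIONS = {  # constructed session store: cookie value -> identity
    "s3ss10n-alice": {"user": "alice", "groups": ["admins", "users"]},
    "s3ss10n-bob": {"user": "bob", "groups": ["users"]},
}
RULES = {  # protected host -> groups allowed to reach it
    "grafana.example.internal": {"admins"},
    "wiki.example.internal": {"users", "admins"},
}
LOGIN_URL = "https://auth.example.internal/login"  # hypothetical portal URL


def auth_check(headers, cookies):
    """Auth-service side: decide on the proxy's subrequest.
    Returns (status, response_headers)."""
    host = headers.get("X-Forwarded-Host", "")
    uri = headers.get("X-Forwarded-Uri", "/")
    allowed = RULES.get(host)
    if allowed is None:
        return 403, {}  # unknown host: fail closed
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:  # not logged in: send the browser to the portal
        target = quote(f"https://{host}{uri}", safe="")
        return 302, {"Location": f"{LOGIN_URL}?redirect={target}"}
    if not allowed & set(session["groups"]):
        return 403, {}  # logged in, but not in an allowed group
    return 200, {"Remote-User": session["user"],
                 "Remote-Groups": ",".join(session["groups"])}


def proxy_handle(client_headers, cookies, host, uri):
    """Proxy side: drop spoofable identity headers, ask the auth service,
    and forward upstream only on 200. Returns (status, headers)."""
    strip = {h.lower() for h in IDENTITY_HEADERS}
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() not in strip}
    status, resp = auth_check(
        {"X-Forwarded-Host": host, "X-Forwarded-Uri": uri}, cookies)
    if status != 200:
        return status, resp  # the 302/403 goes back to the client
    upstream.update(resp)  # identity comes only from the auth service
    return 200, upstream
```

The protected app trusts the identity headers, so it must be reachable only through the proxy; a direct network path to it bypasses the check entirely.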

What benefits do passkeys provide in a self-hosted environment?
They reduce reliance on reused passwords, improve resistance to phishing, and simplify access for non-technical users (if implemented properly).

When should I prefer Keycloak or Authentik over VoidAuth?
When you need a more comprehensive IAM solution (SAML, complex flows, federation, corporate policies, extensive integrations) and are willing to accept operational complexity.

Does being open source automatically make it more secure?
Not necessarily. Open source facilitates auditing and inspection, but true security depends on design, maintenance, updates, configuration, and ideally external reviews.
