os-alt

self-host the SaaS you're paying for

← all SaaS

Self-host Auth0

Identity / SSO / authentication-as-a-service · Category: auth, SSO & secrets

Auth0 (now part of Okta) is the default hosted identity layer for B2B and B2C apps. The self-host replacements are mature and free at any scale; the trade-off is operating an OIDC server yourself.

Auth0 pricing anchor: $240/mo at 1k MAU on B2C Essentials; jumps fast at scale.

Keycloak keycloak/keycloak alive

GitHub
★ 34.3k · last commit today · 2810 open issues
License
Apache-2.0
Setup time
20-30min docker-compose (Keycloak + Postgres)
Monthly cost
$10 VPS for a small team; $20+ for production with HA Postgres.
Migration sketch. Auth0 → Tenant → Export users (JSON, including hashed passwords if on bcrypt). Keycloak → Admin Console → realm-import via JSON or the Keycloak `kcadm.sh` CLI. Bcrypt hashes import directly — users keep their passwords. Map Auth0 Rules / Actions to Keycloak event listeners or authentication-flow scripts.
Good fit forB2B apps that want SAML + OIDC + LDAP federation in one server, and don't mind Java footprint.
Weak atJava-heavy; theming and UX out of the box are dated vs Auth0.

Authentik goauthentik/authentik alive

GitHub
★ 21.4k · last commit today · 1033 open issues
License
MIT
Setup time
15min docker-compose
Monthly cost
$10 VPS — Python + Postgres + Redis stack.
Migration sketch. Auth0 export gives you user JSON + bcrypt hashes. Authentik's `ak users_import` (admin CLI) accepts a JSON manifest; bcrypt hashes are accepted directly. Application config (clients, audiences) is reauthored in the Authentik admin UI as Providers + Applications.
Good fit forModern apps that want OIDC + SAML with a clean web UI and a less heavyweight runtime than Keycloak.
Weak atSmaller community than Keycloak; fewer pre-built SAML integrations to enterprise IDPs.

Zitadel zitadel/zitadel alive

GitHub
★ 13.7k · last commit 6d ago · 1015 open issues
License
Apache-2.0
Setup time
20min docker-compose
Monthly cost
$10-15 VPS — Go binary + CockroachDB or Postgres.
Migration sketch. Zitadel ships a Go-based migration tool that consumes Auth0's user export. Run `zitadel-tools migrate auth0 --tenant <yours>` against the export; users + bcrypt hashes import. Action scripts in Auth0 map to Zitadel Actions (JS via Goja runtime).
Good fit forMulti-tenant SaaS that wants per-tenant orgs as a first-class concept.
Weak atYounger ecosystem; fewer tutorial articles than Keycloak.

In a terminal? npx os-alt auth0 prints this table — how the CLI works →