Deploy Authelia | Lightweight Open Source Keycloak Alternative

Self-Host Authelia - SSO, TOTP, WebAuthn, OpenID Connect, forward auth

Deploy and Host Authelia

Authelia is an open-source authentication and authorization server that adds single sign-on (SSO) and two-factor authentication (2FA) to your web applications via a forward-auth middleware. It's built for developers who want to protect self-hosted services without shipping auth code — supporting TOTP, WebAuthn, and an OpenID Connect provider that is OpenID Certified™.

Self-host Authelia on Railway with this one-click deploy template. It pre-wires Authelia with a PostgreSQL database for persistent schema storage and a Redis instance for session caching — all connected over Railway's private network with no manual networking or Docker configuration required.

Getting Started with Authelia on Railway

After deploying, set AUTHELIA_DOMAIN to your domain and AUTHELIA_AUTH_URL to the full public HTTPS URL of this service. Visit the URL in your browser to reach the Authelia login portal and sign in with the credentials you set in AUTHELIA_INIT_USERNAME and AUTHELIA_INIT_PASSWORD. On first login, Authelia will prompt you to register a TOTP device — scan the QR code with any authenticator app (Google Authenticator, Authy, 1Password). Once registered, configure your reverse proxy to forward authentication requests to https://<your-authelia-host>/api/authz/forward-auth to start protecting applications.

About Hosting Authelia

Authelia is a lightweight IAM gateway — not a full identity provider. It sits in front of your applications and delegates auth via forward auth, so your reverse proxy checks with Authelia before serving any request.
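The forward-auth exchange described above, sketched from the proxy's side as an added example (not code from Authelia or this template). The X-Forwarded-* and Remote-* header names follow Authelia's proxy integration documentation and are not listed on this page; the sample request values are constructed.

```python
from urllib.parse import urlsplit

# Identity headers Authelia sets on an authorized response (assumed from its
# proxy integration docs); only the proxy may set them on the upstream request.
IDENTITY_HEADERS = ("Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email")


def build_authz_request(method, url, client_ip, cookie=""):
    """Headers the proxy sends to /api/authz/forward-auth for one client request."""
    parts = urlsplit(url)
    uri = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    headers = {
        "X-Forwarded-Method": method,
        "X-Forwarded-Proto": parts.scheme,
        "X-Forwarded-Host": parts.netloc,
        "X-Forwarded-URI": uri,
        "X-Forwarded-For": client_ip,
    }
    if cookie:
        headers["Cookie"] = cookie  # session cookie scoped to AUTHELIA_DOMAIN
    return headers


def apply_authz_response(status, authz_headers, client_headers):
    """Turn Authelia's answer into the proxy's action: forward, redirect or deny."""
    blocked = {h.lower() for h in IDENTITY_HEADERS}
    # Drop any identity header the client supplied itself before forwarding.
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in blocked}
    if 200 <= status < 300:
        upstream.update({h: authz_headers[h] for h in IDENTITY_HEADERS if h in authz_headers})
        return "forward", upstream
    if 300 <= status < 400 and "Location" in authz_headers:
        return "redirect", authz_headers["Location"]  # send the browser to the portal
    return "deny", None


if __name__ == "__main__":
    # Constructed exchange: an authenticated request to a protected subdomain.
    print(build_authz_request("GET", "https://grafana.example.com/d/abc?orgId=1",
                              "203.0.113.7", "authelia_session=constructed"))
    print(apply_authz_response(200, {"Remote-User": "alice"},
                               {"Accept": "text/html", "remote-user": "root"}))
```

Whichever proxy you use, confirm it discards client-supplied Remote-* headers, because the upstream app trusts them as the authenticated identity.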

Key features:

  • Single Sign-On across all subdomains with one session cookie
  • Two-factor authentication: TOTP, WebAuthn (YubiKey, passkeys), Duo push
  • OpenID Connect provider (OpenID Certified™) — use as an IdP for Gitea, Grafana, Nextcloud
  • Fine-grained access control per domain, subdomain, or path
  • Brute-force protection with configurable lockouts and ban times
  • File-based user database — no LDAP required

Architecture: Authelia stores its schema in PostgreSQL (sessions, TOTP secrets, OIDC tokens) and uses Redis as a distributed session cache. On Railway, both services connect to Authelia over .railway.internal private hostnames.

Why Deploy Authelia on Railway

One-click deploy Authelia with its full stack — no Docker configs, volume management, or networking to wire up manually:

  • Private networking between Authelia, Postgres, and Redis out of the box
  • Fully env-var driven — change any setting, redeploy, done
  • Auto-generated secrets via Railway's ${{secret(32)}} syntax
  • Managed TLS and custom domain support
  • One-click redeploys from Git

Common Use Cases

  • Protect homelab services — add login + 2FA to Grafana, Portainer, Jellyfin, Home Assistant without modifying each app
  • SSO across subdomains — one login session valid across all *.yourdomain.com services
  • OIDC provider — use Authelia as the identity provider for OAuth2/OIDC-compatible apps
  • Lock staging environments — gate internal dev URLs behind 2FA without shipping auth code

Dependencies for Authelia

  • Authelia — authelia/authelia:4.38 (GitHub, Docker Hub)
  • PostgreSQL — Railway-managed Postgres (persistent schema and OIDC token storage)
  • Redis — Railway-managed Redis (distributed session cache)

Environment Variables Reference

Variable | Description | Required
AUTHELIA_DOMAIN | Root domain cookies are scoped to (e.g. example.com) | Yes
AUTHELIA_AUTH_URL | Full public HTTPS URL of this Authelia instance | Yes
AUTHELIA_SESSION_SECRET | Secret for signing session cookies (min 64 chars) | Yes
AUTHELIA_STORAGE_ENCRYPTION_KEY | Key for encrypting storage data (min 20 chars) | Yes
AUTH_JWT_SECRET | JWT secret for password reset tokens | Yes
AUTHELIA_INIT_USERNAME | First admin username (default: admin) | First boot
AUTHELIA_INIT_PASSWORD | First admin password — can remove after first deploy | First boot
ACCESS_CONTROL_DEFAULT_POLICY | Default policy: bypass, one_factor, two_factor, deny | No
AUTHELIA_LOG_LEVEL | Log verbosity: trace, debug, info, warn, error | No
SMTP_HOST | Enables SMTP notifier for 2FA and password reset emails | No
OIDC_CLIENT_ID | Enables OpenID Connect provider when set with OIDC_CLIENT_SECRET | No
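A pre-deploy check for the variables in the table above, as an added example (not part of the template or of Authelia). The required names, minimum lengths and allowed values are taken from the table; the placeholder list, the host-under-domain check and the function name check_env are assumptions of this sketch.

```python
from urllib.parse import urlsplit

REQUIRED = ("AUTHELIA_DOMAIN", "AUTHELIA_AUTH_URL", "AUTHELIA_SESSION_SECRET",
            "AUTHELIA_STORAGE_ENCRYPTION_KEY", "AUTH_JWT_SECRET")
MIN_LENGTH = {"AUTHELIA_SESSION_SECRET": 64, "AUTHELIA_STORAGE_ENCRYPTION_KEY": 20}
ALLOWED = {
    "ACCESS_CONTROL_DEFAULT_POLICY": {"bypass", "one_factor", "two_factor", "deny"},
    "AUTHELIA_LOG_LEVEL": {"trace", "debug", "info", "warn", "error"},
}
SECRETS = ("AUTHELIA_SESSION_SECRET", "AUTHELIA_STORAGE_ENCRYPTION_KEY",
           "AUTH_JWT_SECRET", "AUTHELIA_INIT_PASSWORD", "OIDC_CLIENT_SECRET")
PLACEHOLDERS = {"changeme", "password", "admin"}  # assumed list, extend as needed


def check_env(env):
    """Return the problems found in a mapping of template variables."""
    problems = [f"{n} is required but unset" for n in REQUIRED if not env.get(n)]
    for name, minimum in MIN_LENGTH.items():
        value = env.get(name, "")
        if value and len(value) < minimum:
            problems.append(f"{name} has {len(value)} chars, needs {minimum}+")
    for name, allowed in ALLOWED.items():
        if name in env and env[name] not in allowed:
            problems.append(f"{name}={env[name]!r} is not a documented value")
    for name in SECRETS:
        if env.get(name, "").lower() in PLACEHOLDERS:
            problems.append(f"{name} is a placeholder value")
    # Cookies are scoped to AUTHELIA_DOMAIN, so the portal URL must be HTTPS
    # on that domain or a subdomain of it (suffix match on a label boundary).
    domain = env.get("AUTHELIA_DOMAIN", "").lower()
    url = env.get("AUTHELIA_AUTH_URL", "")
    if domain and url:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            problems.append("AUTHELIA_AUTH_URL must use https")
        if host != domain and not host.endswith("." + domain):
            problems.append(f"AUTHELIA_AUTH_URL host {host!r} is outside {domain!r}")
    if env.get("OIDC_CLIENT_ID") and not env.get("OIDC_CLIENT_SECRET"):
        problems.append("OIDC_CLIENT_ID is set without OIDC_CLIENT_SECRET")
    return problems


if __name__ == "__main__":
    # Constructed sample: placeholder encryption key and an off-domain portal URL.
    sample = {"AUTHELIA_DOMAIN": "example.com", "AUTH_JWT_SECRET": "j" * 32,
              "AUTHELIA_AUTH_URL": "https://auth.notexample.com",
              "AUTHELIA_SESSION_SECRET": "s" * 64,
              "AUTHELIA_STORAGE_ENCRYPTION_KEY": "changeme"}
    print("\n".join(check_env(sample)))
```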

Deployment Dependencies

Minimum Hardware Requirements for Authelia

Authelia is one of the most resource-efficient auth solutions available — it runs on a Raspberry Pi.

Resource | Minimum | Recommended
CPU | 0.1 vCPU | 0.25 vCPU
RAM | 64 MB | 256 MB
Storage | 100 MB | 500 MB (for Postgres data)

Unlike Authentik (2 cores + 2 GB RAM minimum) or Keycloak (512 MB+ RAM), Authelia typically uses 20–25 MB of memory at runtime.

Self-Hosting Authelia

To run Authelia on your own VPS using Docker Compose:

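# docker-compose.yml
# Replace every "changeme" with a unique random secret before first start.
services:
  authelia:
    image: authelia/authelia:4.38
    volumes:
      - ./config:/config
    ports:
      - "9091:9091"
    depends_on:
      - postgres
      - redis

  postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_DB: authelia
      POSTGRES_USER: authelia
      POSTGRES_PASSWORD: changeme
    volumes:
      # Persist Authelia's stored data when the container is re-created
      - postgres-data:/var/lib/postgresql/data

  redis:
    image: redis:7-alpine
    command: redis-server --requirepass changeme

volumes:
  postgres-data: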

Minimal ./config/configuration.yml to get started:

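# Every "changeme..." value is a placeholder: use a long random string for each.
server:
  address: tcp://0.0.0.0:9091/
authentication_backend:
  file:
    path: /config/users_database.yml
# With no rules defined, the default policy must be one_factor or two_factor.
access_control:
  default_policy: two_factor
identity_validation:
  reset_password:
    jwt_secret: changeme-use-a-long-random-value
session:
  secret: changeme-use-a-long-random-value
  cookies:
    - domain: example.com
      authelia_url: https://auth.example.com
  # Use the Redis service from docker-compose.yml for session storage
  redis:
    host: redis
    port: 6379
    password: changeme  # must match --requirepass
storage:
  # Must be at least 20 characters
  encryption_key: changeme-use-a-long-random-value
  postgres:
    address: tcp://postgres:5432
    database: authelia
    username: authelia
    password: changeme  # must match POSTGRES_PASSWORD
notifier:
  filesystem:
    filename: /config/notifications.txt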

Authelia vs Authentik vs Keycloak

Feature | Authelia | Authentik | Keycloak
Open source | ✅ Apache 2.0 | ✅ MIT | ✅ Apache 2.0
Self-hostable
Memory usage | ~25 MB | ~500 MB+ | ~512 MB+
Full IdP (SAML, LDAP)
Forward auth❌ native
Best for | Homelabs, lightweight SSO | Growing teams, full IdP | Enterprise

Authelia wins on resource usage and simplicity. Choose Authentik or Keycloak if you need SAML, LDAP, or enterprise-scale user management.

How Much Does Authelia Cost?

Authelia is 100% free and open-source under the Apache 2.0 license — no paid tiers, no licensing fees, no feature paywalls. On Railway, you pay only for the infrastructure (Authelia, Postgres, Redis). There is no official Authelia cloud offering; self-hosting is the only deployment model.

FAQ

What is Authelia? Authelia is an open-source forward authentication server that adds SSO and 2FA to web applications. It works as middleware alongside a reverse proxy (Traefik, NGINX, Caddy) — the proxy asks Authelia to verify identity before forwarding a request to the upstream app.

What does this Railway template deploy? Three services: Authelia (the auth portal on port 9091), a PostgreSQL database (schema, TOTP secrets, OIDC tokens), and a Redis instance (session cache). All three are connected over Railway's private network using .railway.internal hostnames.

Why does this template include PostgreSQL and Redis? Authelia requires a relational database for persistent storage and Redis for distributed session caching. Without both, Authelia will refuse to start.

Can I use this in production? Yes. Authelia is used in production across IT, healthcare, and financial services. For production: use a strong AUTHELIA_STORAGE_ENCRYPTION_KEY, configure SMTP for real email notifications, and point a custom domain at the service.

Does Authelia support OpenID Connect? Yes — Authelia is OpenID Certified™ and can act as an OIDC provider for Gitea, Grafana, Nextcloud, Outline, and Portainer. Set OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_REDIRECT_URI, and AUTHELIA_OIDC_HMAC_SECRET to enable it. An RSA key pair is auto-generated on first boot.

How do I protect an app with Authelia? Configure your reverse proxy to forward auth requests to https://<your-authelia-host>/api/authz/forward-auth. Authelia handles login, 2FA, and redirects — your app only receives authenticated requests.

What 2FA methods are supported? TOTP (Google Authenticator, Authy, 1Password), WebAuthn (YubiKey, passkeys, hardware security keys), and Duo mobile push notifications.

