
Deploy Keycloak — Self-Hosted Auth0 Alternative with SSO
Self-host Keycloak: SSO, OIDC, SAML. No per-MAU fees. Apple & Discord login
Just deployed
/var/lib/postgresql/data
Keycloak
Just deployed
Deploy and Host Keycloak on Railway
Keycloak is the enterprise-grade open-source identity and access management platform — backed by Red Hat and the CNCF, powering authentication at Fortune 500 companies and government agencies. Single sign-on, OIDC, OAuth 2.0, SAML 2.0, LDAP/Active Directory federation, MFA, identity brokering, and fine-grained authorization — every protocol Auth0 charges enterprise prices for, with no per-MAU fees. This template ships Keycloak with a modern keywind theme plus Apple and Discord identity providers pre-configured, backed by a private PostgreSQL.
Auth0 bills $2,000–$5,000/month at 50,000 MAU. At 100,000 users the gap versus self-hosted runs past 100x. Keycloak on Railway costs flat compute — no per-user pricing, no feature gates, and your user store on infrastructure you own.
What This Template Deploys
| Service | Purpose |
|---|---|
| Keycloak | The IAM server — realms, clients, SSO, MFA, and the admin console, with a keywind theme and Apple + Discord identity providers pre-wired |
| PostgreSQL | Keycloak's datastore — realms, users, sessions, and configuration. Private-only by default, never exposed externally |
Both services connect over Railway's private network. PostgreSQL is not exposed publicly — you can optionally enable TCP proxying from the database settings if external access is ever needed. Set an admin username and password and the stack is ready.
About Hosting Keycloak
Keycloak is a stateful Java service (Quarkus-based) backed by a database — PostgreSQL is the standard. Running it means a persistent server, a wired database, secrets, HTTPS, and theming work. Keycloak is powerful but heavy: it idles around 1–2 GB RAM before the database.
Railway handles the wiring. This template connects Keycloak to a private PostgreSQL instance, serves admin and login over HTTPS, and ships with a keywind theme plus Apple + Discord social login already configured — the setup that usually takes hours is done.
Typical cost: ~$10–20/month on Railway depending on RAM. Auth0 charges per monthly active user — roughly $2,000–$5,000/month at 50,000 MAU, escalating into six figures annually once SAML, organizations, and log streaming are bundled. Keycloak self-hosted has no per-MAU ceiling.
Deploy in Under 5 Minutes
- Click Deploy on Railway — Keycloak and PostgreSQL build automatically (~3–4 minutes)
- Set
KEYCLOAK_ADMINandKEYCLOAK_ADMIN_PASSWORDin the Variables tab - Open your Railway URL and log into the admin console with those credentials
- Create a realm, add a client for your app, and grab the OIDC discovery URL
- Apple and Discord identity providers are pre-configured — add your provider credentials to enable social login
No Java setup. No database wiring. No theme installation.
Common Use Cases
- Self-hosted alternative to Auth0 — replace per-MAU billing that hits $2,000–$5,000/month at 50k users with flat Railway compute; SAML, LDAP, and organizations are included, not add-ons
- Self-hosted alternative to Okta and Clerk — enterprise SSO, MFA, and identity brokering without per-connection SSO fees or a per-seat ceiling
- Single sign-on across your apps — centralize login for internal tools, dashboards, and customer-facing products behind one OIDC/SAML identity provider
- Social login with Apple and Discord — this template pre-wires both providers; add your credentials and users sign in with Apple or Discord out of the box
- Enterprise federation (LDAP / Active Directory) — bridge existing corporate directories, a feature Auth0 gates behind Enterprise plans and Keycloak includes free
- Data-residency and compliance-driven auth — keep your user store, credentials, and session data in your own PostgreSQL for GDPR, HIPAA, or sovereignty requirements
Configuration
| Variable | Required | Description |
|---|---|---|
KEYCLOAK_ADMIN | ✅ Required | Initial admin console username |
KEYCLOAK_ADMIN_PASSWORD | ✅ Required | Initial admin password — set a strong value before deploying |
KC_DB | ✅ Pre-set | postgres — Keycloak's database vendor |
KC_DB_URL | ✅ Auto-injected | PostgreSQL JDBC URL via Railway reference variable |
KC_DB_USERNAME | ✅ Auto-injected | Database user from the Railway PostgreSQL service |
KC_DB_PASSWORD | ✅ Auto-injected | Database password via Railway reference variable |
KC_HOSTNAME | ✅ Required | Your Railway public domain — Keycloak needs its external hostname for correct URLs |
KC_PROXY_HEADERS | Pre-set | xforwarded — required so Keycloak trusts Railway's proxy for HTTPS |
KC_HTTP_ENABLED | Pre-set | true — Railway terminates TLS at the edge; Keycloak listens on HTTP internally |
KC_HOSTNAMEmust match your Railway public domain, andKC_PROXY_HEADERS=xforwardedmust be set, or Keycloak generates wrong redirect URLs and login loops. This template pre-configures the proxy settings — just set the hostname to your domain after the first deploy.
Keycloak vs. Identity Platforms
| Keycloak (Railway) | Auth0 | Okta | Clerk | |
|---|---|---|---|---|
| Cost at 50k MAU | ~$10–20/mo flat | $2,000–5,000/mo | Enterprise contract | Per-MAU + add-ons |
| Per-MAU pricing | ✅ None | ❌ Yes | ❌ Yes | ❌ Yes |
| SAML 2.0 | ✅ Included | ❌ Higher tiers | ✅ Yes | ❌ Not on Pro |
| LDAP / AD federation | ✅ Included | ❌ Enterprise | ✅ Yes | ❌ No |
| Identity brokering | ✅ Yes | ✅ Yes | ✅ Yes | ⚠️ Limited |
| Self-hostable | ✅ Yes | ❌ No | ❌ No | ❌ No |
| Data ownership | ✅ Your PostgreSQL | ❌ Okta cloud | ❌ Okta cloud | ❌ Clerk cloud |
| Open source | ✅ Apache-2.0 | ❌ No | ❌ No | ❌ No |
Dependencies for Keycloak Hosting
- Railway account — allocate 2 GB+ RAM for Keycloak's JVM (~$10–20/month with PostgreSQL)
- Apple Developer and/or Discord Developer credentials if you enable those social logins
- Your applications configured as OIDC or SAML clients pointing at this Keycloak instance
Deployment Dependencies
- Keycloak GitHub Repository — source and releases
- Keycloak Documentation — realms, clients, and federation
- Keycloak Server Guides — production configuration reference
- keywind Theme — the Tailwind-based Keycloak theme this template uses
Implementation Details
This template deploys Keycloak connected to a private PostgreSQL instance over Railway's internal
network, with KC_PROXY_HEADERS=xforwarded and KC_HTTP_ENABLED=true pre-set so Keycloak works
correctly behind Railway's TLS-terminating proxy. The database is not exposed externally by
default; TCP proxying can be enabled from the database settings if you need direct access, and
removed at any time to close it off.
The build includes the keywind Tailwind theme and pre-configured Apple and Discord identity providers — add your provider credentials in the admin console to activate them. Keycloak is a heavy Java service: give it at least 2 GB RAM, and expect a 30–60 second JVM startup on deploy. All realm and user data persists in PostgreSQL across redeploys.
Frequently Asked Questions
How much does Keycloak save versus Auth0? Auth0 bills per monthly active user — roughly $2,000–$5,000/month at 50,000 MAU, and the gap versus self-hosted exceeds 100x at 100,000 users. Keycloak on Railway costs flat compute (~$10–20/month) with no per-MAU fees. Once you cross a few thousand active users, the economics flip hard in Keycloak's favor.
What does the keywind theme and Apple/Discord setup add? Vanilla Keycloak login pages are functional but plain, and configuring social providers takes manual setup. This template ships the Tailwind-based keywind theme for modern login pages and pre-wires Apple and Discord identity providers — you just add your provider credentials to activate them, saving the theming and configuration work.
Is Keycloak hard to run? Keycloak is powerful but heavy — a Java service that idles around 1–2 GB RAM with a steeper learning curve than lighter tools. This template removes the infrastructure setup (database, proxy, theme), but configuring realms, clients, and flows still rewards reading the docs. For enterprise federation (LDAP/AD, complex SAML), that depth is exactly why teams choose Keycloak.
Do I lose users and realms if Railway redeploys? No. All realms, users, clients, sessions, and configuration are stored in the Railway-managed PostgreSQL database, not in the Keycloak container. Redeploys and version updates don't affect your identity data.
Can I migrate from Auth0 or Okta? Yes. Keycloak imports users and supports gradual cutover, and can act as an identity broker that delegates to an existing Auth0/Okta IdP during transition. Each Auth0 application maps to a Keycloak client; password hashes and social connections need reconfiguration per the migration guide.
Why do I need to set KC_HOSTNAME?
Keycloak builds redirect and token URLs from its configured hostname. If it doesn't match your
Railway public domain, logins fail or loop. Set KC_HOSTNAME to your Railway domain after the
first deploy — the proxy headers are already configured in this template.
Why Deploy and Host Keycloak on Railway?
Railway is a singular platform to deploy your infrastructure stack. Railway will host your infrastructure so you don't have to deal with configuration, while allowing you to vertically and horizontally scale it.
By deploying Keycloak on Railway, you get enterprise-grade identity and access management — SSO, OIDC, SAML, LDAP federation, and MFA with a modern theme and Apple + Discord login pre-wired — at flat ~$10–20/month with no per-MAU fees and full ownership of your user store.
Template Content
Keycloak
leonardochappuis/keycloak-dockerKEYCLOAK_ADMIN
Your default admin username
