Pocket ID - Lightweight Passkey-Only OIDC Provider

Tags: oidc, passkeys, authentication, self-hosted, passwordless, ldap, identity-provider

Summary

Pocket ID is a self-hosted OIDC (OpenID Connect) provider that uses passkeys as its only authentication method, eliminating passwords entirely. It offers LDAP sync, user group restrictions, audit logs, and a REST API - all in a lightweight package designed for homelab and small-org use cases.

Key Insight

  • Passkey-only approach is the key differentiator - no password fallback at all. This simplifies the security model but means all users need passkey-capable devices.
  • Supports one-time login codes as a workaround when a passkey device is unavailable, which addresses the main objection to passkey-only auth.
  • LDAP integration means it can sit in front of an existing directory without duplicating user management - useful as a modern auth facade over legacy infrastructure.
  • User registration flexibility covers three models: admin-created, invite links, or open registration. This makes it viable for both locked-down teams and community-facing services.
  • Built-in audit logging per user and globally, plus email alerts for unknown device sign-ins - features usually missing from lightweight self-hosted auth solutions.
  • Competes with Authelia, Authentik, and Keycloak but targets simplicity over feature breadth. Good fit when you only need OIDC and don’t want to manage a complex IdP.