# Pocket ID - Lightweight Passkey-Only OIDC Provider

> Pocket ID is a self-hosted passkey-only OIDC provider with LDAP sync, user group restrictions, audit logs, and a REST API for homelab and small-org use.

Published: 2026-03-29
URL: https://daniliants.com/insights/pocket-id-simple-oidc-provider/
Tags: oidc, passkeys, authentication, self-hosted, passwordless, ldap, identity-provider

---

## Summary

Pocket ID is a self-hosted OIDC (OpenID Connect) provider that uses passkeys as its only authentication method, eliminating passwords entirely. It offers LDAP sync, user group restrictions, audit logs, and a REST API - all in a lightweight package designed for homelab and small-org use cases.

## Key Insight

- **Passkey-only approach** is the key differentiator - no password fallback at all. This simplifies the security model but means all users need passkey-capable devices.
- Supports **one-time login codes** as a workaround when a passkey device is unavailable, which addresses the main objection to passkey-only auth.
- **LDAP integration** means it can sit in front of an existing directory without duplicating user management - useful as a modern auth facade over legacy infrastructure.
- **User registration flexibility** covers three models: admin-created, invite links, or open registration. This makes it viable for both locked-down teams and community-facing services.
- Built-in **audit logging** per user and globally, plus email alerts for unknown device sign-ins - features usually missing from lightweight self-hosted auth solutions.
- Pocket ID competes with Authelia, Authentik, and Keycloak but targets simplicity over feature breadth. It is a good fit when you only need OIDC and don't want to manage a complex IdP.