Pocket ID - simple passkey-only OIDC provider for self-hosted services

Tags: passkeys, oidc, authentication, self-hosting, sso, docker, identity-provider

Summary

Pocket ID is a lightweight, self-hosted OIDC provider that uses passkeys as the only authentication method - no passwords at all. It fills the gap between complex identity solutions like Keycloak/ORY Hydra and having no SSO for self-hosted services, deploying easily via Docker.

Key Insight

  • Passkey-only by design - deliberately eliminates passwords entirely, betting on passkeys as the future of auth. This is an opinionated but forward-looking choice that removes password management, reuse, and phishing risks in one move.
  • Targets the self-hosting sweet spot - Keycloak and ORY Hydra are enterprise-grade and complex to configure. Pocket ID is purpose-built for homelab/small-scale use where you want one login across services without spending days on IdP setup.
  • Hardware key friendly - explicitly supports YubiKey and similar physical security keys as passkey devices, making it practical for environments where you want strong physical authentication across all services.
  • Standard OIDC - any service that supports OIDC as an auth provider can integrate with it, giving broad compatibility without vendor-specific plugins.