This stack combines the best open-source identity tools for building a complete self-hosted authentication platform. Authentik serves as the primary Identity Provider, handling SSO across applications with SAML, OAuth2, OIDC, LDAP, and proxy authentication. Its modern UI and customizable flow system make it the most accessible self-hosted IdP for teams that want enterprise capabilities without Keycloak's operational complexity.
Ory Hydra provides the OAuth2 and OpenID Connect authorization server for applications that need certified protocol compliance. Deployed alongside Authentik or independently, Hydra handles token issuance, client management, and consent flows with a Go-based runtime that delivers excellent performance. The separation of the authorization server from the identity provider enables clean architectural boundaries.
OpenBao manages the secrets, certificates, and API keys that the authentication infrastructure depends on. As the Linux Foundation fork of HashiCorp Vault, it provides secrets management, encryption as a service, and PKI certificate lifecycle management under truly open-source governance. This eliminates the licensing concerns that Vault's move to the Business Source License (BSL) introduced for infrastructure-critical secrets management.
FusionAuth handles customer-facing identity management for applications that serve external users rather than internal employees. Its no-per-user pricing model makes it economically viable for applications with large user bases, and the self-hosted deployment option ensures user data stays within organizational boundaries. The drag-and-drop theme builder enables branded login experiences without custom CSS development.
The entire stack runs on self-hosted infrastructure under permissive open-source licenses, giving organizations complete sovereignty over their identity data and authentication logic. There are no per-user fees, no vendor lock-in, and no third-party data processing. The tradeoff is operational responsibility for deployment, updates, monitoring, and security patching across the component services.
Integration between components follows standard identity protocols. Authentik federates with FusionAuth through OIDC for unified SSO. Ory Hydra delegates authentication to either platform based on the application's requirements. OpenBao stores and rotates the secrets, certificates, and API keys that all components use. Each tool can be adopted independently as needs evolve rather than requiring full-stack commitment from day one.