Unified Identity for Your Homelab: Using Pocket ID to Authenticate Every Self-Hosted Service

Replace scattered logins with a single passkey-based identity provider. A practical guide to deploying Pocket ID and connecting it to Immich, Proxmox, Grafana, and more.

[Cover image: digital identity and authentication concept with lock and key. Photo by Redd Francisco / Unsplash]

If you self-host more than a handful of services, you’ve probably hit the same wall: a different username and password for Immich, another for Proxmox, yet another for Grafana, and so on. Each service has its own user database, its own password-reset flow, and its own session management. It doesn’t scale, and it’s a security liability: every one of those user databases is a credential store you have to protect, and a password reused across them is only as safe as the weakest service holding it.

Pocket ID solves this by acting as a lightweight, self-hosted OpenID Connect (OIDC) identity provider built entirely around passkeys. No passwords, no TOTP codes, no external dependencies—just a single source of truth for authentication across your entire homelab.


Why Pocket ID Over Keycloak or Authelia?

The self-hosted identity space already has established players. Here’s why Pocket ID is worth considering:

  • Passkey-first design — Authentication uses WebAuthn/FIDO2 exclusively. There are no passwords to leak, phish, or brute-force: a passkey is bound to the origin it was registered on, so a look-alike domain cannot collect anything it could replay against the real one.
  • Minimal footprint — A single container with SQLite by default. No Java runtime, no external database required. Starts in seconds.
  • Standard OIDC — Any service that supports OpenID Connect works out of the box. Pocket ID already has documented integrations for 80+ services.
  • Simple admin UI — Create OIDC clients, manage users, and configure groups from a clean web interface.
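To make the "nothing to phish" claim concrete, here is the pair of checks a WebAuthn relying party runs on every login response before it even looks at the signature. This is an added example written for this guide, not Pocket ID's code; the host name id.example.com is the guide's example and the responses are constructed in the script rather than captured from a browser.

```python
"""Relying-party binding checks that make a passkey phishing-resistant.

Added example for this guide, not Pocket ID's own code. It reproduces the
checks a WebAuthn relying party runs on an assertion before verifying the
signature (W3C WebAuthn Level 2, section 7.2): the browser-produced
clientDataJSON names the origin the user really visited, and the
authenticator's authenticatorData starts with SHA-256 of the RP ID the
credential was created for. The host id.example.com is the guide's example;
the responses below are constructed here, not captured traffic.
"""
import base64
import hashlib
import json
import os
import secrets

RP_ID = "id.example.com"                      # assumed Pocket ID host
ALLOWED_ORIGINS = {"https://id.example.com"}  # the only origin we accept

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Stand-in for the clientDataJSON a browser builds; the RP never creates this itself."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, flags: int = FLAG_UP | FLAG_UV, sign_count: int = 1) -> bytes:
    """rpIdHash (32 bytes) || flags (1) || signCount (4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_bindings(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Signature verification is the step that follows
    these checks and needs the stored public key, so it is not repeated here."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, f"unexpected ceremony type {client_data.get('type')!r}"
    challenge = b64url_decode(client_data.get("challenge", ""))
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch: replayed response or wrong session"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        # A look-alike domain ends up here: the browser wrote the origin it was really on.
        return False, f"origin {client_data.get('origin')!r} is not this relying party"
    if len(authenticator_data) < 37:
        return False, "authenticatorData is too short"
    if not secrets.compare_digest(authenticator_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match our RP ID"
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False, "user presence flag not set"
    if not flags & FLAG_UV:
        # Requiring UV is a policy choice; this example insists on it.
        return False, "user verification flag not set"
    return True, "bindings ok; verify the signature over authenticatorData || SHA-256(clientDataJSON) next"


def demo(origin: str, rp_id: str, flags: int = FLAG_UP | FLAG_UV) -> tuple[bool, str]:
    """Fresh challenge, response built as if the user were on `origin` with RP ID `rp_id`."""
    challenge = os.urandom(32)
    return verify_bindings(make_client_data(challenge, origin),
                           make_authenticator_data(rp_id, flags), challenge)


def replay_demo() -> tuple[bool, str]:
    """A captured response carries an old session's challenge, so it fails before anything else."""
    captured = make_client_data(os.urandom(32), "https://id.example.com")
    return verify_bindings(captured, make_authenticator_data(RP_ID), os.urandom(32))


if __name__ == "__main__":
    print("genuine login:    ", demo("https://id.example.com", "id.example.com"))
    print("look-alike site:  ", demo("https://id-example.com", "id-example.com"))
    print("no user verify:   ", demo("https://id.example.com", "id.example.com", FLAG_UP))
    print("replayed response:", replay_demo())
```

The look-alike case is the one that matters for phishing: a site at id-example.com can run the ceremony, but the browser records id-example.com as the origin and scopes the credential lookup to that RP ID, so there is nothing for the attacker to forward to the real Pocket ID. The origin and rpIdHash checks in the script are the server-side half of that guarantee.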

If you run a large organization with complex RBAC, SAML requirements, or federation across multiple IdPs, Keycloak is still the right choice. But for a homelab or small team, Pocket ID gives you SSO in minutes, not hours.


Deploying Pocket ID

Pocket ID requires HTTPS (WebAuthn mandates a secure context), so terminate TLS at a reverse proxy such as Traefik or Caddy and put Pocket ID behind it. If you already run one, you’re set. APP_URL must be the exact public origin users will type, because that hostname is the RP ID your passkeys are bound to; moving Pocket ID to a different hostname later means re-registering every passkey.

Docker Compose

services:
  pocket-id:
    # Pin a major version rather than latest; the 1.x images listen on 1411
    # and keep their state under /app/data.
    image: ghcr.io/pocket-id/pocket-id:v1
    restart: unless-stopped
    ports:
      # Publish on loopback only: with TRUST_PROXY=true Pocket ID believes
      # X-Forwarded-* headers, so nothing but the reverse proxy may reach it.
      # If the proxy is itself a container, drop `ports` and share a network.
      - "127.0.0.1:1411:1411"
    environment:
      - APP_URL=https://id.example.com   # exact public origin; passkeys are bound to this host
      - TRUST_PROXY=true
    volumes:
      - pocket-id-data:/app/data

volumes:
  pocket-id-data:

Spin it up, then navigate to https://id.example.com/setup to register your first admin passkey. That’s the entire installation. Two things worth doing straight away: register a second passkey (a hardware key or another device) for the admin account, so one lost device can’t lock you out of the IdP that everything else depends on; and confirm the image you pulled listens where your proxy expects (the 1.x images serve on port 1411, the pre-1.0 images served on port 80).


Integrating with Your Services

The pattern is always the same: create an OIDC client in Pocket ID, then point your service at the discovery document, which Pocket ID publishes at https://id.example.com/.well-known/openid-configuration. Most services only ask for the issuer, https://id.example.com, and append the well-known path themselves. Let’s walk through three common homelab services.

Immich (Photo Management)

In Pocket ID, create a new OIDC client named immich and set the callback URLs exactly as shown; the redirect URI in each login request is compared against this list as a string, so a differing scheme, path, or query string will be rejected:

https://photos.example.com/auth/login
https://photos.example.com/user-settings
app.immich:///oauth-callback

The third callback enables the Immich mobile app to complete the OAuth flow.

In Immich, go to Administration → Settings → Authentication Settings → OAuth and configure:

  • Issuer URL: https://id.example.com (the Pocket ID base URL; Immich appends /.well-known/openid-configuration itself, so don’t paste the discovery URL)
  • Client ID and Client Secret: from the OIDC client you just created
  • Button Text: "Login with Pocket ID" (optional)

Save, and your Immich instance now authenticates through Pocket ID. Log out and back in through the new button before going further; once that works, consider turning off password login on the same settings page so the local accounts stop being a parallel way in. If that ever locks you out, Immich documents an immich-admin enable-password-login command, run inside the server container, to turn it back on.

Proxmox VE (Virtualization)

Create an OIDC client named proxmox in Pocket ID. Set the callback URL to the exact origin your browser uses for the Proxmox UI: Proxmox sends that origin as the redirect URI, so include the port unless a reverse proxy sits in front (e.g., https://proxmox.example.com:8006).

In Proxmox, navigate to Datacenter → Permissions → Realms and add a new OpenID Connect Server realm:

  • Issuer URL: https://id.example.com
  • Realm: PocketID
  • Client ID and Client Key: from Pocket ID
  • Username Claim: username
  • Autocreate Users: enabled

For group-based permissions (Proxmox VE 8.1 added the groups claim options), set the scope to openid profile email groups and the groups claim to groups. Then map Pocket ID groups to Proxmox roles. Keep group names to the characters Proxmox accepts in a group ID (letters, digits, dots, hyphens, underscores), so something like proxmox-admins rather than "Proxmox Admins". Two things to remember about the realm: auto-created users arrive with no permissions until you grant them a role, which is what you want; and root@pam remains a local password account that OIDC does not replace, so keep that password strong, unique, and rarely used.

Grafana (Monitoring)

Create an OIDC client named grafana with the callback URL https://grafana.example.com/login/generic_oauth.

Add the following to your Grafana configuration:

[auth.generic_oauth]
enabled = true
name = Pocket ID
client_id = <your-client-id>
client_secret = <your-client-secret>
auth_url = https://id.example.com/authorize
token_url = https://id.example.com/api/oidc/token
api_url = https://id.example.com/api/oidc/userinfo
scopes = openid profile email

Restart Grafana, and the login page will show a "Login with Pocket ID" button. Make sure [server] root_url is your public Grafana URL, or the callback Grafana sends will not match the one registered above. Users who sign in this way get the Viewer role by default; to drive roles from Pocket ID groups instead, add groups to the scopes and set role_attribute_path to a JMESPath expression such as contains(groups[*], 'grafana-admins') && 'Admin' || contains(groups[*], 'grafana-users') && 'Viewer', with role_attribute_strict = true so a user in neither group is refused rather than quietly becoming a Viewer.
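Three of the mistakes above (pasting the discovery URL where a service wants the issuer, mistyping one of Grafana's hand-entered endpoints, and registering callback URLs that do not match what the service actually sends) are all checkable against the discovery document. The script below is an added example written for this guide, not code from Pocket ID, Immich or Grafana. The discovery document is constructed inline to mirror the endpoints listed above for https://id.example.com (the jwks_uri path is an assumption); in practice fetch the real one from the well-known URL and feed it to load_discovery.

```python
"""Check a service's OIDC settings against the provider's discovery document.

Added example for this guide, not Pocket ID's or any client's own code. The
discovery document is constructed here to mirror the endpoints the guide
lists for https://id.example.com (the jwks_uri path is an assumption); in
practice fetch the real one from <issuer>/.well-known/openid-configuration.
"""
import json
from urllib.parse import urlsplit

DISCOVERY_JSON = """{
  "issuer": "https://id.example.com",
  "authorization_endpoint": "https://id.example.com/authorize",
  "token_endpoint": "https://id.example.com/api/oidc/token",
  "userinfo_endpoint": "https://id.example.com/api/oidc/userinfo",
  "jwks_uri": "https://id.example.com/.well-known/jwks.json",
  "scopes_supported": ["openid", "profile", "email", "groups"],
  "response_types_supported": ["code"]
}"""

# Grafana settings exactly as the guide gives them, and a broken variant
# (mistyped token_url, groups used for roles without requesting the scope).
GRAFANA_FROM_GUIDE = {
    "auth_url": "https://id.example.com/authorize",
    "token_url": "https://id.example.com/api/oidc/token",
    "api_url": "https://id.example.com/api/oidc/userinfo",
    "scopes": "openid profile email",
}
GRAFANA_BROKEN = dict(GRAFANA_FROM_GUIDE,
    token_url="https://id.example.com/token",
    role_attribute_path="contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer'")

IMMICH_CALLBACKS = ["https://photos.example.com/auth/login",
                    "https://photos.example.com/user-settings",
                    "app.immich:///oauth-callback"]


def load_discovery(raw: str) -> dict:
    """Parse the discovery document and refuse anything that is not an https issuer
    whose endpoints all sit on the issuer's own origin."""
    doc = json.loads(raw)
    missing = [k for k in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri") if k not in doc]
    if missing:
        raise ValueError(f"discovery document is missing {missing}")
    issuer = urlsplit(doc["issuer"])
    if issuer.scheme != "https":
        raise ValueError("issuer must be an https URL")
    for key, value in doc.items():
        if key.endswith(("_endpoint", "_uri")):
            parts = urlsplit(value)
            if (parts.scheme, parts.netloc) != ("https", issuer.netloc):
                raise ValueError(f"{key} ({value}) is not on the issuer origin")
    return doc


def check_issuer(doc: dict, configured: str) -> list[str]:
    """Services such as Immich take the issuer and append the discovery path themselves."""
    problems = []
    if configured.endswith("/.well-known/openid-configuration"):
        problems.append("paste the issuer, not the discovery URL; the service appends the path itself")
    if configured.rstrip("/") != doc["issuer"].rstrip("/"):
        problems.append(f"configured issuer {configured!r} is not the published issuer {doc['issuer']!r}")
    elif configured != doc["issuer"]:
        problems.append("issuer differs only by a trailing slash; clients compare the string exactly")
    return problems


def redirect_uri_allowed(registered: list[str], redirect_uri: str) -> bool:
    """Exact string match only, as the OAuth 2.0 Security BCP requires: no prefixes,
    no wildcards, no scheme downgrades, no extra query parameters."""
    return redirect_uri in registered


def check_grafana(doc: dict, cfg: dict) -> list[str]:
    """Grafana's [auth.generic_oauth] does not read discovery, so the hand-typed
    URLs and scopes are compared with what the provider actually publishes."""
    problems = []
    expected = {"auth_url": doc["authorization_endpoint"],
                "token_url": doc["token_endpoint"],
                "api_url": doc.get("userinfo_endpoint")}
    for key, want in expected.items():
        if cfg.get(key) != want:
            problems.append(f"{key} is {cfg.get(key)!r} but discovery publishes {want!r}")
    scopes = cfg.get("scopes", "").split()
    if "openid" not in scopes:
        problems.append("scopes must include openid for an OIDC login")
    unsupported = [s for s in scopes if s not in doc.get("scopes_supported", [])]
    if unsupported:
        problems.append(f"provider does not advertise scopes {unsupported}")
    if "groups" in cfg.get("role_attribute_path", "") and "groups" not in scopes:
        problems.append("role_attribute_path reads the groups claim but the groups scope is not requested")
    return problems


if __name__ == "__main__":
    doc = load_discovery(DISCOVERY_JSON)
    print(check_issuer(doc, "https://id.example.com/.well-known/openid-configuration"))
    print(check_grafana(doc, GRAFANA_FROM_GUIDE), check_grafana(doc, GRAFANA_BROKEN))
    for uri in ("https://photos.example.com/auth/login", "http://photos.example.com/auth/login",
                "https://photos.example.com/auth/login?next=/", "app.immich:///oauth-callback"):
        print(uri, redirect_uri_allowed(IMMICH_CALLBACKS, uri))
```

The redirect check is deliberately nothing more than list membership: that is the behaviour you want from the IdP, and it is why the Immich list above carries the mobile app's custom scheme as its own entry rather than relying on any prefix match.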


Beyond Individual Services: Protecting Any App with OAuth2 Proxy

Not every service supports OIDC natively. For those, you can place an OAuth2 Proxy in front of them. This gives you Pocket ID authentication for applications that have no built-in auth at all—dashboards, internal tools, static sites, you name it.

The setup is straightforward: register one more OIDC client in Pocket ID per protected app, with the callback https://app.example.com/oauth2/callback (the path oauth2-proxy serves); run oauth2-proxy with --provider=oidc, --oidc-issuer-url=https://id.example.com, the client ID and secret, a random --cookie-secret, and --allowed-group to limit who gets through; then have your reverse proxy consult it (nginx auth_request, Traefik forwardAuth, or oauth2-proxy's own --upstream mode) before forwarding requests. The part that is easy to get wrong is reachability: the upstream app must be reachable only through the proxy, on an internal Docker network with no published port, or the login page is simply a detour around an open door.


The Full Picture

With Pocket ID at the center of your homelab, your authentication topology looks like this:

  • One identity provider — Pocket ID manages all users and passkeys.
  • One login flow — Tap your fingerprint or hardware key, and you’re in.
  • Per-service OIDC clients — Each service gets its own client ID/secret pair with scoped callback URLs.
  • Group-based access control — Define groups once in Pocket ID, map them to roles in each service.
  • No user passwords — Nothing for users to rotate, nothing for a service to leak. What remains are the per-client OIDC secrets and each service’s local break-glass admin (Proxmox’s root@pam, Immich’s local login if you left it on); keep those few secrets in a password manager and disable local login wherever the service allows it.

Pocket ID currently supports integrations with 80+ services out of the box, including Nextcloud, Portainer, Gitea, Jellyfin, Paperless-ngx, Vaultwarden, Outline, and many more. Check the full list in the official docs.


Wrapping Up

Managing identity across self-hosted services doesn’t have to involve a heavyweight IdP. Pocket ID gives you passwordless SSO with minimal operational overhead: one container, passkey-only auth, and standard OIDC that works with virtually everything.

If you’re tired of juggling credentials across your homelab, give it a try. You can be up and running in under ten minutes.
