Pocket ID, a simple self hosted OIDC provider that signs your users in with passkeys instead of passwords.
Pocket ID is a self hosted OpenID Connect provider built around a single idea: people should sign in with passkeys, not passwords. You point your existing applications at it as their identity provider, and users authenticate to all of them with the fingerprint reader, face unlock or hardware security key they already carry. Nothing is left to choose, rotate, leak or phish.
It runs as one self contained service that embeds its own web interface and stores everything in an embedded database, so the entire identity plane is a single process. That makes it a practical alternative to a full identity suite for teams who want passwordless single sign on across a handful of self hosted applications without operating heavy infrastructure to get it.
cloudimg delivers Pocket ID fully installed behind an nginx reverse proxy, listening on loopback so it is never exposed directly, with an unauthenticated health endpoint for load balancer probes. Because this image is the identity plane itself, it is secure by default in a way that matters: no user, no passkey, no signing key and no secret ship in it. Pocket ID's initial administrator route is open to whoever reaches it first while no user exists, so on the first boot of every instance a sole administrator is created for that instance alone, which closes that route before the machine is ever reachable and removes the window in which someone else could claim your identity provider. That administrator has no password and no passkey: entry is a one time sign in link written to a file only the root user can read, so your SSH key is the root of trust. The encryption key is generated per instance too. The base OS is fully patched, the release is pinned, and every image is paired with a step by step deploy guide and 24/7 support.
Real screenshots taken while testing this image against its deployment guide.