Authelia is a full-featured authentication server with SSO, 2FA, and LDAP integration. Gate is a lightweight auth proxy for internal tools that gets out of the way. Here's when each makes sense.

| | Gate | Authelia |
|---|---|---|
| Setup complexity | ~60 seconds, 2 env vars | Significant — config files, Redis, LDAP/SMTP |
| Dependencies | Zero (embedded SQLite) | Redis, SMTP server, optional LDAP |
| Auth methods | API keys, session login | Username/password, 2FA, SSO, LDAP, OAuth2 |
| SSO / 2FA | No | Yes |
| Access logs | Built-in | Yes (via file/syslog) |
| Per-route rules | Basic (Pro) | Yes, fine-grained |
| Rate limiting | Yes | Basic |
| API key auth | Yes — first-class | Not natively |
| Dashboard | Built-in at /ui | No admin UI |
| License | Apache 2.0 | Apache 2.0 |
| Target user | Developer, small/mid team | Sysadmin, enterprise team |
Gate is designed for the common case: you have an internal service with no auth, and you need to add it without a project. Two environment variables and you're done. No config files, no database migrations, no Redis cluster.
It's particularly strong for API key auth. If your users are developers or services rather than humans logging in with SSO, Gate's bearer token model is a natural fit. Issue a key per consumer, revoke it when needed, see who's calling what in the access log.
For small teams running a handful of internal tools — Grafana, an admin panel, a private API — Gate covers the need cleanly. The free tier handles 1 upstream and 5 users, which is enough for most solo dev setups. Pro ($2.99/mo) removes those limits.
If your organization needs SSO across dozens of services, LDAP/Active Directory integration, hardware 2FA tokens, or fine-grained authorization policies at the path level — Authelia is built for that. Gate is not.
Authelia also integrates with identity providers like Google Workspace or Azure AD via OIDC. If your team already has a corporate identity provider and you need all internal tools to use it, Authelia's integration model is the right approach.
The tradeoff is real: Authelia requires Redis, an SMTP server, and careful configuration to get right. For teams that have dedicated platform engineers and need enterprise-grade auth, that's an appropriate investment. For a three-person dev team protecting an internal Grafana instance, it's usually overkill.
Before choosing between Gate and Authelia, consider what happens when you need to leave. Authelia exports vary in completeness — some fields, some history, some metadata may not come with you. Gate stores everything in a single SQLite file. Leaving means copying that file. This is not a hypothetical concern: the average team changes tools every 18 to 24 months.
Gate runs as a single static binary with an embedded SQLite database. There is no application server, no cache layer, no background worker. One process handles HTTP requests and reads from and writes to the database file directly. This simplicity is the entire point — fewer moving parts means fewer things that can break at 2 AM.
Authelia can be self-hosted, but the experience differs significantly from Gate. It requires Docker, Postgres/MySQL, Redis, and a reverse proxy (Traefik/Nginx). With Gate, self-hosting means downloading one file and running it. The gap in operational complexity matters most for small teams without dedicated DevOps staff.
The migration path from Authelia depends on how much history you need to bring over. If you only need active records, a manual re-entry through Gate's dashboard might be faster than writing a migration script. If you need full history, export from Authelia and use Gate's POST API to import records. Either way, the process is measured in hours, not weeks.
Single binary. No config files. No Redis. Free to start.