Keycloak vs Hanko for Solo Developers
Comparing Keycloak and Hanko for solo developers.
Both Keycloak and Hanko are open-source, self-hostable authentication solutions. But they could not be more different in scope, philosophy, and complexity. Keycloak is an enterprise identity platform built over a decade. Hanko is a modern, passkey-first authentication service built for the post-password era. For solo developers, the choice depends on whether you need power or simplicity.
Keycloak Overview
Keycloak is an identity and access management server originally developed by Red Hat. It supports OAuth 2.0, OpenID Connect, SAML 2.0, LDAP, Active Directory, user federation, identity brokering, and fine-grained role-based access control. Enterprise organizations use it to manage authentication and authorization across dozens of internal and external applications.
You deploy Keycloak as a standalone Java application (usually via Docker) with its own database. The admin console is extensive, offering control over realms, clients, users, roles, groups, authentication flows, and session policies. Custom authentication flows can be built through a visual editor, and themes allow branding the login experience.
The cost of all this capability is operational complexity. Keycloak requires a dedicated server, database management, TLS configuration, Java tuning, and regular security updates. The learning curve is steep, and debugging configuration issues often means diving deep into OIDC specifications.
Hanko Overview
Hanko is an open-source authentication platform focused on passkeys and passwordless login. It ships as a single Go binary that you can self-host or use through Hanko Cloud. The product provides web components (<hanko-auth> and <hanko-profile>) that render a complete, customizable login UI in your frontend.
Hanko's philosophy is that passwords are a problem to be eliminated, not managed. Passkeys (WebAuthn) are the primary login method. Email passcodes serve as the fallback. Traditional passwords are supported but disabled by default. OAuth social providers are available as well.
Self-hosting Hanko is lightweight compared to most auth servers. The Go binary has minimal dependencies, starts quickly, and consumes far less memory than a Java application. Hanko Cloud offers a free tier with 10,000 MAU for developers who prefer managed hosting.
Comparison Table
| Feature | Keycloak | Hanko |
|---|---|---|
| Type | Identity platform | Auth service |
| Latest version | 26.6.2 (May 2026) | 2.5 (Mar 2026) |
| Language | Java | Go |
| GitHub stars | ~34.6K | ~8.9K |
| Self-host complexity | High | Low |
| Resource usage | Heavy (JVM, ~1.25 GB base per pod) | Lightweight |
| Passkey support | Native since 26.4 (enable in policy) | Core feature, on by default |
| SAML 2.0 | Yes (built in) | Cloud Pro add-on ($49/mo per connection) |
| LDAP/AD | Yes | No |
| RBAC | Built-in, fine-grained | Not included |
| Multi-tenancy | Realms | Cloud projects (2 free, 5 on Pro) |
| Custom auth flows | Visual flow editor | Limited |
| UI components | Themed login pages | Drop-in web components |
| Admin console | Comprehensive | Minimal |
| OAuth providers | Unlimited (manual) | Growing list |
| Free tier (cloud) | N/A (self-host only) | 10,000 MAU, 2 projects |
| Community maturity | Very mature (10+ years) | Young, growing |
| Learning curve | High | Low |
By the Numbers (2026)
Specs, prices, and adoption signals, all checked on 2026-05-28.
Releases and language. Keycloak's latest release is 26.6.2, published 19 May 2026, written in Java and running on Quarkus. Hanko's latest backend release is 2.5, published 3 March 2026, written in Go. Keycloak ships frequent point releases on a roughly monthly cadence, while Hanko cuts a numbered backend release every one to two months.
Adoption. Keycloak carries about 34,600 GitHub stars against Hanko's roughly 8,900. The npm picture tells the same story from the client side. The keycloak-js adapter pulled about 822,900 weekly downloads, while @teamhanko/hanko-elements (the drop-in web components) pulled about 4,400. Keycloak is the more entrenched, more widely deployed project by an order of magnitude or more. Hanko is younger but growing, and its star count for a passkey-first newcomer is healthy.
Resource footprint. Keycloak's own high-availability sizing guidance puts the base memory at about 1,250 MB of RAM per pod, including caches of realm data and 10,000 cached sessions, with roughly 70 percent of the container limit going to JVM heap and another 300 MB or so to non-heap memory. That figure climbs with concurrent load. Hanko's Go binary has no JVM to feed and starts in well under that envelope, which is the practical reason it fits comfortably next to your app on a small VPS.
Pricing. Keycloak is free and open source, self-hosted only. There is no managed Keycloak Cloud from the project itself, so your only cost is the infrastructure you run it on. Hanko is also open source and self-hostable for free, and it additionally offers Hanko Cloud:
- Starter (free): 10,000 monthly active users and 2 projects, with passkeys, passwords, passwordless, social SSO, MFA, custom domain, and the admin dashboard included.
- Pro: 29 dollars per month base, including 10,000 MAU and 5 projects, then 0.01 dollars per MAU above 10,000. Adds webhooks, Admin API, custom SMTP, team invites, and support. SAML SSO is a 49 dollars per month add-on per connection.
- Enterprise: custom pricing with unlimited MAU and projects, a 99.99 percent uptime SLA, and private cloud options.
Passkeys. Hanko is passkey-first by design. Keycloak gained native passkey support as a more first-class feature in 26.4 (September 2025), where passkeys integrate into the login forms via conditional and modal UI, though you still enable it through the WebAuthn Passwordless Policy rather than getting it on by default.
When to Pick Keycloak
Keycloak is justified when your project has enterprise-level identity requirements that a simpler tool cannot satisfy:
- You need SAML 2.0 for integrating with enterprise SSO systems.
- LDAP or Active Directory federation is a requirement.
- Your architecture involves multiple applications that need centralized auth with complex role hierarchies.
- Custom authentication flows (conditional MFA, step-up authentication, kerberos) are part of your product.
- Multi-tenancy with isolated realms is essential.
For a solo developer, these requirements are uncommon. If you are building a B2B SaaS that sells to enterprises requiring SAML, Keycloak might be necessary. Otherwise, it is almost certainly more than you need.
When to Pick Hanko
Hanko is the better choice for solo developers in nearly every non-enterprise scenario:
- You want modern, passwordless authentication with minimal setup.
- Drop-in web components save you from building login UI from scratch.
- Self-hosting should be simple, not a DevOps project.
- Passkeys are important to your product experience.
- You prefer a focused tool that does authentication well over a platform that does everything.
The lightweight Go binary means you can run Hanko alongside your app on a small VPS without worrying about memory or CPU. Compare that to Keycloak, which routinely consumes 512MB to 1GB of RAM just sitting idle.
Real Cost at Solo-Dev Scale
The headline numbers do not tell you what you will actually pay, so here is a worked example for a realistic solo project. Assume a small SaaS with 2,000 monthly active users, one production environment, and you running everything yourself.
Keycloak (self-hosted). Keycloak itself is free, but it needs to live somewhere. Its own sizing guidance asks for about 1,250 MB of RAM per pod as a baseline before concurrent load, which rules out the smallest 1 GB droplets if you want headroom for the JVM plus your database. A realistic home for it is a 2 GB or 4 GB VPS, plus a managed or self-run Postgres. Call it roughly 12 to 24 dollars per month for a 2 GB to 4 GB instance, more if you put the database on its own box. There is no per-user fee, so 2,000 MAU and 200,000 MAU cost the same in licensing. What scales is your server bill and your time spent on patching the 16 CVEs that a release like 26.6.2 closes, TLS renewal, and JVM tuning.
Hanko (two paths). Self-hosting the Go binary follows the same logic but with a lighter footprint. It fits on a 1 GB VPS next to your app, so you are looking at the low end of that VPS range, around 5 to 12 dollars per month, again with no per-user fee. If instead you take Hanko Cloud, 2,000 MAU sits comfortably inside the free Starter tier (10,000 MAU, 2 projects), so your direct cost is zero dollars per month with no server to manage. You only start paying when you cross 10,000 MAU on Cloud, at which point the Pro plan is 29 dollars per month plus 0.01 dollars per MAU over the included 10,000. At 25,000 MAU that is 29 plus 150 dollars, so about 179 dollars per month, before any SAML connection add-on at 49 dollars per month each.
The honest read. At true solo-dev scale (single-digit-thousands of users), Hanko Cloud's free tier is the cheapest path because it removes the server and the maintenance entirely. Self-hosting either tool trades a few dollars of VPS for full control, and Hanko self-hosted is cheaper to host than Keycloak purely because the JVM baseline is heavier. Keycloak only "wins on cost" in the narrow case where you are already running large infrastructure and want zero per-user fees at very high MAU, which is rarely the solo-dev situation.
Verdict
Hanko wins for solo developers by a wide margin. The operational simplicity alone makes it the obvious choice. A single Go binary versus a Java application server with a complex admin console is not a close contest when you are the only person managing infrastructure.
Hanko also aligns better with where authentication is heading. Passkeys are becoming the standard. Apple, Google, and Microsoft are all pushing WebAuthn adoption. Building with passkeys now means your auth experience improves as the ecosystem matures.
Keycloak remains the right choice for enterprise identity management. If your project genuinely requires SAML, LDAP, or multi-tenant realm isolation, Keycloak is the proven solution. But if you are a solo developer building a web app and considering Keycloak because it seems more "serious," reconsider. The time you spend configuring and maintaining it would be better spent building the product your users actually care about. Hanko gives you modern, secure auth with a fraction of the overhead.
Sources
All figures checked on 2026-05-28.
- Keycloak GitHub repository (stars, language): https://github.com/keycloak/keycloak
- Keycloak 26.6.2 release announcement (version, date, CVE count): https://www.keycloak.org/2026/05/keycloak-2662-released
- Keycloak passkeys support in 26.4 (native passkey integration): https://www.keycloak.org/2025/09/passkeys-support-26-4
- Keycloak CPU and memory sizing concepts (~1,250 MB base RAM per pod): https://www.keycloak.org/high-availability/concepts-memory-and-cpu-sizing
- keycloak-js weekly npm downloads: https://api.npmjs.org/downloads/point/last-week/keycloak-js
- Hanko GitHub repository (stars, language): https://github.com/teamhanko/hanko
- Hanko Cloud pricing (Starter, Pro, Enterprise tiers and MAU limits): https://www.hanko.io/pricing
- Hanko passkeys feature page: https://www.hanko.io/features/passkeys
- @teamhanko/hanko-elements weekly npm downloads: https://api.npmjs.org/downloads/point/last-week/@teamhanko/hanko-elements
Like this? You'll like what I'm building too.
Two ways to support and get more of this work.
HEARTH
A privacy-first Life OS for your desktop. Journal, tasks, and notes that stay on your machine. Coming soon, direct download from this site.
Read moreMY TOOLKITS
Receipts-first toolkits for shipping after hours, building Claude agents, publishing on Amazon, and more. The exact methods I used, not theory.
Browse on WhopRelated Articles
Angular vs HTMX for Solo Developers
Comparing Angular and HTMX for solo developers. Features, pricing, pros and cons, and which one to pick for your next project.
Angular vs Qwik for Solo Developers
Comparing Angular and Qwik for solo developers. Features, pricing, pros and cons, and which one to pick for your next project.
Angular vs SolidJS for Solo Developers
Comparing Angular and SolidJS for solo developers. Features, pricing, pros and cons, and which one to pick for your next project.