Lucia vs Keycloak for Solo Developers
Comparing Lucia and Keycloak for solo developers. Features, pricing, pros and cons, and which one to pick for your next project.
Quick Comparison
| Feature | Lucia | Keycloak |
|---|---|---|
| Type | Lightweight auth library (JS/TS) | Full identity server (Java, self-hosted) |
| Latest version | v3.2.2 (Oct 2024, npm package now deprecated) | 26.6.2 (May 19, 2026, actively released) |
| Pricing | Free and open source (MIT) | Free and open source (Apache 2.0, you pay for hosting) |
| GitHub stars | ~10.5K | ~34.6K |
| Footprint | npm package, negligible runtime overhead | ~1250 MB base RAM per pod (10K cached sessions) |
| Learning Curve | Moderate-High | High |
| Best For | JS/TS apps wanting custom auth logic | Apps needing SSO, SAML, and user federation |
| Solo Dev Rating | 7/10 | 5/10 |
Lucia Overview
Lucia is an open-source auth library for JavaScript and TypeScript. It provides session management, token generation, and cookie handling as functions you call from your code. You build the rest: registration forms, login logic, OAuth flows, and authorization rules. Lucia is a library in your codebase, not a separate service.
The approach is minimal by design. Lucia handles the cryptographically sensitive parts and trusts you with the application logic. Your database, your schema, your UI, your rules. No external servers, no dashboards, no APIs to call during authentication.
I used Lucia in a Next.js project where I needed sessions with custom expiry logic and embedded metadata. Because Lucia is just a library, I extended it exactly how I needed. The tradeoff was more code upfront, but the result matched my requirements perfectly.
Keycloak Overview
Keycloak is an enterprise-grade identity and access management server from Red Hat. It runs as a standalone Java application (or Docker container) and provides a full admin console for managing users, roles, clients, identity providers, and authentication flows. It supports OIDC, SAML 2.0, LDAP/AD federation, social login, MFA, and fine-grained authorization.
Keycloak is what large organizations use when they need SSO across multiple applications. You deploy it on your infrastructure, configure realms and clients, and your applications authenticate against Keycloak's endpoints. The admin console is a full web UI for managing everything.
I deployed Keycloak for a project with multiple internal apps that needed unified login. The OIDC integration worked well, and the admin console made user management straightforward. But the initial deployment and configuration consumed an entire weekend.
Key Differences
Scope. Lucia is a library. It manages sessions and gives you tools to build auth. Keycloak is a full identity server. It manages users, sessions, roles, social connections, SSO flows, and provides an admin console. They're solving different problems at different scales.
Deployment complexity. Lucia is an npm package. You install it, import it, use it. Keycloak is a Java application that needs its own server, database, TLS certificates, and configuration. For a solo developer, adding Lucia to your app is trivial. Adding Keycloak means operating another service.
SSO and federation. Keycloak excels at SSO across multiple applications. If you have three apps that need the same login, Keycloak handles that natively. Lucia doesn't do cross-application SSO. It manages sessions for a single application. If SSO is a requirement, Keycloak is the answer.
Resource consumption. Lucia runs as part of your application. It adds negligible overhead. Keycloak is a Java server that needs at minimum 512MB-1GB of RAM, more in production. On a small VPS, Keycloak's memory footprint matters. If you're on a $5/month server, Keycloak might not fit.
Language ecosystem. Lucia is JavaScript/TypeScript only. Keycloak speaks OIDC and SAML, so any application in any language can authenticate against it. If your stack includes Python, Go, Ruby, or Java services alongside JavaScript, Keycloak provides a language-agnostic identity layer. Lucia only works within JS/TS.
Admin interface. Keycloak gives you a full web-based admin console for managing users, resetting passwords, configuring social providers, and monitoring sessions. Lucia has no admin interface. User management is done through your application code or directly in the database.
Important: Lucia the Library Is Deprecated
Before you reach for npm install lucia, you should know that the situation changed since this comparison was first written. The Lucia npm package is now marked deprecated, and its last release was v3.2.2 on October 20, 2024. The npm deprecation notice points to the official migration guide at lucia-auth.com/lucia-v3/migrate.
The maintainer did not abandon the project so much as reframe it. The migration guide explains the reasoning plainly. They concluded "it'd be easier and faster to just implement sessions from scratch," and that "the database adapter model wasn't flexible enough for such a low-level library and severely limited the library design." Lucia is now positioned on its homepage as "an open source project to provide resources on implementing authentication using JavaScript and TypeScript." In other words, Lucia is now a learning resource and a copy-paste reference for owning your own session code, not a package you keep as a dependency.
This does not invalidate the Lucia philosophy. The whole point of Lucia was always that auth should live in your codebase under your control. The deprecation pushes that philosophy to its logical end. You read the guide, you write the session table and the validation functions yourself, and you ship without a runtime dependency that can break. If you prefer a maintained package that follows the same spirit, the Lucia author's lower-level building blocks (the Oslo set of utilities and the Arctic OAuth client) are still actively published, and a separate project called Better Auth has become the most-downloaded full-featured successor in the TypeScript auth space.
By the Numbers (2026)
Checked on 2026-05-28.
Lucia
- Latest version: v3.2.2, published 2024-10-20 on npm, now deprecated as a package (registry metadata).
- GitHub: roughly 10,500 stars and 525 forks on lucia-auth/lucia. No tagged GitHub releases; versioning happened through npm.
- npm downloads: about 203,700 in the last week and about 782,300 in the last 30 days for the
luciapackage, which reflects existing apps that still depend on it rather than fresh adoption. - License: MIT.
- Status: maintained as a guide, not as an installed dependency.
Lucia ecosystem (active successors from the same author)
- Arctic (OAuth 2.0 clients): v3.7.0, roughly 593,000 weekly npm downloads.
- @oslojs/crypto (the crypto primitives Lucia v3 itself depends on): roughly 884,600 weekly npm downloads.
- Better Auth (the most-downloaded TypeScript auth framework, same own-your-code spirit): v1.6.11, roughly 3,081,000 weekly npm downloads.
Keycloak
- Latest version: 26.6.2, released 2026-05-19 (GitHub releases). The 26.6.x line shipped multiple point releases through April and May 2026, so this is an actively maintained server.
- GitHub: roughly 34,600 stars and 8,400 forks on keycloak/keycloak, primary language Java.
- Base memory: the official sizing guidance states "the base memory usage for a Pod including caches of Realm data and 10,000 cached sessions is 1250 MB of RAM." Plan on at least 1.25 GB before load.
- CPU: the same guidance allocates 1 vCPU per 15 password-based logins per second, and 1 vCPU per 120 refresh-token requests per second.
- Protocols and features: OpenID Connect, OAuth 2.0, SAML 2.0, LDAP and Active Directory federation, identity brokering and social login, plus a full admin console (official homepage).
- License: Apache 2.0. The software is free; the hosting is not.
Which One Ships Faster for a Solo Dev
Both options are free, so the real cost is not money. It is time and operational weight. Here is a grounded way to decide, given the 2026 reality that Lucia is now a reference rather than a package.
If you are one person building one JavaScript or TypeScript app, the Lucia path ships faster. You are not deploying anything. You add a session table to the database you already run, copy the session-management pattern from the Lucia guide (or pull in the maintained Oslo and Arctic helpers), and you are authenticating users the same afternoon. There is no second service to monitor, no JVM heap to tune, and no 1.25 GB of RAM reserved before your first user signs in. The honest catch in 2026 is that you should not treat npm install lucia as a long-term dependency anymore. Either own the code from the guide or reach for an actively maintained successor like Better Auth, which carries the same own-your-auth philosophy with current downloads in the millions per week.
Keycloak ships faster only when its built-in features would otherwise be a project of their own. If you genuinely need SSO across three apps, SAML for an enterprise customer, or LDAP and Active Directory federation, Keycloak hands you all of that through the admin console on day one. Rebuilding even one of those by hand in a Lucia-style codebase is days of work, so the weekend you spend deploying Keycloak 26.6.2 pays for itself. But if you do not need those features, that same weekend, plus the ongoing 1.25 GB of RAM and a Java server to patch, is pure overhead. A $5 per month VPS that comfortably runs a Lucia-style app does not have the headroom for Keycloak's baseline footprint without crowding out your actual application.
The fast-ship test is one question. Do you need cross-application SSO, SAML, or directory federation right now? If yes, Keycloak earns its weight. If no, the Lucia approach gets you to a logged-in user with the least code and zero new infrastructure.
When to Choose Lucia
- You're building a single JavaScript/TypeScript application
- You want auth as a library in your codebase, not a separate service
- Minimal resource overhead matters (shared hosting, small VPS)
- You need custom session logic that standard tools don't support
- You prefer writing code over configuring admin consoles
When to Choose Keycloak
- You need SSO across multiple applications
- SAML or LDAP/AD integration is required
- You want a full admin console for user management
- Your stack includes non-JavaScript services
- You're comfortable managing an additional server
The Verdict
These tools serve different needs. Lucia is for solo developers building a single JavaScript app who want lightweight, custom auth. Keycloak is for developers who need an identity server that multiple applications authenticate against.
For a typical solo developer building one web app, Lucia is the more appropriate choice. It adds auth to your app without the overhead of running a separate Java server. You get exactly the auth behavior you need without the complexity of enterprise identity management.
Keycloak makes sense when you have multiple applications sharing user identities, or when you need SAML/LDAP for enterprise integrations. But for most solo projects, it's overkill. The deployment and maintenance overhead doesn't justify the features unless you specifically need cross-app SSO.
My recommendation: use Lucia if you're building a single JS/TS app and want custom auth. Use Keycloak if you need SSO across multiple services. For everything in between, consider managed solutions like Clerk or Supabase Auth that give you more features than Lucia with less ops work than Keycloak.
One 2026 footnote on that recommendation. Since Lucia the package is now deprecated, "use Lucia" in practice means follow the Lucia approach. Own the session code from its guide, or pick a maintained successor in the same spirit such as Better Auth. The decision logic above does not change. Keycloak is still the answer when you need real SSO, SAML, or directory federation, and the lightweight own-your-auth path is still the faster ship for a single app.
Sources
All figures checked on 2026-05-28.
- Lucia GitHub repository (stars, forks, status): https://github.com/lucia-auth/lucia
- Lucia npm package metadata and deprecation notice (v3.2.2, published 2024-10-20): https://registry.npmjs.org/lucia/latest
- Lucia npm download counts (weekly and last 30 days): https://api.npmjs.org/downloads/point/last-month/lucia
- Lucia homepage (now positioned as a learning resource): https://lucia-auth.com/
- Lucia v3 migration and deprecation guide (reasoning quotes): https://lucia-auth.com/lucia-v3/migrate
- Arctic and Better Auth npm metadata and download counts: https://registry.npmjs.org/better-auth/latest
- Keycloak GitHub repository (stars, forks, language): https://github.com/keycloak/keycloak
- Keycloak release 26.6.2 (released 2026-05-19): https://github.com/keycloak/keycloak/releases/tag/26.6.2
- Keycloak memory and CPU sizing (1250 MB base RAM, vCPU-per-login figures): https://www.keycloak.org/high-availability/concepts-memory-and-cpu-sizing
- Keycloak feature list (OIDC, OAuth 2.0, SAML, LDAP/AD federation, admin console): https://www.keycloak.org/
Like this? You'll like what I'm building too.
Two ways to support and get more of this work.
HEARTH
A privacy-first Life OS for your desktop. Journal, tasks, and notes that stay on your machine. Coming soon, direct download from this site.
Read moreMY TOOLKITS
Receipts-first toolkits for shipping after hours, building Claude agents, publishing on Amazon, and more. The exact methods I used, not theory.
Browse on WhopRelated Articles
Angular vs HTMX for Solo Developers
Comparing Angular and HTMX for solo developers. Features, pricing, pros and cons, and which one to pick for your next project.
Angular vs Qwik for Solo Developers
Comparing Angular and Qwik for solo developers. Features, pricing, pros and cons, and which one to pick for your next project.
Angular vs SolidJS for Solo Developers
Comparing Angular and SolidJS for solo developers. Features, pricing, pros and cons, and which one to pick for your next project.