
Self-hosting Keycloak the easy way
Yulei Chen
Keycloak is an open-source Identity and Access Management (IAM) solution backed by Red Hat. It gives you single sign-on (SSO), OAuth2, OpenID Connect, SAML, and user federation out of the box. Many companies use managed identity providers like Auth0 or Okta, but the pricing can get steep once your user count grows.
Sliplane is a managed container platform that makes self-hosting painless. With one-click deployment, you can get Keycloak up and running in minutes - no server setup, no reverse proxy config, no infrastructure to maintain.
Prerequisites
Before deploying, ensure you have a Sliplane account (free trial available).
Quick start
Sliplane provides one-click deployment with presets.
- Click the deploy button above
- Select a project
- Select a server (If you just signed up you get a 48-hour free trial server)
- Click Deploy!
About the preset
The one-click deploy above uses Sliplane's Keycloak preset. Here's what it includes:
- Official Keycloak image from quay.io/keycloak/keycloak
- Specific version tag (26.6.2) for stability
- Persistent storage mounted to /opt/keycloak/data for realm configs, users, and sessions
- Pre-configured for running behind a reverse proxy with KC_PROXY_HEADERS=xforwarded
- HTTP enabled (KC_HTTP_ENABLED=true) since Sliplane handles SSL termination
- Health endpoint enabled (KC_HEALTH_ENABLED=true) for monitoring
- Random admin password generated automatically
Next steps
Once Keycloak is running on Sliplane, access it using the domain Sliplane provided (e.g. keycloak-xxxx.sliplane.app).
Default credentials
The preset generates a random admin password. You can find it in your service's environment variables on the Sliplane dashboard:
- Username: admin (from KC_BOOTSTRAP_ADMIN_USERNAME)
- Password: check KC_BOOTSTRAP_ADMIN_PASSWORD in your service settings
Log in at https://your-domain/admin to access the admin console.
Creating your first realm
Keycloak uses realms to manage sets of users, credentials, roles, and groups. The default master realm is meant for admin purposes only. Create a new realm for your application:
- Log into the admin console
- Click the dropdown in the top-left corner (it says "master")
- Click Create realm
- Give it a name and click Create
Key environment variables
You can customize your Keycloak instance by adding environment variables in the Sliplane dashboard:
| Variable | Description |
|---|---|
| KC_BOOTSTRAP_ADMIN_USERNAME | Admin username (default: admin) |
| KC_BOOTSTRAP_ADMIN_PASSWORD | Admin password (auto-generated) |
| KC_HOSTNAME | Public hostname (auto-set to your Sliplane domain) |
| KC_PROXY_HEADERS | Proxy header mode (default: xforwarded) |
| KC_LOG_LEVEL | Log level: info, debug, warn, error |
| KC_FEATURES | Enable preview features (e.g. docker,token-exchange) |
See the Keycloak server configuration docs for the full list of options.
Logging
Keycloak logs to STDOUT by default, which works well with Sliplane's built-in log viewer. If you need more detail for debugging, set KC_LOG_LEVEL to debug. For production, info or warn is recommended.
Troubleshooting
If Keycloak takes a while to start, that's normal - it needs to initialize its embedded database on first boot. Give it a minute or two. If it stays unhealthy, check the logs in your Sliplane dashboard for errors. Common issues:
- Redirect loops: Make sure KC_HOSTNAME matches your actual domain (the preset sets this automatically)
- Can't access admin console: Verify that KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD are set correctly
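One way to confirm the hostname and proxy settings from the outside is to inspect the realm's OpenID Connect discovery document (by default at /realms/<realm>/.well-known/openid-configuration), where a mismatch typically shows up as advertised URLs that differ from the public HTTPS origin. The following is an added example, not code from Sliplane or Keycloak; the host keycloak.example.test, the realm myapp and both sample documents are constructed, and the default URL layout without a custom relative path is assumed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a discovery document whose URLs leak the internal
# http scheme, as can happen when forwarded headers are not honoured.
_BASE = "http://keycloak.example.test/realms/myapp"
SAMPLE_BROKEN = json.dumps({
    "issuer": _BASE,
    "authorization_endpoint": _BASE + "/protocol/openid-connect/auth",
    "token_endpoint": _BASE + "/protocol/openid-connect/token",
    "jwks_uri": _BASE + "/protocol/openid-connect/certs",
})
# Constructed sample: the same document as served on the public HTTPS origin.
SAMPLE_GOOD = SAMPLE_BROKEN.replace("http://", "https://")

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                 "userinfo_endpoint", "end_session_endpoint")


def check_discovery(doc_json, public_host, realm):
    """Return a list of findings; an empty list means the URLs are consistent."""
    doc = json.loads(doc_json)
    findings = []
    # Clients compare the issuer string exactly, so it must match the origin
    # users and applications actually reach.
    expected_issuer = f"https://{public_host}/realms/{realm}"
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        findings.append(f"issuer is {issuer!r}, expected {expected_issuer!r}")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            continue  # optional endpoint not advertised
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{key} uses scheme {parts.scheme!r}, not https")
        if parts.hostname != public_host.lower():
            findings.append(f"{key} points at host {parts.hostname!r}")
        if not parts.path.startswith(f"/realms/{realm}/"):
            findings.append(f"{key} path is outside /realms/{realm}/")
    return findings


if __name__ == "__main__":
    for name, doc in (("broken", SAMPLE_BROKEN), ("good", SAMPLE_GOOD)):
        print(name, check_discovery(doc, "keycloak.example.test", "myapp"))
```

To run it against a live instance, fetch the discovery document yourself and pass its body as doc_json.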
Cost comparison
You can also self-host Keycloak with other cloud providers. Here is a pricing comparison for the most common ones:
| Provider | vCPU | RAM | Disk | Monthly Cost | Note |
|---|---|---|---|---|---|
| Sliplane | 2 | 2 GB | 40 GB | €9 (~$10.65) | Flat rate, 1 TB bandwidth, SSL included |
| Fly.io | 2 | 2 GB | 40 GB | ~$18 | Disk and bandwidth billed separately |
| Render | 1 | 2 GB | 40 GB | ~$35 | 100 GB bandwidth, Disk billed separately |
| Railway | 2 | 2 GB | 40 GB | ~$67 + $20 plan | Pro plan floor, usage-based, bandwidth billed separately |
How these numbers were calculated (assuming an always-on instance running 730 hrs/month):
- Sliplane: flat €9/month for the Base server. Unlimited services on the same server, 1 TB egress and SSL included.
- Fly.io: shared-cpu-2x 2 GB = $11.83/mo + 40 GB volume × $0.15/GB = $6 -> ~$17.83/mo. Egress billed separately ($0.02/GB in EU).
- Render: closest match is Standard ($25, 1 vCPU / 2 GB) plus 40 GB disk × $0.25/GB = $10 -> ~$35/mo. Stepping up to Pro (2 vCPU / 4 GB) costs $85/mo + disk.
- Railway (Pro plan): CPU 2 × $0.00000772/s × 2,628,000 s = $40.57; RAM 2 × $0.00000386/s × 2,628,000 s = $20.29; volume 40 × $0.00000006/s × 2,628,000 s = $6.31 -> ~$67/mo compute, plus the $20/mo Pro plan floor and $0.05/GB egress.
Bandwidth costs can add up fast on usage-based providers. Use our bandwidth cost comparison tool to see what your egress would cost on each platform.
FAQ
What can I use Keycloak for?
Keycloak handles authentication and authorization for your apps. Common use cases include adding SSO across multiple applications, social login (Google, GitHub, etc.), user registration and management, two-factor authentication, and LDAP/Active Directory integration. It supports OAuth2, OpenID Connect, and SAML protocols.
How do I connect my app to Keycloak?
Create a new client in your realm's admin console. Set the client protocol (usually OpenID Connect), configure the valid redirect URIs to point to your app, and use the client ID and secret in your application's auth library. Keycloak provides adapter libraries for Java, JavaScript, Node.js, and many other frameworks.
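What an auth library does with those values during an OpenID Connect authorization code login, as an added example that is not part of the original post or of any Keycloak adapter: it builds the request to the realm's authorization endpoint with PKCE and a state value, then checks the state on the callback before using the code. The host, realm, client ID and redirect URI in the usage section are constructed, and the default /realms/<realm>/protocol/openid-connect/auth path is assumed.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def pkce_challenge(verifier):
    """S256 code challenge (RFC 7636): base64url(SHA-256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_auth_request(base_url, realm, client_id, redirect_uri,
                       verifier=None, state=None):
    """Return (url, state, verifier); keep state and verifier in the session."""
    verifier = verifier or secrets.token_urlsafe(48)  # 64 chars, within 43..128
    state = state or secrets.token_urlsafe(24)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must be listed in the client's valid redirect URIs
        "scope": "openid",
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })
    base = base_url.rstrip("/")
    return f"{base}/realms/{realm}/protocol/openid-connect/auth?{query}", state, verifier


def handle_callback(callback_url, expected_state):
    """Return the authorization code, rejecting error or mismatched responses."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the response does not belong
    # to the login attempt this session started.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]


if __name__ == "__main__":
    # Constructed values for illustration only.
    url, state, verifier = build_auth_request(
        "https://keycloak.example.test", "myapp", "my-client",
        "https://app.example.test/callback")
    print(url)
```

The verifier returned here is sent later as code_verifier when the code is exchanged at the realm's token endpoint.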
How do I update Keycloak?
Change the image tag in your service settings on the Sliplane dashboard and redeploy. Check the Keycloak downloads page for the latest stable version. Always review the release notes before upgrading, as major versions may include breaking changes.
Can I use an external database with Keycloak?
Yes. By default, the preset uses Keycloak's embedded H2 database, which is fine for small to medium setups. For production workloads with many users, you can connect an external PostgreSQL or MySQL database by setting the KC_DB, KC_DB_URL, KC_DB_USERNAME, and KC_DB_PASSWORD environment variables. You can deploy a PostgreSQL instance on Sliplane on the same server and connect them internally.
Does Keycloak support multi-factor authentication?
Yes. Keycloak has built-in support for TOTP (Time-based One-Time Password) using apps like Google Authenticator or Authy. You can enable MFA per realm or per user under Authentication > Flows in the admin console. WebAuthn (passkeys, security keys) is also supported.