Authentik Drops Redis, Migrates Entire Stack to PostgreSQL – What It Means for Identity Providers
Share this article
A Quiet Revolution in Identity Management
When Authentik announced that the 2025.10 release would no longer require Redis, the announcement was brief but packed with implications. The open‑source Identity Provider had long relied on Redis for session storage, locks, caching, and inter‑process communication—an architecture that mirrored the industry’s preference for in‑memory speed.
“Redis has for a long while been the obvious choice for frequently accessed data for performance reasons.” – Authentik blog
The decision to pivot to PostgreSQL was not born out of a single incident but rather a confluence of technical, operational, and market factors. Cloud providers are re‑examining Redis after the 2024 licensing shift, and the cost of large in‑memory datasets has become prohibitive for many. Moreover, the complexity of maintaining high‑availability Redis clusters—especially across polyglot stacks—proved a maintenance drag for a product that prides itself on simplicity.
Why Redis? Why Not Now?
Redis’s sub‑millisecond latency made it the natural choice for Authentik’s authentication flows: a user logging in triggers multiple back‑end queries, and the system must quickly cache tokens, session states, and lock flags. However, the 2024 licensing change and the emergence of Valkey (an open‑source fork) fractured the ecosystem. Even after Redis reverted to an open‑source license, the trust erosion and the high cost of large‑scale deployments left many in the community looking for alternatives.
From an operational standpoint, Redis required:
- Custom HA configurations per environment
- Separate client libraries for Go and Python
- Sharding logic for distributed workloads
All of which added layers of complexity that Authentik’s mission—“simplify for self‑hosted users”—directly contradicted.
The Migration Blueprint
The migration was a staged, four‑release effort:
| Release | Milestone |
|---|---|
| 2024.6 | Switched to PostgreSQL advisory locks, eliminating Redis locks |
| 2025.4 | Moved session storage from cache to database |
| 2025.8 | Revamped worker and background tasks for better observability |
| 2025.10 | Migrated caching, embedded outpost, and WebSocket IPC to PostgreSQL, fully removing Redis |
This incremental approach mirrors best practices in database migration: start with non‑critical components, validate performance, then tackle core stateful services.
Performance Trade‑offs
Gains
- Session handling: By joining rows and reducing round‑trips, Authentik now performs 2–3 fewer queries per request, speeding up login flows.
- Observability: Background tasks now emit metrics directly from PostgreSQL, giving operators richer insight without an external queue.
- Simplified lock management: PostgreSQL advisory locks are application‑level and avoid the overhead of a separate Redis cluster.
Losses
- RAC provider latency: Remote Access Control sees a slight performance hit due to disk‑based reads.
- WebSocket throughput: Without Redis Pub/Sub, the system experiences higher disk I/O, which could affect real‑time features.
Despite these, the overall impact is modest. The trade‑off favors reduced operational complexity and lower costs.
Security & Compliance
All data remains in PostgreSQL, with media files still stored on the filesystem. Authentik now requires TLS 1.3 (or the Extended Master Secret extension) for PostgreSQL connections, tightening the security posture for self‑hosted deployments.
Community Reaction & Future Outlook
The Authentik team emphasizes that the move was community‑driven: “The authentik community is the most valuable part of authentik, we believe, so with every move we make we think of what's best for our community and users.”
Developers who have struggled with Redis HA setups or who run Authentik in constrained environments will likely welcome the change. Meanwhile, those who rely heavily on WebSocket‑intensive workloads may need to evaluate performance impacts.
“Let us know your thoughts.” – Authentik blog
Bottom Line
By consolidating its data stack into PostgreSQL, Authentik aligns itself with a broader industry trend toward open‑source, single‑database architectures. The decision reduces operational friction, lowers costs, and preserves the core identity‑management functionality that developers rely on.
Source: https://goauthentik.io/blog/2025-11-13-we-removed-redis/