docker-tinyauth: Run TinyAuth Rootless, Distroless, and Truly Tiny

This repository profile is provided by osrepos.com, an open source repository discovery platform.

docker-tinyauth: Run TinyAuth Rootless, Distroless, and Truly Tiny

Summary

docker-tinyauth provides a highly secure and optimized Docker image for TinyAuth, a simple authentication middleware. It enables running TinyAuth rootless, distroless, and truly tiny, enhancing security and efficiency for your containerized applications. This image offers features like automatic updates, health checks, and CVE scanning, making it a robust choice for authentication needs.

Repository Information

Analyzed by OSRepos on October 12, 2025

Topics

Click on any tag to explore related repositories

Use at your own risk

OSRepos shares public repositories for knowledge and discovery only. Any installation, execution, configuration, or use of code from these repositories is the user's own responsibility. Always review the repository, source code, dependencies, licenses, and security implications before running or installing anything. OSRepos is not responsible for issues, damages, or losses resulting from third-party repositories.

Introduction

docker-tinyauth provides a highly optimized and secure Docker image for TinyAuth, a simple yet powerful authentication middleware. TinyAuth is designed to add a login screen or integrate OAuth with providers like Google and GitHub to your Docker applications. It seamlessly supports popular proxies such as Traefik, Nginx, and Caddy, making it a versatile solution for securing access to your services. This repository focuses on delivering TinyAuth in a rootless, distroless, and truly tiny container, prioritizing security and efficiency.

Installation

To get started with docker-tinyauth, you can pull the image from various registries. It's recommended to use a specific version tag for stability, for example, 4.0.0.

docker pull 11notes/tinyauth:4.0.0
# Or from other registries:
docker pull ghcr.io/11notes/tinyauth:4.0.0
docker pull quay.io/11notes/tinyauth:4.0.0

For a basic setup using Docker Compose, you can define the tinyauth service as follows. Remember to replace placeholder values like ${FQDN_TINYAUTH}, ${SECRET}, and the default USERS password with your own secure configurations.

services:
  tinyauth:
    image: "11notes/tinyauth:4.0.0"
    read_only: true
    environment:
      APP_URL: "https://${FQDN_TINYAUTH}"
      # secret must be a 32 Byte long string (32 characters)
      SECRET: ${SECRET}
      # admin / admin, please do not use in production!
      USERS: "admin:$2y$12$zzekhr74SUez9vo8TK2Be.mJ4EMX44k7whOogQo4F/2i84a6Rl6U6"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.tinyauth.rule=Host(`${FQDN_TINYAUTH}`)"
      - "traefik.http.routers.tinyauth.entrypoints=https"
      - "traefik.http.routers.tinyauth.tls=true"
      - "traefik.http.routers.tinyauth.service=tinyauth"
      - "traefik.http.services.tinyauth.loadbalancer.server.port=3000"
      - "traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik"
    networks:
      - backend

For more details on changing the default UID/GID, consult the how-to.changeUIDGID section of the RTFM.

Examples

The provided docker-compose.yml in the repository demonstrates a comprehensive setup integrating tinyauth with Traefik, socket-proxy, and a whoami service to showcase its functionality. The tinyauth service is configured with Traefik labels to enable forward authentication, securing access to other services like whoami.

services:
  tinyauth:
    image: "11notes/tinyauth:4.0.0"
    read_only: true
    environment:
      APP_URL: "https://${FQDN_TINYAUTH}"
      SECRET: ${SECRET}
      USERS: "admin:$2y$12$zzekhr74SUez9vo8TK2Be.mJ4EMX44k7whOogQo4F/2i84a6Rl6U6"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.tinyauth.rule=Host(`${FQDN_TINYAUTH}`)"
      - "traefik.http.routers.tinyauth.entrypoints=https"
      - "traefik.http.routers.tinyauth.tls=true"
      - "traefik.http.routers.tinyauth.service=tinyauth"
      - "traefik.http.services.tinyauth.loadbalancer.server.port=3000"
      - "traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik"
    networks:
      backend:

  whoami:
    image: "traefik/whoami:latest"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`${FQDN_WHOAMI}`)"
      - "traefik.http.routers.whoami.entrypoints=https"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.middlewares=tinyauth" # This line applies tinyauth middleware
      - "traefik.http.routers.whoami.service=whoami"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
    networks:
      backend:

In this example, the whoami service is protected by the tinyauth middleware, meaning users must authenticate via TinyAuth before accessing whoami.

Why use docker-tinyauth?

This Docker image stands out due to its extreme focus on security, simplicity, and optimization. Here are the key reasons to choose 11notes/tinyauth:

  • Rootless Execution: Runs as user 1000:1000, significantly reducing potential attack surfaces.
  • Distroless: The image has no shell and is built on a minimal scratch base with only essential components, further enhancing security by removing unnecessary binaries.
  • Truly Tiny: At just 12MB, it's remarkably small, leading to faster downloads and reduced resource consumption compared to other images (e.g., steveiliop56/tinyauth at 35MB).
  • Automated Updates: Continuously updated to the latest version via CI/CD, ensuring you always have the most recent features and security patches.
  • Health Checks: Includes a built-in health check for reliable service monitoring.
  • Read-Only Operation: Designed to run in read-only mode for enhanced security.
  • CVE Scanning: Automatically scanned for Common Vulnerabilities and Exposures (CVEs) both before and after publishing.
  • Secure CI/CD: Created via a secure and pinned CI/CD process, guaranteeing integrity from build to deployment.

If you prioritize robust security, minimal footprint, and streamlined operations for your authentication middleware, docker-tinyauth is an excellent choice.

Links

Related repositories

Similar repositories that may be relevant next.

Soketi: A Fast, Pusher-Compatible WebSockets Server for Real-Time Apps

Soketi: A Fast, Pusher-Compatible WebSockets Server for Real-Time Apps

May 15, 2026

Soketi is a next-generation, open-source WebSockets server designed for real-time applications. It offers Pusher compatibility, making it easy to integrate into existing projects. Built for speed and resilience, Soketi provides a cost-effective and scalable solution for handling thousands of active connections.

TypeScriptWebSocketsPusher
Cruise: Intuitive TUI for Container Management with Go and Bubbletea

Cruise: Intuitive TUI for Container Management with Go and Bubbletea

May 14, 2026

Cruise is a powerful, intuitive, and fully-featured TUI (Terminal User Interface) for managing containers, built with Go and Bubbletea. It offers a visually rich, keyboard-first experience for managing containers, images, volumes, networks, logs, and more, all from your terminal. This tool simplifies repetitive tasks and enhances your development workflow by providing a centralized, interactive management service.

GoTUIContainer Management
immich-drop: A Zero-Login Web App for Collecting Photos to Immich

immich-drop: A Zero-Login Web App for Collecting Photos to Immich

May 10, 2026

immich-drop is a lightweight web application designed to simplify collecting photos and videos from various sources directly into your Immich server. It provides a secure, zero-login interface for guests to upload media via invite links, ensuring privacy and efficient organization. This tool is ideal for anyone looking to gather media from friends, family, or events without requiring them to have an Immich account.

ImmichPhoto ManagementSelf-hosted
reubah: A Web-Based Universal File Converter and Image Processor

reubah: A Web-Based Universal File Converter and Image Processor

March 4, 2026

reubah is an intuitive web-based tool designed for efficient image processing and document conversion. It offers a simple interface to handle a wide array of file formats, providing features like dark mode and batch processing. This versatile application ensures isolated processing and immediate delivery without storing user files.

HTMLWeb ToolImage Processing

Source repository

Open the original repository on GitHub.

View on GitHub
OS
OSRepos

Analysis and discovery of open source repositories. Find interesting projects and follow their updates.

Monitor your website with YourWebsiteScore

OSRepos shares public repositories for knowledge and discovery only. Any installation, execution, configuration, or use of third-party repository code is at your own risk. Always review source code, dependencies, licenses, and security implications before running anything.

© 2025 OSRepos. Built with Nuxt 3 and lots of ❤️