docker-tinyauth: Run TinyAuth Rootless, Distroless, and Truly Tiny
This repository profile is provided by osrepos.com, an open source repository discovery platform.
Summary
docker-tinyauth provides a highly secure and optimized Docker image for TinyAuth, a simple authentication middleware. It enables running TinyAuth rootless, distroless, and truly tiny, enhancing security and efficiency for your containerized applications. This image offers features like automatic updates, health checks, and CVE scanning, making it a robust choice for authentication needs.
Repository Information
Topics
Click on any tag to explore related repositories
Use at your own risk
OSRepos shares public repositories for knowledge and discovery only. Any installation, execution, configuration, or use of code from these repositories is the user's own responsibility. Always review the repository, source code, dependencies, licenses, and security implications before running or installing anything. OSRepos is not responsible for issues, damages, or losses resulting from third-party repositories.
Introduction
docker-tinyauth provides a highly optimized and secure Docker image for TinyAuth, a simple yet powerful authentication middleware. TinyAuth is designed to add a login screen or integrate OAuth with providers like Google and GitHub to your Docker applications. It seamlessly supports popular proxies such as Traefik, Nginx, and Caddy, making it a versatile solution for securing access to your services. This repository focuses on delivering TinyAuth in a rootless, distroless, and truly tiny container, prioritizing security and efficiency.
Installation
To get started with docker-tinyauth, you can pull the image from various registries. It's recommended to use a specific version tag for stability, for example, 4.0.0.
docker pull 11notes/tinyauth:4.0.0
# Or from other registries:
docker pull ghcr.io/11notes/tinyauth:4.0.0
docker pull quay.io/11notes/tinyauth:4.0.0
For a basic setup using Docker Compose, you can define the tinyauth service as follows. Remember to replace placeholder values like ${FQDN_TINYAUTH}, ${SECRET}, and the default USERS password with your own secure configurations.
services:
tinyauth:
image: "11notes/tinyauth:4.0.0"
read_only: true
environment:
APP_URL: "https://${FQDN_TINYAUTH}"
# secret must be a 32 Byte long string (32 characters)
SECRET: ${SECRET}
# admin / admin, please do not use in production!
USERS: "admin:$2y$12$zzekhr74SUez9vo8TK2Be.mJ4EMX44k7whOogQo4F/2i84a6Rl6U6"
labels:
- "traefik.enable=true"
- "traefik.http.routers.tinyauth.rule=Host(`${FQDN_TINYAUTH}`)"
- "traefik.http.routers.tinyauth.entrypoints=https"
- "traefik.http.routers.tinyauth.tls=true"
- "traefik.http.routers.tinyauth.service=tinyauth"
- "traefik.http.services.tinyauth.loadbalancer.server.port=3000"
- "traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik"
networks:
- backend
For more details on changing the default UID/GID, consult the how-to.changeUIDGID section of the RTFM.
Examples
The provided docker-compose.yml in the repository demonstrates a comprehensive setup integrating tinyauth with Traefik, socket-proxy, and a whoami service to showcase its functionality. The tinyauth service is configured with Traefik labels to enable forward authentication, securing access to other services like whoami.
services:
tinyauth:
image: "11notes/tinyauth:4.0.0"
read_only: true
environment:
APP_URL: "https://${FQDN_TINYAUTH}"
SECRET: ${SECRET}
USERS: "admin:$2y$12$zzekhr74SUez9vo8TK2Be.mJ4EMX44k7whOogQo4F/2i84a6Rl6U6"
labels:
- "traefik.enable=true"
- "traefik.http.routers.tinyauth.rule=Host(`${FQDN_TINYAUTH}`)"
- "traefik.http.routers.tinyauth.entrypoints=https"
- "traefik.http.routers.tinyauth.tls=true"
- "traefik.http.routers.tinyauth.service=tinyauth"
- "traefik.http.services.tinyauth.loadbalancer.server.port=3000"
- "traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik"
networks:
backend:
whoami:
image: "traefik/whoami:latest"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`${FQDN_WHOAMI}`)"
- "traefik.http.routers.whoami.entrypoints=https"
- "traefik.http.routers.whoami.tls=true"
- "traefik.http.routers.whoami.middlewares=tinyauth" # This line applies tinyauth middleware
- "traefik.http.routers.whoami.service=whoami"
- "traefik.http.services.whoami.loadbalancer.server.port=80"
networks:
backend:
In this example, the whoami service is protected by the tinyauth middleware, meaning users must authenticate via TinyAuth before accessing whoami.
Why use docker-tinyauth?
This Docker image stands out due to its extreme focus on security, simplicity, and optimization. Here are the key reasons to choose 11notes/tinyauth:
- Rootless Execution: Runs as user
1000:1000, significantly reducing potential attack surfaces. - Distroless: The image has no shell and is built on a minimal
scratchbase with only essential components, further enhancing security by removing unnecessary binaries. - Truly Tiny: At just 12MB, it's remarkably small, leading to faster downloads and reduced resource consumption compared to other images (e.g.,
steveiliop56/tinyauthat 35MB). - Automated Updates: Continuously updated to the latest version via CI/CD, ensuring you always have the most recent features and security patches.
- Health Checks: Includes a built-in health check for reliable service monitoring.
- Read-Only Operation: Designed to run in read-only mode for enhanced security.
- CVE Scanning: Automatically scanned for Common Vulnerabilities and Exposures (CVEs) both before and after publishing.
- Secure CI/CD: Created via a secure and pinned CI/CD process, guaranteeing integrity from build to deployment.
If you prioritize robust security, minimal footprint, and streamlined operations for your authentication middleware, docker-tinyauth is an excellent choice.
Links
- GitHub Repository: https://github.com/11notes/docker-tinyauth
- Docker Hub: https://hub.docker.com/r/11notes/tinyauth/tags?name=4.0.0
- GitHub Container Registry (GHCR):
ghcr.io/11notes/tinyauth:4.0.0 - Quay.io:
quay.io/11notes/tinyauth:4.0.0 - Original TinyAuth Project: https://github.com/steveiliop56/tinyauth
- Parent Image (distroless): https://github.com/11notes/docker-distroless
Related repositories
Similar repositories that may be relevant next.

Soketi: A Fast, Pusher-Compatible WebSockets Server for Real-Time Apps
May 15, 2026
Soketi is a next-generation, open-source WebSockets server designed for real-time applications. It offers Pusher compatibility, making it easy to integrate into existing projects. Built for speed and resilience, Soketi provides a cost-effective and scalable solution for handling thousands of active connections.
Cruise: Intuitive TUI for Container Management with Go and Bubbletea
May 14, 2026
Cruise is a powerful, intuitive, and fully-featured TUI (Terminal User Interface) for managing containers, built with Go and Bubbletea. It offers a visually rich, keyboard-first experience for managing containers, images, volumes, networks, logs, and more, all from your terminal. This tool simplifies repetitive tasks and enhances your development workflow by providing a centralized, interactive management service.

immich-drop: A Zero-Login Web App for Collecting Photos to Immich
May 10, 2026
immich-drop is a lightweight web application designed to simplify collecting photos and videos from various sources directly into your Immich server. It provides a secure, zero-login interface for guests to upload media via invite links, ensuring privacy and efficient organization. This tool is ideal for anyone looking to gather media from friends, family, or events without requiring them to have an Immich account.
reubah: A Web-Based Universal File Converter and Image Processor
March 4, 2026
reubah is an intuitive web-based tool designed for efficient image processing and document conversion. It offers a simple interface to handle a wide array of file formats, providing features like dark mode and batch processing. This versatile application ensures isolated processing and immediate delivery without storing user files.
Source repository
Open the original repository on GitHub.