---
title: "Deploy Keycloak Self-Hosted (Docker)"
description: "Step-by-step guide to self-hosting Keycloak with Docker Compose. "
---

# Deploy Keycloak

Open source identity and access management for modern applications and services.

<div className="deploy-hero">
  <span className="deploy-hero-item">⭐ 23.0k stars</span>
  <span className="deploy-hero-item">📜 Apache 2.0</span>
  <span className="deploy-hero-item">🔴 Advanced</span>
  <span className="deploy-hero-item">⏱ ~20 minutes</span>
  
</div>

<div className="mt-8 mb-4">
  <a 
    href="https://m.do.co/c/2ed27757a361" 
    target="_blank" 
    rel="noopener noreferrer"
    className="flex items-center justify-center w-full px-6 py-4 text-lg font-bold text-white transition-all bg-blue-600 rounded-xl hover:bg-blue-700 hover:scale-[1.02] shadow-lg shadow-blue-500/30"
  >
    🚀 Deploy on DigitalOcean ($200 Free Credit)
  </a>
</div>


## What You'll Get

A fully working Keycloak instance running on your server. Your data stays on your hardware — no third-party access, no usage limits, no surprise invoices.

## Prerequisites

- A server with Docker and Docker Compose installed ([setup guide](/quick-start/choosing-a-server))
- A domain name pointed to your server (optional but recommended)
- Basic terminal access (SSH)

## The Config

Create a directory for Keycloak and add this `docker-compose.yml`:

```yaml
# -------------------------------------------------------------------------
# 🚀 Created and distributed by The AltStack
# 🌍 https://thealtstack.com
# -------------------------------------------------------------------------

version: '3.8'

services:
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    container_name: keycloak
    restart: unless-stopped
    command: start-dev
    depends_on:
      - db
    ports:
      - "8080:8080"
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - KC_DB=postgres
      - KC_DB_URL=jdbc:postgresql://db:5432/keycloak
      - KC_DB_USERNAME=keycloak
      - KC_DB_PASSWORD=keycloak

  db:
    image: postgres:15-alpine
    container_name: keycloak-db
    restart: unless-stopped
    environment:
      - POSTGRES_DB=keycloak
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=keycloak
    volumes:
      - keycloak_db_data:/var/lib/postgresql/data

volumes:
  keycloak_db_data:
```

## Let's Ship It

```bash
# Create a directory
mkdir -p /opt/keycloak && cd /opt/keycloak

# Create the docker-compose.yml (paste the config above)
nano docker-compose.yml

# Pull images and start
docker compose up -d

# Watch the logs
docker compose logs -f
```

## Environment Variables

| Variable | Default | Required |
|---|---|---|
| `KEYCLOAK_ADMIN` | `admin` | No |
| `KEYCLOAK_ADMIN_PASSWORD` | `admin` | No |
| `KC_DB` | `postgres` | No |
| `KC_DB_URL` | `jdbc:postgresql://db:5432/keycloak` | No |
| `KC_DB_USERNAME` | `keycloak` | No |
| `KC_DB_PASSWORD` | `keycloak` | No |
| `POSTGRES_DB` | `keycloak` | No |
| `POSTGRES_USER` | `keycloak` | No |
| `POSTGRES_PASSWORD` | `keycloak` | No |


## Post-Deployment Checklist

- [ ] Service is accessible on the configured port
- [ ] Admin account created (if applicable)
- [ ] Reverse proxy configured ([Caddy guide](/concepts/reverse-proxies))
- [ ] SSL/HTTPS working
- [ ] Backup script set up ([backup guide](/concepts/backups))
- [ ] Uptime monitor added ([Uptime Kuma](/deploy/uptime-kuma))

## The "I Broke It" Section

**Container won't start?**
```bash
docker compose logs keycloak | tail -50
```

**Port already in use?**
```bash
# Find what's using the port
lsof -i :PORT_NUMBER
```

**Need to start fresh?**
```bash
docker compose down -v  # ⚠️ This deletes volumes/data!
docker compose up -d
```

## Going Further

- [Keycloak on AltStack Directory](https://thealtstack.com/alternative-to/keycloak)
- [Keycloak Self-Hosted Guide](https://thealtstack.com/self-hosted/keycloak)
- [Official Documentation](https://www.keycloak.org)
- [GitHub Repository](https://github.com/keycloak/keycloak)