03 / Scorecard / Auth & Identity

authentik

Name: authentik Agent Readiness Scorecard
Item: authentik
Rating: 68
Author: Headless Index pipeline (auto)

Headless Index

68/100

JAIRF

75.5/100

AI-Ready

Verified

MAY 21, 2026

Methodology v1 · JAIRF v1.0.0

Editorial verdict

authentik is solidly built for programmatic consumption. The Headless Index thesis-fit score of 68/100 lands it in the upper-middle of the index, and JAIRF v1.0.0 puts it at 75.5/100 (Level 3, AI-Ready). In practice, vendors at this tier ship most of the primitives agents need, with one or two surfaces still leaning on documentation rather than discovery, and the rest of this verdict explains where authentik lands inside that pattern. On the API surface, the question is whether the API is the product or a layer beneath the dashboard. authentik auto-generates an OpenAPI schema published at goauthentik.io/schema.yaml. The Python and Go SDKs are spec-generated. Open-source IdP with OIDC, SAML, LDAP, RADIUS, and an extensible flow-stage architecture that is itself code-defined.^[1] Schema observability is the related test: can an agent introspect the contract from cold, or does it have to read prose documentation to do so? Public OpenAPI URL at goauthentik.io/schema.yaml gives agents the complete schema by direct fetch. This is reference-class schema discoverability for open-source identity.^[2] An agent can drive this product across most practical workflows, with a handful of edges where documentation reading still beats schema discovery. On headless operability: Every Console action is reachable through the auto-generated API. Blueprints YAML provides declarative config-as-code for entire authentik deployments. Terraform provider is community-maintained and reasonably complete. Common Keycloak alternative for self-hosters who want a more modern stack.^[3] On the MCP and agent-integration axis, which is the fastest-moving criterion in the index: No first-party authentik MCP server has been published. The team focuses on identity primitives rather than agent integration; the comprehensive API surface makes downstream wrappers tractable.^[4] Event posture closes the loop: an agent that cannot react to state changes is reduced to polling. Events and notifications framework supports webhook transports with HMAC verification. Coverage is strong for identity events including login, logout, application access, and policy decisions. Payload depth is comprehensive. Net assessment: authentik can be operated by agents for the majority of practical workflows. The closest thing to a gap is MCP posture^[5], which integrators should sanity-check against their own use case before committing. Strong fit for agent-driven use cases.

Verdict by Headless Index pipeline (auto)

// AI-drafted from the evidence layer. Editorial review pending.

Scores

Scorecard detail

Headless Index · 5 sub-criteria

API-first design intent16/20

scored

authentik auto-generates an OpenAPI schema published at goauthentik.io/schema.yaml. The Python and Go SDKs are spec-generated. Open-source IdP with OIDC, SAML, LDAP, RADIUS, and an extensible flow-stage architecture that is itself code-defined.

signals (6)

+AI review appliedReviewer: Editorial review on 2026-05-20
+OpenAPI specPublished, 1139 operations
−GraphQL endpointNot discovered (5 probes; project-scoped endpoints require a real project ID)
+SDKs maintained4 (go, python, rust, typescript); top by stars: goauthentik/client-go (21 stars)
+SDK recency4 of 4 SDK repos pushed within 30 days (most recent SDK commit: 2026-05-13)
·npm weekly downloads7.4k across published packages; top: @goauthentik/api @ 7.4k/week

cite (2)

github.sdks@2026-05-20
openapi.discovered@2026-05-20

Headless operation18/20

scored

Every Console action is reachable through the auto-generated API. Blueprints YAML provides declarative config-as-code for entire authentik deployments. Terraform provider is community-maintained and reasonably complete. Common Keycloak alternative for self-hosters who want a more modern stack.

signals (9)

+AI review appliedReviewer: Editorial review on 2026-05-20
+API operations exposed1139 operations in OpenAPI spec
·Docs pages crawled0 pages (crawler: none)
·Auth schemes documentedAuth documentation page not reached by crawler
·Setup / quickstart docsNot reached by crawler
·Billing docsNot reached by crawler
·Teams / org docsNot reached by crawler
·CLI docsNot reached by crawler
·Schema / data model docsNot reached by crawler

cite (2)

github.sdks@2026-05-20
ai_review_browser.sdks@2026-05-20

MCP & agent posture4/20

scored

No first-party authentik MCP server has been published. The team focuses on identity primitives rather than agent integration; the comprehensive API surface makes downstream wrappers tractable.

signals (4)

+AI review appliedReviewer: Editorial review on 2026-05-20
−Official MCP serverNone found in vendor's GitHub org or the official MCP registry
−Community MCP serversNone found
+Agent-friendly SDKs1 TS/JS SDKs available; top: @goauthentik/api (7.4k/week downloads)

cite (1)

mcp.found@2026-05-20

Schema observability18/20

scored

Public OpenAPI URL at goauthentik.io/schema.yaml gives agents the complete schema by direct fetch. This is reference-class schema discoverability for open-source identity.

signals (3)

+AI review appliedReviewer: Editorial review on 2026-05-20
+OpenAPIPublished at https://goauthentik.io/schema.yaml (OpenAPI 3.0.3, 1139 operations)
−GraphQL introspectionNo GraphQL endpoint discovered (5 probes; some vendors use project-scoped endpoints that require a real project handle)

cite (2)

openapi.url@2026-05-20
ai_review_browser.schema@2026-05-20

Webhooks & events12/20

scored

Events and notifications framework supports webhook transports with HMAC verification. Coverage is strong for identity events including login, logout, application access, and policy decisions. Payload depth is comprehensive.

signals (2)

+AI review appliedReviewer: Editorial review on 2026-05-20
·Webhook docs pageNot reached by crawler within budget (0 pages crawled). Cannot confirm whether vendor offers webhooks.

cite (1)

ai_review_browser.webhooks@2026-05-20

JAIRF · 6 dimensions

FCFoundational Compliance

100/100

Structural validity, standards conformance, and parsability of the OpenAPI specification.

DXJDeveloper Experience & Tooling Compatibility

35.2/100

Documentation clarity, example coverage, response completeness, and ingestion health.

ARAXAI-Readiness & Agent Experience

69.1/100

Semantic clarity, intent expression, datatype specificity, and error standardization.

AUAgent Usability

90/100

Operational composability, complexity comfort, navigation affordances, and safety patterns.

SECSecurity

79.6/100

Authentication strength, transport security, secret hygiene, and OWASP risk posture.

AIDAI Discoverability

65/100

Descriptive richness, intent phrasing, workflow context, and registry signals.

Band rationale:B band: JAIRF=75.5 HeadlessIndex=68

04 / Embed

Show authentik's score on your site.

Drop a live badge into your README, footer, or marketing page. It updates automatically when we re-score, and every embed is a dofollow link back here.

Get embed code

Calibration

How THI compares to external scorers

Source	Score	Measures	Last checked
Fern Agent Score	not found	Documentation completeness and SDK shape (~22 checks)	—
CLIRank Agent Friendliness	not found	CLI readiness, docs quality, and overall agent affordances	—
Cloudflare Is It Agent Ready?	blocked	Cloudflare's manual agent-readiness heuristic per vendor URL	—
Jentic Scorecard	—	JAIRF-based scorecard requiring a public OpenAPI specification	—

THI 68 vs external median 0

No external scores available to calibrate against.

Peers in Auth & Identity

KeycloakB

Headless Index 66/100

FronteggB

Headless Index 70/100

Amazon CognitoB

Headless Index 66/100

See full Auth & Identity ranking →