Almost every DiGA team faces the same question early on: "We know Keycloak / Auth0 – can't we just use that?" A valid consideration, as both are mature Identity & Access Management systems. The honest answer is: For the login of a standard web application, yes – for a regulated digital health application with GesundheitsID and BSI TR-03161 requirements, you will hit clearly identifiable limits.

This article categorizes what Keycloak and Auth0 do well, where they reach their limits in the healthcare context, and when a specialized Health IAM is the better choice.