ory/kratos: Headless cloud-native authentication and identity management written in Go. Scales to a billion+ users. Replace Homegrown, Auth0, Okta, Firebase with better UX and DX. Passkeys, Social Sign In, OIDC, Magic Link, Multi-Factor Auth, SMS, SAML, TOTP, and more. Runs everywhere, runs best on Ory Network.

Ory Kratos is an API first identity and user management system for cloud native applications. It centralizes login, registration, recovery, verification, and profile management flows so that your services consume them instead of reimplementing them.

Ory Kratos is an API first identity and user management system that follows cloud architecture best practices. It focuses on the core identity workflows that almost every application needs:

  • Self Service Login and Registration
  • Account Verification and Recovery
  • Multi factor authentication
  • Profile and Account Management
  • Identity schemas and traits
  • Admin API for lifecycle management

We recommend starting with the Ory Kratos introduction docs to learn more about its architecture, feature set, and how it compares to other systems.

Ory Kratos is designed to:

  • Remove identity logic from your application code and expose it over HTTP APIs
  • Work well with any UI framework through browser based and native app flows
  • Scale to large numbers of identities and devices
  • Integrate with the rest of the Ory stack for OAuth2, OpenID Connect, and access control
  • Fit into modern cloud native environments like Kubernetes and managed platforms

Migrating from Auth0, Okta and similar providers

If you are migrating from Auth0, Okta, or another identity provider that uses OAuth2/OpenID Connect based login, consider using Ory Hydra + Ory Kratos together:

  • Ory Hydra acts as an OAuth2 and OpenID Connect provider and can replace most of your existing IdP's authorization server and token issuance capabilities.
  • Ory Kratos provides identity, credentials, and user-facing flows (login, registration, recovery, verification, profile management).

This combination is often a drop-in replacement for OAuth2 and OpenID Connect capabilities at the protocol level. In practice, you update the client configuration and endpoints to point to Hydra, migrate identities to Kratos, and keep your applications speaking the same OAuth2/OIDC protocols they already use.

You can run Ory Kratos in two main ways:

  • As a managed service on the Ory Network
  • As a self-hosted service under your own control, with or without an Ory Enterprise License

Use Ory Kratos on the Ory Network

Ory Network is the fastest way to use Ory services in production. Ory Identities is powered by the open source Ory Kratos server and is API compatible.

Ory Network provides:

  • Identity and credential management that scales to billions of users and devices
  • Registration, login and account management flows for passkeys, biometrics, social login, SSO and multi factor authentication
  • Prebuilt login, registration and account management pages and components
  • OAuth2 and OpenID Connect for single sign on, API access, and machine-to-machine authorization
  • Low latency permission checks based on the Zanzibar model with the Ory Permission Language
  • GDPR friendly storage with data locality and compliance in mind
  • Web-based Ory Console and Ory CLI for administration and operations
  • Cloud native APIs compatible with the open source servers
  • Fair, usage-based pricing

Sign up for a free developer account to get started.

You can run Ory Kratos yourself for full control over infrastructure, deployment, and customization.

The install guide explains how to:

  • Install Kratos on Linux, macOS, Windows, and Docker
  • Configure databases like PostgreSQL, MySQL and CockroachDB
  • Deploy to Kubernetes and other orchestration systems
  • Build Kratos from source

This guide uses the open source distribution to get you started without license requirements. It is well suited to individuals, researchers, hackers and companies who want to run experiments, prototypes or non-critical workloads without SLAs. You get the full core engine, and you are free to inspect, extend, and build it from source.

If you run Kratos as part of a business-critical system, for example login and account recovery for all your users, you should use a commercial agreement to reduce operational and security risks. The Ory Enterprise License (OEL) layers on top of self-hosted Kratos and provides:

  • Additional enterprise features that are not available in the open source version such as SCIM, SAML, Organization Login (“SSO”), CAPTCHA, and more
  • Regular security releases including CVE patches with service level agreements
  • Support for advanced scaling, multi-tenancy, and complex deployments
  • Premium support option with SLA, direct access to engineers and onboarding assistance
  • Access to a private Docker registry with persistent and tested, up-to-date enterprise builds

For guaranteed CVE fixes, current enterprise builds, advanced features, and support in production, you need a valid Ory Enterprise License and access to the Ory Enterprise Docker registry. To learn more, contact the Ory team.

Install the Ory CLI and create a new project to try out Ory Identities.

# Install the Ory CLI if you do not have it yet:
bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/

# Sign in or sign up
ory auth

# Create a new project
ory create project --create-workspace "Ory Open Source" --name "GitHub Quickstart"  --use-project
ory open ax login

The Ory community stands on the shoulders of individuals, companies and maintainers. The Ory team thanks everyone involved, from submitting bug reports and feature requests to contributing patches and documentation. The Ory community has over 50,000 members and is growing. The Ory stack protects 7.000.000.000+ API requests every day across thousands of companies. None of this would have been possible without all of you!

The following list represents companies that have been with us and have made outstanding contributions to our ecosystem. If you think your company deserves a spot here, get in touch now at office@ory.sh.

Many thanks to all individual contributors
