ory / kratos

Headless cloud-native authentication and identity management written in Go. Scales to a billion+ users. Replace Homegrown, Auth0, Okta, Firebase with better UX and DX. Passkeys, Social Sign In, OIDC, Magic Link, Multi-Factor Auth, SMS, SAML, TOTP, and more. Runs everywhere, runs best on Ory Network.

13,512 stars
1,117 forks
219 issues
Go · TypeScript · Shell

AI Architecture Analysis

This repository is indexed by RepoMind. By analyzing ory/kratos in our AI interface, you can instantly generate complete architecture diagrams, visualize control flows, and perform automated security audits across the entire codebase.

Our Agentic Context Augmented Generation (Agentic CAG) engine loads full source files into context on-demand, avoiding the fragmentation of traditional RAG systems. Ask questions about the architecture, dependencies, or specific features to see it in action.

Repository Summary (README)

Ory Kratos - Cloud native identity and user management

Ory Kratos is an API first identity and user management system for cloud native applications. It centralizes login, registration, recovery, verification, and profile management flows so your services consume them instead of reimplementing them.

What is Ory Kratos?

Ory Kratos is an API first identity and user management system that follows cloud architecture best practices. It focuses on core identity workflows that almost every application needs:

  • Self service login and registration
  • Account verification and recovery
  • Multi factor authentication
  • Profile and account management
  • Identity schemas and traits
  • Admin APIs for lifecycle management

We recommend starting with the Ory Kratos introduction docs to learn more about its architecture, feature set, and how it compares to other systems.

Why Ory Kratos

Ory Kratos is designed to:

  • Remove identity logic from your application code and expose it over HTTP APIs
  • Work well with any UI framework through browser based and native app flows
  • Scale to large numbers of identities and devices
  • Integrate with the rest of the Ory stack for OAuth2, OpenID Connect, and access control
  • Fit into modern cloud native environments such as Kubernetes and managed platforms

Migrating from Auth0, Okta, and similar providers

If you are migrating from Auth0, Okta, or another identity provider that uses OAuth2 / OpenID Connect based login, consider using Ory Hydra + Ory Kratos together:

  • Ory Hydra acts as the OAuth2 and OpenID Connect provider and can replace most authorization server and token issuing capabilities of your existing IdP.
  • Ory Kratos provides identity, credentials, and user-facing flows (login, registration, recovery, verification, profile management).

This combination is often a drop-in replacement for OAuth2 and OpenID Connect capabilities at the protocol level. In practice, you update client configuration and endpoints to point to Hydra, migrate identities into Kratos, and keep your applications speaking the same OAuth2 / OIDC protocols they already use.

Deployment options

You can run Ory Kratos in two main ways:

  • As a managed service on the Ory Network
  • As a self hosted service under your own control, with or without the Ory Enterprise License

Use Ory Kratos on the Ory Network

The Ory Network is the fastest way to use Ory services in production. Ory Identities is powered by the open source Ory Kratos server and is API compatible.

The Ory Network provides:

  • Identity and credential management that scales to billions of users and devices
  • Registration, login, and account management flows for passkeys, biometrics, social login, SSO, and multi factor authentication
  • Prebuilt login, registration, and account management pages and components
  • OAuth2 and OpenID Connect for single sign on, API access, and machine to machine authorization
  • Low latency permission checks based on the Zanzibar model with the Ory Permission Language
  • GDPR friendly storage with data locality and compliance in mind
  • Web based Ory Console and Ory CLI for administration and operations
  • Cloud native APIs compatible with the open source servers
  • Fair, usage based pricing

Sign up for a free developer account to get started.

Self-host Ory Kratos

You can run Ory Kratos yourself for full control over infrastructure, deployment, and customization.

The install guide explains how to:

  • Install Kratos on Linux, macOS, Windows, and Docker
  • Configure databases such as PostgreSQL, MySQL, and CockroachDB
  • Deploy to Kubernetes and other orchestration systems
  • Build Kratos from source

This guide uses the open source distribution to get you started without license requirements. It is a great fit for individuals, researchers, hackers, and companies that want to experiment, prototype, or run unimportant workloads without SLAs. You get the full core engine, and you are free to inspect, extend, and build it from source.

If you run Kratos as part of a business-critical system, for example login and account recovery for all your users, you should use a commercial agreement to reduce operational and security risk. The Ory Enterprise License (OEL) layers on top of self-hosted Kratos and provides:

  • Additional enterprise features that are not available in the open source version such as SCIM, SAML, organization login ("SSO"), CAPTCHAs and more
  • Regular security releases, including CVE patches, with service level agreements
  • Support for advanced scaling, multi-tenancy, and complex deployments
  • Premium support options with SLAs, direct access to engineers, and onboarding help
  • Access to a private Docker registry with frequent and vetted, up-to-date enterprise builds

For guaranteed CVE fixes, current enterprise builds, advanced features, and support in production, you need a valid Ory Enterprise License and access to the Ory Enterprise Docker registry. To learn more, contact the Ory team.

Quickstart

Install the Ory CLI and create a new project to try Ory Identities.

# Install the Ory CLI if you do not have it yet:
bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/

# Sign in or sign up
ory auth

# Create a new project
ory create project --create-workspace "Ory Open Source" --name "GitHub Quickstart" --use-project
ory open ax login

Who is using it?

The Ory community stands on the shoulders of individuals, companies, and maintainers. The Ory team thanks everyone involved, from submitting bug reports and feature requests to contributing patches and documentation. The Ory community counts more than 50.000 members and is growing. The Ory stack protects 7.000.000.000+ API requests every day across thousands of companies. None of this would have been possible without each and every one of you!

The following list represents companies that have accompanied us along the way and that have made outstanding contributions to our ecosystem. If you think that your company deserves a spot here, reach out to office@ory.com now!

| Name | Website | Case Study |
| --- | --- | --- |
| OpenAI | openai.com | OpenAI Case Study |
| Fandom | fandom.com | Fandom Case Study |
| Lumin | luminpdf.com | Lumin Case Study |
| Sencrop | sencrop.com | Sencrop Case Study |
| OSINT Industries | osint.industries | OSINT Industries Case Study |
| HGV | hgv.it | HGV Case Study |
| Maxroll | maxroll.gg | Maxroll Case Study |
| Zezam | zezam.io | Zezam Case Study |
| T.RowePrice | troweprice.com | |
| Mistral | mistral.ai | |
| Axel Springer | axelspringer.com | |
| Hemnet | hemnet.se | |
| Cisco | cisco.com | |
| Presidencia de la República Dominicana | presidencia.gob.do | |
| Moonpig | moonpig.com | |
| Booster | choosebooster.com | |
| Zaptec | zaptec.com | |
| Klarna | klarna.com | |
| Raspberry PI Foundation | raspberrypi.org | |
| Tulip | tulip.com | |
| Hootsuite | hootsuite.com | |
| Segment | segment.com | |
| Arduino | arduino.cc | |
| Sainsbury's | sainsburys.co.uk | |
| Contraste | contraste.com | |
| inMusic | inmusicbrands.com | |
| Buhta | buhta.com | |
| Amplitude | amplitude.com | |

TIER IV, Kyma Project, Serlo, Padis
Cloudbear, Security Onion Solutions, Factly, All My Funds
Nortal, OrderMyGear, R2Devops, Paralus
dyrector.io, pinniped.dev, pvotal.tech

Many thanks to all individual contributors