ory/kratos: Headless cloud-native authentication and identity management written in Go. Scales to a billion+ users. Replace Homegrown, Auth0, Okta, Firebase with better UX and DX. Passkeys, Social Sign In, OIDC, Magic Link, Multi-Factor Auth, SMS, SAML, TOTP, and more. Runs everywhere, runs best on Ory Network.

Ory Kratos is an API first identity and user management system for cloud native applications. It centralizes login, registration, recovery, verification, and profile management flows so your services consume them instead of reimplementing them.

Ory Kratos is an API first identity and user management system that follows cloud architecture best practices. It focuses on core identity workflows that almost every application needs:

  • Self service login and registration
  • Account verification and recovery
  • Multi factor authentication
  • Profile and account management
  • Identity schemas and traits
  • Admin APIs for lifecycle management

We recommend starting with the Ory Kratos introduction docs to learn more about its architecture, feature set, and how it compares to other systems.

Ory Kratos is designed to:

  • Remove identity logic from your application code and expose it over HTTP APIs
  • Work well with any UI framework through browser based and native app flows
  • Scale to large numbers of identities and devices
  • Integrate with the rest of the Ory stack for OAuth2, OpenID Connect, and access control
  • Fit into modern cloud native environments such as Kubernetes and managed platforms

Migrating from Auth0, Okta, and similar providers

If you are migrating from Auth0, Okta, or another identity provider that uses OAuth2 / OpenID Connect based login, consider using Ory Hydra + Ory Kratos together:

  • Ory Hydra acts as the OAuth2 and OpenID Connect provider and can replace most authorization server and token issuing capabilities of your existing IdP.
  • Ory Kratos provides identity, credentials, and user-facing flows (login, registration, recovery, verification, profile management).

This combination is often a drop-in replacement for OAuth2 and OpenID Connect capabilities at the protocol level. In practice, you update client configuration and endpoints to point to Hydra, migrate identities into Kratos, and keep your applications speaking the same OAuth2 / OIDC protocols they already use.

You can run Ory Kratos in two main ways:

  • As a managed service on the Ory Network
  • As a self hosted service under your own control, with or without the Ory Enterprise License

Use Ory Kratos on the Ory Network

The Ory Network is the fastest way to use Ory services in production. Ory Identities is powered by the open source Ory Kratos server and is API compatible.

The Ory Network provides:

  • Identity and credential management that scales to billions of users and devices
  • Registration, login, and account management flows for passkeys, biometrics, social login, SSO, and multi factor authentication
  • Prebuilt login, registration, and account management pages and components
  • OAuth2 and OpenID Connect for single sign on, API access, and machine to machine authorization
  • Low latency permission checks based on the Zanzibar model with the Ory Permission Language
  • GDPR friendly storage with data locality and compliance in mind
  • Web based Ory Console and Ory CLI for administration and operations
  • Cloud native APIs compatible with the open source servers
  • Fair, usage based pricing

Sign up for a free developer account to get started.

You can run Ory Kratos yourself for full control over infrastructure, deployment, and customization.

The install guide explains how to:

  • Install Kratos on Linux, macOS, Windows, and Docker
  • Configure databases such as PostgreSQL, MySQL, and CockroachDB
  • Deploy to Kubernetes and other orchestration systems
  • Build Kratos from source

This guide uses the open source distribution to get you started without license requirements. It is a great fit for individuals, researchers, hackers, and companies that want to experiment, prototype, or run unimportant workloads without SLAs. You get the full core engine, and you are free to inspect, extend, and build it from source.

If you run Kratos as part of a business-critical system, for example login and account recovery for all your users, you should use a commercial agreement to reduce operational and security risk. The Ory Enterprise License (OEL) layers on top of self-hosted Kratos and provides:

  • Additional enterprise features that are not available in the open source version such as SCIM, SAML, organization login (“SSO”), CAPTCHAs and more
  • Regular security releases, including CVE patches, with service level agreements
  • Support for advanced scaling, multi-tenancy, and complex deployments
  • Premium support options with SLAs, direct access to engineers, and onboarding help
  • Access to a private Docker registry with frequent and vetted, up-to-date enterprise builds

For guaranteed CVE fixes, current enterprise builds, advanced features, and support in production, you need a valid Ory Enterprise License and access to the Ory Enterprise Docker registry. To learn more, contact the Ory team.

Install the Ory CLI and create a new project to try Ory Identities.

# Install the Ory CLI if you do not have it yet:
bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/

# Sign in or sign up
ory auth

# Create a new project
ory create project --create-workspace "Ory Open Source" --name "GitHub Quickstart" --use-project
ory open ax login

The Ory community stands on the shoulders of individuals, companies, and
maintainers. The Ory team thanks everyone involved, from submitting bug reports
and feature requests to contributing patches and documentation. The Ory
community counts more than 50.000 members and is growing. The Ory stack protects
7.000.000.000+ API requests every day across thousands of companies. None of
this would have been possible without each and every one of you!

The following list represents companies that have accompanied us along the way
and that have made outstanding contributions to our ecosystem. If you think
that your company deserves a spot here, reach out to
office@ory.sh now!

Many thanks to all individual contributors

🕒 Posted on 1763045537
