At a Glance:
Ory Kratos is an API-first open-source identity and user management system that centralizes login, registration, MFA, and profile management for cloud native applications, deployable as a self-hosted service or consumed through the managed Ory Network.
Overview:
Ory Kratos is an identity and user management system built for cloud native applications. It provides core identity workflows—including self-service login, registration, account recovery, and profile management—exposed over HTTP APIs so that services consume them instead of reimplementing identity logic. Kratos works with any UI framework through browser-based and native app flows, supports multi-factor authentication, and defines user identities through configurable schemas. It fits into modern cloud environments such as Kubernetes and can operate independently or integrate with the wider Ory stack for OAuth2, OpenID Connect, and access control. The project targets developers and teams who need a centralized identity layer that scales to large numbers of identities and removes identity logic from application code.
Key Decision Points:
Deployment flexibility: Ory Kratos can run as a managed service on the Ory Network or be self-hosted on your own infrastructure, with an Enterprise License available for additional features and support.
API-first architecture: All identity operations are accessed through HTTP APIs, allowing integration with any UI framework and keeping identity logic out of your application code.
Stack integration: Kratos can integrate with Ory Hydra for OAuth2 and OpenID Connect capabilities, forming a drop-in replacement for identity providers that use OAuth2/OIDC-based login.
Enterprise feature boundaries: Certain capabilities such as SCIM, SAML, organization login, and CAPTCHAs are only available under the Ory Enterprise License, not the open-source distribution.
Core Features:
Self-service login and registration: Browser-based and native app flows for user authentication and account creation.
Account verification and recovery: Built-in flows for verifying user identities and recovering access to accounts.
Multi-factor authentication: Support for MFA as part of the core authentication workflows.
Profile and account management: APIs for users to manage their own profiles and account settings.
Admin APIs: Programmatic interfaces for lifecycle management of identities and credentials.
Identity schemas: Configurable identity models using traits and JSON schemas to define user data structures.
Use Cases:
Developers building cloud native applications who want to offload identity logic to a centralized API service.
Teams migrating from Auth0, Okta, or similar OAuth2/OIDC identity providers who need an open-source alternative that works with existing protocols.
Self-hosters who need to run identity infrastructure under their own control on Kubernetes, Docker, or directly on Linux, macOS, or Windows.
Open-Source Alternative Value:
Ory Kratos provides an open-source core for identity management that can be self-hosted for full control over infrastructure and deployment. The source is available to inspect, extend, and build from, and the API-first design means identity workflows stay separated from application code. When combined with Ory Hydra, it can serve as a replacement for the OAuth2 and OpenID Connect capabilities of commercial identity providers. The open-source distribution is suitable for experimentation, prototyping, and non-business-critical workloads, while a commercial license is required for enterprise features and production support with SLAs.




