Convert Figma logo to code with AI

ory logokratos

Headless cloud-native authentication and identity management written in Go. Scales to a billion+ users. Replace Homegrown, Auth0, Okta, Firebase with better UX and DX. Passkeys, Social Sign In, OIDC, Magic Link, Multi-Factor Auth, SMS, SAML, TOTP, and more. Runs everywhere, runs best on Ory Network.

13,544
1,124
13,544
215
View on GitHubView on NPM

Top Related Projects

supertokens's avatar

supertokens-core

14,984

Open source alternative to Auth0 / Firebase Auth / AWS Cognito

keycloak's avatar

keycloak

34,105

Open Source Identity and Access Management For Modern Applications and Services

logto-io's avatar

logto

11,743

🧑‍🚀 Authentication and authorization infrastructure for SaaS and AI apps, built on OIDC and OAuth 2.1 with multi-tenancy, SSO, and RBAC.

zitadel's avatar

zitadel

13,338

ZITADEL - Identity infrastructure, simplified for you.

authelia's avatar

authelia

26,759

The Single Sign-On Multi-Factor portal for web apps, now OpenID Certified™

casdoor's avatar

casdoor

13,213

An open-source AI-first Identity and Access Management (IAM) /AI MCP gateway and auth server with web UI supporting MCP, A2A, OAuth 2.1, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

Quick Overview

Ory Kratos is an open-source identity and user management system designed for cloud-native applications. It provides secure login, registration, and account recovery functionalities, supporting various authentication methods and integrating seamlessly with modern application architectures.

Pros

  • Highly secure and privacy-compliant, adhering to GDPR and other regulations
  • Flexible and customizable, supporting multiple authentication methods and workflows
  • Cloud-native design, easily scalable and deployable in containerized environments
  • Language-agnostic with RESTful APIs, allowing integration with various tech stacks

Cons

  • Steeper learning curve compared to some simpler authentication solutions
  • Requires additional setup and configuration for advanced features
  • Documentation can be overwhelming for beginners
  • Limited built-in UI components, requiring more frontend development effort

Code Examples

  1. Initializing Kratos client:
import "github.com/ory/kratos-client-go"

configuration := kratos.NewConfiguration()
configuration.Servers = kratos.ServerConfigurations{
    {URL: "http://127.0.0.1:4433"},
}
client := kratos.NewAPIClient(configuration)
  1. Retrieving the current user's session:
import "context"

session, response, err := client.V0alpha2Api.ToSession(context.Background()).Execute()
if err != nil {
    // Handle error
}
// Use session data
  1. Initiating a login flow:
flow, response, err := client.V0alpha2Api.InitializeSelfServiceLoginViaAPIFlow(context.Background()).Execute()
if err != nil {
    // Handle error
}
// Use flow.Id for subsequent login requests

Getting Started

  1. Install Kratos:

    docker pull oryd/kratos:v0.11.1

  2. Create a basic configuration file kratos.yml:

    dsn: memory
serve:
  public:
    base_url: http://127.0.0.1:4433/
  admin:
    base_url: http://127.0.0.1:4434/

  3. Run Kratos:

    docker run -it -p 4433:4433 -p 4434:4434 \
  -v $PWD/kratos.yml:/etc/config/kratos/kratos.yml \
  oryd/kratos:v0.11.1 serve

  4. Integrate Kratos client in your application using the code examples provided above.

Competitor Comparisons

supertokens logo

supertokens-core

14,984

Open source alternative to Auth0 / Firebase Auth / AWS Cognito

Pros of SuperTokens

  • Offers a more comprehensive out-of-the-box solution for authentication, including pre-built UI components
  • Provides better documentation and easier setup process for developers
  • Supports multiple programming languages and frameworks natively

Cons of SuperTokens

  • Less flexible and customizable compared to Kratos' modular approach
  • Smaller community and ecosystem, potentially leading to fewer third-party integrations
  • May have a steeper learning curve for developers who prefer more control over the authentication flow

Code Comparison

SuperTokens (Node.js example):

import supertokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";

supertokens.init({
    appInfo: {
        apiDomain: "https://api.example.com",
        appName: "MyApp",
        websiteDomain: "https://example.com"
    },
    recipeList: [Session.init()]
});

Kratos (Go example):

import "github.com/ory/kratos/x"

func main() {
    reg := driver.NewDefaultRegistry()
    c := reg.Config()
    c.MustSet(config.ViperKeyDSN, "memory")
    kratos := driver.New(c, reg)
}

Both examples demonstrate basic initialization, but SuperTokens provides a more opinionated setup, while Kratos offers more flexibility in configuration.

keycloak logo

keycloak

34,105

Open Source Identity and Access Management For Modern Applications and Services

Pros of Keycloak

  • More mature and feature-rich, with a larger ecosystem and community support
  • Offers a comprehensive admin UI for easier management and configuration
  • Provides out-of-the-box support for various authentication protocols (e.g., SAML, OpenID Connect)

Cons of Keycloak

  • Heavier resource footprint, requiring more system resources to run
  • Steeper learning curve due to its extensive feature set and complexity
  • Less flexible for custom integrations compared to Kratos' modular approach

Code Comparison

Keycloak (Java):

@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    KeycloakSecurityContext context = (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
    AccessToken token = context.getToken();
    // Use token for authentication and authorization
}

Kratos (Go):

func (h *Handler) ProtectedEndpoint(w http.ResponseWriter, r *http.Request) {
    session, err := h.r.Session().ToSession(r.Context(), w, r)
    if err != nil {
        h.r.Writer().WriteError(w, r, err)
        return
    }
    // Use session for authentication and authorization
}
logto-io logo

logto

11,743

🧑‍🚀 Authentication and authorization infrastructure for SaaS and AI apps, built on OIDC and OAuth 2.1 with multi-tenancy, SSO, and RBAC.

Pros of Logto

  • More user-friendly interface with a built-in admin console
  • Offers out-of-the-box social sign-in integrations
  • Provides a more comprehensive solution with additional features like user management and audit logs

Cons of Logto

  • Less mature project with a smaller community compared to Kratos
  • May have fewer customization options for advanced use cases
  • Limited language support for SDKs (primarily JavaScript/TypeScript)

Code Comparison

Logto (JavaScript SDK usage):

import { LogtoClient } from '@logto/browser';

const logto = new LogtoClient({
  endpoint: 'https://your-logto-endpoint',
  appId: 'your-application-id',
});

await logto.signIn('http://localhost:3000/callback');

Kratos (Go SDK usage):

import "github.com/ory/kratos-client-go"

configuration := kratos.NewConfiguration()
configuration.Servers = []kratos.ServerConfiguration{
    {URL: "http://127.0.0.1:4433"},
}
client := kratos.NewAPIClient(configuration)

_, _, err := client.V0alpha2Api.InitializeSelfServiceLoginViaAPIFlow(context.Background()).Execute()

Both projects aim to provide authentication and identity management solutions, but they differ in their approach and target audience. Logto focuses on simplicity and ease of use, while Kratos offers more flexibility and customization options for complex scenarios.

zitadel logo

zitadel

13,338

ZITADEL - Identity infrastructure, simplified for you.

Pros of Zitadel

  • Offers a more comprehensive identity management solution, including user management, authentication, and authorization
  • Provides built-in multi-tenancy support out of the box
  • Includes a user-friendly web interface for easier management and configuration

Cons of Zitadel

  • Less flexible and customizable compared to Kratos' modular approach
  • Steeper learning curve due to its more extensive feature set
  • May be overkill for simpler authentication requirements

Code Comparison

Kratos configuration example:

selfservice:
  strategies:
    password:
      enabled: true
    oidc:
      enabled: true
      providers:
        - id: google
          provider: google
          client_id: ...
          client_secret: ...

Zitadel configuration example:

AuthNKey:
  key: ...
  algorithm: RS256
Database:
  cockroach:
    host: ...
    user: ...
    password: ...
OIDC:
  Issuer: https://example.com

Both projects offer robust identity and access management solutions, but they cater to different use cases. Kratos focuses on providing a flexible, API-first approach to authentication, while Zitadel offers a more comprehensive suite of identity management features. The choice between the two depends on the specific requirements of your project and the level of customization needed.

authelia logo

authelia

26,759

The Single Sign-On Multi-Factor portal for web apps, now OpenID Certified™

Pros of Authelia

  • Comprehensive all-in-one solution with built-in 2FA, SSO, and access control
  • Supports multiple authentication backends (LDAP, file-based)
  • Easy to set up and configure with Docker

Cons of Authelia

  • Less flexible for custom identity workflows compared to Kratos
  • Limited support for external identity providers
  • Smaller community and ecosystem compared to Ory projects

Code Comparison

Authelia configuration (YAML):

authentication_backend:
  file:
    path: /config/users_database.yml
access_control:
  default_policy: deny
  rules:
    - domain: secure.example.com
      policy: two_factor

Kratos configuration (YAML):

selfservice:
  strategies:
    password:
      enabled: true
    oidc:
      enabled: true
      providers:
        - id: google
          provider: google

Both projects use YAML for configuration, but Kratos offers more granular control over identity workflows and strategies. Authelia's configuration is more focused on access control and authentication methods, while Kratos provides a more flexible identity management system.

casdoor logo

casdoor

13,213

An open-source AI-first Identity and Access Management (IAM) /AI MCP gateway and auth server with web UI supporting MCP, A2A, OAuth 2.1, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

Pros of Casdoor

  • More comprehensive out-of-the-box features, including user management, role-based access control, and multi-tenancy
  • Easier to set up and configure, with a user-friendly web interface for management
  • Better support for multiple authentication protocols (OAuth 2.0, SAML, LDAP)

Cons of Casdoor

  • Less focus on API-first design, which may limit flexibility for complex integrations
  • Smaller community and ecosystem compared to Kratos
  • Less emphasis on cloud-native architecture and scalability

Code Comparison

Kratos (Go):

import "github.com/ory/kratos/driver"

d := driver.New()
r := d.Registry()

Casdoor (Go):

import "github.com/casdoor/casdoor/object"

object.InitConfig("conf/app.conf")

Both projects use Go, but Kratos follows a more modular approach with its driver and registry pattern, while Casdoor uses a simpler configuration initialization. This reflects Kratos' focus on flexibility and Casdoor's emphasis on ease of use.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Ory Kratos - Cloud native identity and user management

Chat · Discussions · Newsletter · Docs · Try Ory Network · Jobs

Ory Kratos is an API first identity and user management system for cloud native applications. It centralizes login, registration, recovery, verification, and profile management flows so your services consume them instead of reimplementing them.

Table of contents

What is Ory Kratos?

Ory Kratos is an API first identity and user management system that follows cloud architecture best practices. It focuses on core identity workflows that almost every application needs:

  • Self service login and registration
  • Account verification and recovery
  • Multi factor authentication
  • Profile and account management
  • Identity schemas and traits
  • Admin APIs for lifecycle management

We recommend starting with the Ory Kratos introduction docs to learn more about its architecture, feature set, and how it compares to other systems.

Why Ory Kratos

Ory Kratos is designed to:

  • Remove identity logic from your application code and expose it over HTTP APIs
  • Work well with any UI framework through browser based and native app flows
  • Scale to large numbers of identities and devices
  • Integrate with the rest of the Ory stack for OAuth2, OpenID Connect, and access control
  • Fit into modern cloud native environments such as Kubernetes and managed platforms

Migrating from Auth0, Okta, and similar providers

If you are migrating from Auth0, Okta, or another identity provider that uses OAuth2 / OpenID Connect based login, consider using Ory Hydra + Ory Kratos together:

  • Ory Hydra acts as the OAuth2 and OpenID Connect provider and can replace most authorization server and token issuing capabilities of your existing IdP.
  • Ory Kratos provides identity, credentials, and user-facing flows (login, registration, recovery, verification, profile management).

This combination is often a drop-in replacement for OAuth2 and OpenID Connect capabilities at the protocol level. In practice, you update client configuration and endpoints to point to Hydra, migrate identities into Kratos, and keep your applications speaking the same OAuth2 / OIDC protocols they already use.

Deployment options

You can run Ory Kratos in two main ways:

  • As a managed service on the Ory Network
  • As a self hosted service under your own control, with or without the Ory Enterprise License

Use Ory Kratos on the Ory Network

The Ory Network is the fastest way to use Ory services in production. Ory Identities is powered by the open source Ory Kratos server and is API compatible.

The Ory Network provides:

  • Identity and credential management that scales to billions of users and devices
  • Registration, login, and account management flows for passkeys, biometrics, social login, SSO, and multi factor authentication
  • Prebuilt login, registration, and account management pages and components
  • OAuth2 and OpenID Connect for single sign on, API access, and machine to machine authorization
  • Low latency permission checks based on the Zanzibar model with the Ory Permission Language
  • GDPR friendly storage with data locality and compliance in mind
  • Web based Ory Console and Ory CLI for administration and operations
  • Cloud native APIs compatible with the open source servers
  • Fair, usage based pricing

Sign up for a free developer account to get started.

Self-host Ory Kratos

You can run Ory Kratos yourself for full control over infrastructure, deployment, and customization.

The install guide explains how to:

  • Install Kratos on Linux, macOS, Windows, and Docker
  • Configure databases such as PostgreSQL, MySQL, and CockroachDB
  • Deploy to Kubernetes and other orchestration systems
  • Build Kratos from source

This guide uses the open source distribution to get you started without license requirements. It is a great fit for individuals, researchers, hackers, and companies that want to experiment, prototype, or run unimportant workloads without SLAs. You get the full core engine, and you are free to inspect, extend, and build it from source.

If you run Kratos as part of a business-critical system, for example login and account recovery for all your users, you should use a commercial agreement to reduce operational and security risk. The Ory Enterprise License (OEL) layers on top of self-hosted Kratos and provides:

  • Additional enterprise features that are not available in the open source version such as SCIM, SAML, organization login ("SSO"), CAPTCHAs and more
  • Regular security releases, including CVE patches, with service level agreements
  • Support for advanced scaling, multi-tenancy, and complex deployments
  • Premium support options with SLAs, direct access to engineers, and onboarding help
  • Access to a private Docker registry with frequent and vetted, up-to-date enterprise builds

For guaranteed CVE fixes, current enterprise builds, advanced features, and support in production, you need a valid Ory Enterprise License and access to the Ory Enterprise Docker registry. To learn more, contact the Ory team.

Quickstart

Install the Ory CLI and create a new project to try Ory Identities.

# Install the Ory CLI if you do not have it yet:
bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/

# Sign in or sign up
ory auth

# Create a new project
ory create project --create-workspace "Ory Open Source" --name "GitHub Quickstart"  --use-project
ory open ax login

Who is using it?

The Ory community stands on the shoulders of individuals, companies, and maintainers. The Ory team thanks everyone involved - from submitting bug reports and feature requests, to contributing patches and documentation. The Ory community counts more than 50.000 members and is growing. The Ory stack protects 7.000.000.000+ API requests every day across thousands of companies. None of this would have been possible without each and everyone of you!

The following list represents companies that have accompanied us along the way and that have made outstanding contributions to our ecosystem. If you think that your company deserves a spot here, reach out to office@ory.com now!

Name Logo Website Case Study
OpenAI OpenAI openai.com OpenAI Case Study
Fandom Fandom fandom.com Fandom Case Study
Lumin Lumin luminpdf.com Lumin Case Study
Sencrop Sencrop sencrop.com Sencrop Case Study
OSINT Industries OSINT Industries osint.industries OSINT Industries Case Study
HGV HGV hgv.it HGV Case Study
Maxroll Maxroll maxroll.gg Maxroll Case Study
Zezam Zezam zezam.io Zezam Case Study
T.RowePrice T.RowePrice troweprice.com
Mistral Mistral mistral.ai
Axel Springer Axel Springer axelspringer.com
Hemnet Hemnet hemnet.se
Cisco Cisco cisco.com
Presidencia de la República Dominicana Presidencia de la República Dominicana presidencia.gob.do
Moonpig Moonpig moonpig.com
Booster Booster choosebooster.com
Zaptec Zaptec zaptec.com
Klarna Klarna klarna.com
Raspberry PI Foundation Raspberry PI Foundation raspberrypi.org
Tulip Tulip Retail tulip.com
Hootsuite Hootsuite hootsuite.com
Segment Segment segment.com
Arduino Arduino arduino.cc
Sainsbury's Sainsbury's sainsburys.co.uk
Contraste Contraste contraste.com
inMusic InMusic inmusicbrands.com
Buhta Buhta buhta.com
Amplitude amplitude.com amplitude.com
TIER IV Kyma Project Serlo Padis
Cloudbear Security Onion Solutions Factly All My Funds
Nortal OrderMyGear R2Devops Paralus
dyrector.io pinniped.dev pvotal.tech

Many thanks to all individual contributors

NPM DownloadsLast 30 Days