Ory Kratos is a headless, API-first identity and user management system written in Go. It centralizes the authentication workflows every application needs (login, registration, account recovery, address verification, settings and profile management) into a single service, so application code never stores passwords or implements its own credential handling; applications drive these flows over HTTP APIs and render whatever UI they like.
Built for cloud-native environments such as Kubernetes and designed to integrate with the rest of the Ory stack (Ory Hydra for OAuth2/OIDC, Ory Keto for permissions and access control), Kratos can be self-hosted or consumed as a managed service via Ory Network. It stores identities and flow state in PostgreSQL, MySQL or CockroachDB (SQLite is supported for development). Enterprise features such as SCIM provisioning, SAML and multi-tenancy are offered under the Ory Enterprise License.
What You Get
- API-first Identity Workflows - Exposes login, registration, recovery, verification and settings as HTTP self-service flows; flow state lives in the database, so the Kratos processes themselves are stateless and can be scaled horizontally, and no application has to implement its own auth logic.
- Passkey & Biometric Support - Native support for WebAuthn-based passkeys and platform authenticators (Touch ID, Windows Hello, security keys) without custom code or third-party libraries.
- Multi-Factor Authentication (MFA) - Built-in TOTP, WebAuthn security keys, lookup secrets (backup codes) and one-time codes delivered by email or SMS. A session carries an authenticator assurance level (aal1 for one factor, aal2 for two), and routes can be configured to require aal2 before a session is accepted.
- Social Login & OIDC Integration - Supports OAuth2 and OpenID Connect providers (Google, GitHub, Microsoft, generic OIDC, etc.) for social sign-in and SSO; provider claims are mapped onto identity traits with a Jsonnet mapper.
- Identity Schemas & Traits - Each identity's traits are described by a JSON Schema, so user attributes can be added or changed without database migrations. Note that traits are editable by the user through the settings flow; authorization data such as roles belongs in `metadata_admin`, which only the Admin API can write.
- Admin APIs for Lifecycle Management - Programmatic control over identities, credentials and sessions via RESTful admin endpoints, which is what bulk operations and automation build on.
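The identity schema mentioned above, shown here as an added example rather than text from the project's own documentation. It follows the shape of the project's email preset: the `ory.sh/kratos` vendor extension marks the email trait as the login identifier for the password and WebAuthn methods and as the address used for recovery and verification (the `passkey.display_name` hint assumes a recent release that has the passkey method). `additionalProperties: false` is the security-relevant line: without it a user could register arbitrary extra traits, and since traits are self-editable, nothing authorization-relevant should live here at all.

```json
{
  "$id": "https://example.com/schemas/customer.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Customer",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": { "identifier": true },
              "webauthn": { "identifier": true },
              "passkey": { "display_name": true },
              "totp": { "account_name": true }
            },
            "recovery": { "via": "email" },
            "verification": { "via": "email" }
          }
        },
        "name": {
          "type": "object",
          "properties": {
            "first": { "type": "string", "maxLength": 100 },
            "last": { "type": "string", "maxLength": 100 }
          },
          "additionalProperties": false
        }
      },
      "required": ["email"],
      "additionalProperties": false
    }
  }
}
```

The `$id` is a placeholder; in the Kratos configuration the schema is referenced by its URL or a `file://` / `base64://` location under `identity.schemas`, and existing identities keep the schema ID they were created with until they are migrated.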
Common Use Cases
- Replacing Auth0 or Okta in SaaS products - A startup migrates from Auth0 to Ory Kratos to reduce costs, gain full data control, and customize login UIs without vendor lock-in.
- Building a B2B platform with SAML SSO - An enterprise software company uses Ory Enterprise License to enable SAML-based single sign-on for corporate customers with centralized user provisioning via SCIM.
- Securing AI agent access - A developer uses Ory Kratos to authenticate AI agents that make API calls, treating them as non-human identities with their own schema and scoped credentials, with authorization decisions delegated to Ory Keto.
- Scaling user authentication to very large user bases - A global platform (Ory cites customers such as Fandom and OpenAI) uses Kratos to absorb heavy concurrent login and registration traffic, relying on stateless Kratos processes in front of a shared database that holds all flow and session state.
Under The Hood
Architecture
- Modular command-line structure built on Cobra, with each subcommand (`serve`, `migrate`, `import`, `identities`, ...) in its own package to keep concerns separated
- Driver pattern with dependency injection via a central registry (the `driver` package), so storage, courier (email/SMS delivery), hashing and identity management implementations are pluggable without coupling them to the core logic
- Service layers for identity, sessions and self-service flows organized by business capability with well-defined interfaces
- Jsonnet is used as a templating language for data mapping, not for identity schemas: OIDC provider claims are mapped onto identity traits, and webhook request bodies are rendered, by Jsonnet snippets that run in a sandboxed, process-isolated VM from the shared `jsonnetsecure` package
- The binary's entry point simply delegates to the command executor, which keeps CLI bootstrapping testable and maintainable
Tech Stack
- Go as the foundational language, with the identity and authentication framework implemented in-house rather than wrapped around a third-party auth library
- SQL storage configured by DSN (PostgreSQL, MySQL, CockroachDB, and SQLite for development), with connection pooling and schema migrations applied by `kratos migrate sql`
- An OpenAPI (Swagger) specification generated from annotations in the Go source serves as the API contract for both the public and the admin API
- Docker Compose for streamlined local development environments with integrated databases and UIs
- Goreleaser for automated cross-platform builds using minimal base images
- OpenAPI Generator produces the client SDKs (Go, TypeScript/JavaScript and other languages) from the published OpenAPI specification
Code Quality
- Extensive test coverage spanning unit, integration, and end-to-end layers with parallel execution and structured assertions
- Configuration is validated against a JSON Schema at startup, and runtime behaviour is driven from that validated configuration rather than from ad-hoc flags
- Consistent, domain-driven naming that reflects business capabilities rather than technical artifacts
- Robust error handling with standardized, user-friendly error types that surface configuration and validation issues clearly
- Comprehensive E2E testing with reusable configuration builders that reduce boilerplate and improve test reliability
- Strict adherence to Go idioms, including co-located tests, package boundaries, and pre-runtime configuration validation
What Makes It Unique
- Native Jsonnet integration for template-driven data mapping, so OIDC claims and webhook payloads are shaped by configuration instead of hard-coded attribute lists
- Jsonnet snippets are evaluated in process-isolated, pooled VMs, so a malicious or runaway template cannot reach the Kratos process's memory or consume unbounded resources
- Command-line tooling designed for granular operational control in containerized and cloud-native environments
- Unified driver registry enables seamless plug-and-play extensibility across storage, email, and auth providers
- Built-in identity import (via `kratos import identities` and the Admin API) accepts existing password hashes, so migrating users from another system does not require a password reset; identities can likewise be listed and exported through the CLI and Admin API
- The HTTP API models every self-service flow as a state machine: a flow is created with an ID and expiry, each submission is a transition against that ID, a rejected submission returns the same flow with error messages attached, and an expired flow must be recreated. Browser and native clients drive the same machine, so UX stays consistent without duplicating logic
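How a native client drives that state machine for the password method, as an added example; it is not code from the Kratos repository or SDK, only a minimal stdlib client written against the documented flow endpoints (`GET /self-service/login/api` to create a flow, `POST /self-service/login?flow=<id>` to submit). Because it must run offline, it talks to a constructed in-memory stand-in for those two endpoints; the flow IDs, session token, credentials and the assumption that the stand-in's very first flow is already expired are all made up for the demonstration. Message ID 4000006 is the Kratos UI message for invalid credentials.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// loginFlow holds the parts of a Kratos login flow a native client needs:
// the ID every transition references, and the messages Kratos attaches to
// the UI when a submission is rejected.
type loginFlow struct {
	ID string `json:"id"`
	UI struct {
		Messages []struct {
			ID   int    `json:"id"`
			Text string `json:"text"`
		} `json:"messages"`
	} `json:"ui"`
}

var errFlowExpired = errors.New("login flow expired")

// createLoginFlow opens a fresh flow; the server, not the client, owns its state.
func createLoginFlow(c *http.Client, publicURL string) (*loginFlow, error) {
	resp, err := c.Get(publicURL + "/self-service/login/api")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("create login flow: status %d", resp.StatusCode)
	}
	var f loginFlow
	return &f, json.NewDecoder(resp.Body).Decode(&f)
}

// submitPassword performs one transition. 200 carries a session token, 400
// returns the same flow with ui.messages so the client re-renders and retries
// against the same ID, and 410 means the flow expired and must be recreated.
func submitPassword(c *http.Client, publicURL string, f *loginFlow, identifier, password string) (token string, rejected *loginFlow, err error) {
	body, _ := json.Marshal(map[string]string{"method": "password", "identifier": identifier, "password": password})
	req, err := http.NewRequest(http.MethodPost, publicURL+"/self-service/login?flow="+f.ID, bytes.NewReader(body))
	if err != nil {
		return "", nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Accept", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return "", nil, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		var r struct {
			SessionToken string `json:"session_token"`
		}
		return r.SessionToken, nil, json.NewDecoder(resp.Body).Decode(&r)
	case http.StatusBadRequest:
		var updated loginFlow
		return "", &updated, json.NewDecoder(resp.Body).Decode(&updated)
	case http.StatusGone:
		return "", nil, errFlowExpired
	default:
		return "", nil, fmt.Errorf("submit login flow: status %d", resp.StatusCode)
	}
}

// login drives the machine end to end: create, submit, recreate once on
// expiry, and surface Kratos's messages when the credentials are rejected.
func login(c *http.Client, publicURL, identifier, password string) (string, error) {
	for attempt := 0; attempt < 2; attempt++ {
		f, err := createLoginFlow(c, publicURL)
		if err != nil {
			return "", err
		}
		token, rejected, err := submitPassword(c, publicURL, f, identifier, password)
		if errors.Is(err, errFlowExpired) {
			continue
		}
		if err != nil {
			return "", err
		}
		if rejected != nil {
			msg := ""
			for _, m := range rejected.UI.Messages {
				msg += fmt.Sprintf(" [%d] %s", m.ID, m.Text)
			}
			return "", fmt.Errorf("login rejected on flow %s:%s", rejected.ID, msg)
		}
		return token, nil
	}
	return "", errFlowExpired
}

// newMockKratos is a constructed stand-in for the two endpoints so the example
// runs offline. Flow IDs, token and credentials are made up; the first flow it
// issues is treated as already expired to exercise the 410 path.
func newMockKratos() *httptest.Server {
	var counter int64
	mux := http.NewServeMux()
	mux.HandleFunc("/self-service/login/api", func(w http.ResponseWriter, r *http.Request) {
		n := atomic.AddInt64(&counter, 1)
		json.NewEncoder(w).Encode(map[string]any{"id": fmt.Sprintf("flow-%d", n), "type": "api", "state": "choose_method"})
	})
	mux.HandleFunc("/self-service/login", func(w http.ResponseWriter, r *http.Request) {
		id := r.URL.Query().Get("flow")
		if id == "flow-1" {
			w.WriteHeader(http.StatusGone)
			return
		}
		var in map[string]string
		json.NewDecoder(r.Body).Decode(&in)
		if in["identifier"] == "alice@example.com" && in["password"] == "correct horse battery staple" {
			json.NewEncoder(w).Encode(map[string]any{"session_token": "ory_st_mock_token"})
			return
		}
		w.WriteHeader(http.StatusBadRequest)
		json.NewEncoder(w).Encode(map[string]any{"id": id, "ui": map[string]any{"messages": []map[string]any{
			{"id": 4000006, "type": "error", "text": "The provided credentials are invalid, check for spelling mistakes in your password or username, email address, or phone number."},
		}}})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newMockKratos()
	defer srv.Close()
	tok, err := login(srv.Client(), srv.URL, "alice@example.com", "correct horse battery staple")
	fmt.Println("good password:", tok, err)
	_, err = login(srv.Client(), srv.URL, "alice@example.com", "wrong")
	fmt.Println("bad password:", err)
}
```

Against a real deployment replace the mock URL with the public API base URL; browser clients use `/self-service/login/browser` instead and submit with the `csrf_token` node Kratos includes in the flow's UI, which the native flow does not need.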