Ory Kratos
API-first identity and user management that handles login, registration, MFA, and recovery so your application never has to.
Ory Kratos is a headless, cloud-native identity server written in Go that takes full ownership of user authentication and account lifecycle. Instead of embedding auth logic into your application, you expose Kratos over HTTP and let it drive login, registration, account recovery, email verification, multi-factor authentication, and profile management as self-contained, configurable flows.
Every identity in Kratos is defined by a JSON Schema, meaning user traits—email, username, phone number, or any custom attributes your product requires—are declared in config rather than code. Credential types (password, passkey, TOTP, WebAuthn, OIDC social login, SAML, magic link codes) are strategies that can be mixed and matched per deployment without touching application logic.
Kratos is UI-agnostic by design. The server never renders HTML; it returns flow objects that your own frontend—React, Vue, mobile, or server-rendered—consumes to build whatever login screen you need. This strict separation means branding, accessibility, and UX are entirely in your control. Browser-based and API-native flows are first-class citizens, covering both traditional web apps and native mobile clients.
Born from the Ory ecosystem, Kratos integrates natively with Ory Hydra for OAuth2 and OpenID Connect, Ory Oathkeeper for request authorization, and the Ory Network managed service. It supports PostgreSQL, MySQL, and CockroachDB via the Ory Pop ORM, ships quickstart Docker Compose setups for most databases, and runs comfortably on Kubernetes. Adopted by companies including Segment, Arduino, and Sainsbury’s, Kratos is proven at scale across both consumer and enterprise workloads.
What You Get
- Self-service flows for login, registration, account recovery, email/phone verification, and profile settings exposed as structured JSON flow objects, consumed by any frontend framework
- Flexible credential strategies including password, passkey, WebAuthn, TOTP, lookup secrets, SMS/email magic codes, OIDC social login with 20+ built-in providers, and SAML
- JSON Schema-driven identity model that lets you define exactly which traits (email, username, phone, custom fields) each identity carries without touching Go code
- Native OAuth2 and OpenID Connect integration with Ory Hydra, enabling Kratos to serve as the identity layer in a full OAuth2/OIDC authorization server setup
- Multi-database support for PostgreSQL, MySQL, and CockroachDB with a battle-tested ORM migration system and zero-downtime schema upgrades
- Admin REST and gRPC APIs for identity lifecycle management—create, read, update, deactivate, and delete identities and their credentials programmatically
- Session management with configurable lifetimes, privileged session enforcement for sensitive operations, and session token exchange for native app flows
- Quickstart Docker Compose configurations for every supported database, a standalone mode, and production-grade Kubernetes deployment documentation
Common Use Cases
- SaaS product authentication - A startup removes auth from its monolith by pointing its React frontend at Kratos flows, gaining MFA, social login, and account recovery without writing a single auth function
- Auth0 or Okta migration - An engineering team migrates away from a managed identity provider by deploying Kratos behind Ory Hydra, preserving OAuth2/OIDC compatibility for all existing clients while cutting licensing costs
- Multi-tenant platform identity - A B2B platform uses Kratos identity schemas to differentiate user traits per tenant type, assigning different credential requirements and profile fields to end users versus admin accounts
- Mobile app native flows - A mobile team uses the Kratos API-native flow endpoints (no cookie redirect) to drive login and registration screens built in Swift and Kotlin, with session tokens returned directly
- Kubernetes-native microservices auth - A platform team deploys Kratos as a sidecar-adjacent service on Kubernetes, integrating it with Ory Oathkeeper to enforce per-route authentication and authorization across dozens of microservices
- Regulated industry identity - A healthcare or fintech product uses Kratos to enforce AAL2 multi-factor authentication for sensitive operations, with TOTP and passkey as second factors and privileged session gating for account changes
Under The Hood
Architecture Kratos follows a strict layered architecture organized around a central registry pattern that wires together a dozen bounded domains—identity, session, selfservice flows, continuity, courier, persistence, and credential strategies—without any global state or circular dependencies. Each domain exposes a narrow interface set (Provider, Manager, Persister, HandlerProvider) that the registry implements, enabling dependency inversion throughout: strategies declare what they need through dependency interfaces rather than importing concrete types, and the registry satisfies them at startup. The self-service layer models each flow (login, registration, recovery, verification, settings) as an explicit state machine with persisted state, hooks, and a UI node graph, ensuring that flow progression is auditable and resumable across restarts. This design creates exceptional separation between the HTTP transport layer, flow orchestration, credential strategy execution, and persistence—changing or adding a credential strategy requires no modifications to flow handlers or persistence code.
Tech Stack Kratos is implemented in Go with a stateless HTTP server architecture suitable for horizontal scaling. Routing is handled via the Ory httprouterx wrapper around julienschmidt/httprouter, with middleware via Negroni. Persistence uses Ory Pop v6 (a fork of gobuffalo/pop) as the ORM, targeting PostgreSQL, MySQL, and CockroachDB, with versioned SQL migrations managed in-process. Sessions and continuity tokens use Gorilla sessions and Ristretto v2 as an in-process cache. JSON Schema validation drives identity trait validation via a custom validator. OIDC federation uses coreos/go-oidc with PKCE support, and Jsonnet scripts (via jsonnetsecure) map external claims to identity traits. WebAuthn and passkey support is built on go-webauthn. Observability integrates OpenTelemetry tracing and Prometheus metrics. The server bundles a generated Go client SDK in the repository itself, and API schemas are maintained as OpenAPI specs generated from Go source annotations.
Code Quality The codebase demonstrates comprehensive test coverage with extensive integration tests across all self-service flows, credential strategies, and persistence backends. Test files accompany virtually every production package, and integration test helpers simulate full browser flows and API flows against real database instances. Error handling is explicit and typed throughout—the Ory herodot package provides structured error responses, errors are wrapped with pkg/errors for stack traces, and no error paths are silently swallowed. The registry dependency inversion pattern makes units independently testable with mock implementations. Naming conventions are consistent and idiomatic Go; the Go code is linted via CI. The only moderate concern is the size of the registry default implementation, which accumulates all wiring in one file and becomes dense as the feature surface grows.
What Makes It Unique Kratos’s most distinctive technical decision is its complete inversion of the UI relationship with authentication: rather than the server owning and rendering login pages, it produces flow objects—structured graphs of UI nodes with labels, input definitions, and action URLs—that any frontend renders however it chooses. This means a React SPA, a mobile app, a server-rendered Rails view, and a CLI can all drive the same Kratos flow without any server changes. Paired with the Jsonnet-based OIDC claim mapper, which lets operators script arbitrary claim transformations in a sandboxed language without server recompilation, and the JSON Schema identity model that externalizes user shape entirely to configuration, Kratos achieves a degree of runtime extensibility unusual in identity infrastructure—operators can reconfigure credential strategies, identity schemas, OIDC providers, and UI endpoints without touching compiled code or restarting with custom builds.
Self-Hosting
Ory Kratos is released under the Apache License 2.0, which is a permissive open source license. You can use it commercially, modify the source, distribute it, and build proprietary products on top of it without any obligation to open-source your application code. There are no copyleft clauses, no contributor license gotchas, and no usage-based licensing restrictions in the core open source distribution. The full engine—login, registration, recovery, MFA, OIDC, passkeys—is available to everyone under these terms.
Running Kratos yourself means you own the entire stack: database provisioning and backups, schema migrations, horizontal scaling, TLS termination, secrets management, and incident response. The server is stateless and scales horizontally behind a load balancer, but you need to provision and maintain the database (PostgreSQL, MySQL, or CockroachDB), manage migrations across upgrades, and wire up your own email/SMS courier for verification and recovery messages. Kratos ships with Docker Compose quickstarts and Kubernetes guidance, but operationalizing it in a production environment with proper HA, monitoring, and on-call runbooks is a non-trivial commitment—particularly if identity is on the critical path for every user login.
The Ory Enterprise License (OEL) layers additional capabilities onto self-hosted Kratos for production deployments that need more than the open source build provides. OEL adds SCIM provisioning, organization login (B2B SSO), CAPTCHAs, multi-tenancy primitives, FedCM support, and access to a private Docker registry with vetted, frequently updated enterprise builds including guaranteed CVE patches under SLA. Beyond features, OEL brings support contracts with direct engineer access and onboarding assistance. The alternative to self-hosting is the Ory Network managed service (Ory Identities), which is API-compatible with the open source server and handles all infrastructure, scaling, compliance storage, and upgrades automatically—trading operational control for speed and simplicity.
Related Apps
Supabase
Developer Tools · Databases · Search
The open-source Postgres development platform that replaces Firebase with authentication, real-time APIs, edge functions, storage, and vector embeddings — all built on PostgreSQL.
Supabase
Apache 2.0PocketBase
Databases · Ecommerce · Authentication
Open Source realtime backend in 1 file — embedded SQLite, auth, file storage, and admin UI as a single Go binary.
PocketBase
MITAppwrite
Developer Tools · Databases · Authentication
Open-source backend platform with Auth, Databases, Storage, Functions, Messaging, Realtime, and Sites — deploy via Docker or use Appwrite Cloud.