Secure, scalable identity management and user authentication is complex. Ory Kratos streamlines it with a headless, cloud-native identity management system that runs in the cloud or self-hosted — letting developers focus on building their applications.
Full control. A cloud-native identity management system that fits your stack.
Ory Kratos is a fully featured identity and user management system with a clean, API-first architecture. Run it cloud-native, self-hosted, or fully managed — you control every aspect through the headless API.
Integrate with any stack
Ory Kratos works as a headless user authentication system behind any UI framework. Native support for FIDO2, WebAuthn, TOTP, and modern passwordless flows — drop in a few API calls and you're live.
Configurable user authentication flows
Customize login, registration, MFA, and account recovery. Define your own identity models with custom traits and schemas. Bring your own UI or use Ory Elements to expedite development — either way, every flow is configurable through the API.
Powered by Open Source
Ory Kratos is open-source identity management at its core — auditable, no vendor lock-in, and deployable across three models. Run the open-source distribution yourself, choose the Ory Enterprise License for self-hosted production support, or use Ory Network for fully managed cloud identity management.
Łukasz Harasimowicz
Platform Team
Our system needs to handle sudden increases in traffic — authentication is always in the critical path for every request a user is making to our platform.
The Ory Kratos identity and user management system at a glance
Self service login and registration
Users create and sign in to accounts using username/email and password combinations, Social Login, passwordless flows, TOTP and more.
Multifactor Authentication
Implement proven standards of web security with FIDO2, WebAuthn, TOTP. Use Yubikeys, Google Authenticator or FaceID to reduce friction and increase security.
User management
Run a complete user management system: create, update, retrieve, and delete user identities through the API, with webhooks for lifecycle events. Full admin control over every identity in your system.
Bring your identity model
Use customizable identity models (defining custom fields such as name, address, favorite pet) and create your own interfaces in your style and branding.
Social Login & SSO
Let users sign in with Google, GitHub, Apple, and any OIDC provider. Single sign-on (SSO) with the social and enterprise identity providers your users already trust.
Account verification and recovery
Verify an identity by checking the email, phone number, or physical address of that user. Provide recovery of accounts using "Forgot Password" flows, security codes, etc.
How to de-risk identity at scale with Ory
OSS is where most teams start. The question is whether it holds up as scale, compliance, and security requirements grow. Running identity infrastructure yourself means owning everything, from patches to incident response, compliance controls, and performance tuning. At enterprise scale, that overhead competes with product innovation. Ory's commercial offerings, OEL and Ory Network, trade that burden for SLA-backed support, managed CVE patching, and audit-ready controls.
OSS
OEL
Ory Network
Compliance and audit-ready (GDPR, PSD2, PCI-DSS, SOC 2, and others)
Compliance and audit-ready (GDPR, PSD2, PCI-DSS, SOC 2, and others)
Compliance-ready
Compliance and audit-ready (GDPR, PSD2, PCI-DSS, SOC 2, and others)
Global multi-region architecture
Global multi-region architecture
Multi-region capable
Global multi-region architecture
Purpose-based data retention
Purpose-based data retention
Purpose-based data retention
24/7 SLA support
24/7 SLA support
24/7 SLA support
CVE security patching
CVE security patching
CVE security patching
Unified control plane for ease of management
CLI
Unified control plane for ease of management
CLI & GUI
Unified control plane for ease of management
CLI & GUI
Production Helm Charts
Production Helm Charts
Production Helm Charts
n/a
Managed infrastructure
Managed infrastructure
n/a
Managed infrastructure
High performance pooling
High performance pooling
High performance pooling
B2B Organizations
B2B Organizations
B2B Organizations
Admin onboarding portal
Admin onboarding portal
Admin onboarding portal
Social single sign-on
Social single sign-on
Social single sign-on
Purpose-based data retention
Purpose-based data retention
Purpose-based data retention
CAPTCHA
CAPTCHA
CAPTCHA
FedCM
FedCM
FedCM
Advanced identity search
Advanced identity search
Advanced identity search
Deploy Ory Kratos on your preferred infrastructure
Self-hosted to SaaS: full control over your infrastructure, data, and compliance.
Open Source deployment — Run, try, and inspect Ory Kratos open source. Perfect to proof-of-concept your next big idea. 
Ory Enterprise License
OEL deployment — Ory Kratos on OEL means optimized code with premium support for mission-critical production environments, on-prem, self-hosted – wherever else you need it, always up to date. 
Ory Network
Ory Network deployment — Ory Network includes Ory Kratos powered capabilities in an instant-on global identity system. Achieve speed, security, scale, compliance and support with ease.
Integrations
Ready to try Ory Kratos?
Get started with the guides and docs below
page.tsx
import React, { useEffect, useState } from "react"
import { FrontendApi, Configuration, Session } from "@ory/client"
const basePath = "https://ory.example.com"
const ory = new FrontendApi(
new Configuration({
basePath,
baseOptions: { withCredentials: true },
}),
)
function Example() {
const [session, setSession] = useState<Session | undefined>()
useEffect(() => {
ory
.toSession()
.then(({ data }) => {
setSession(data)
})
.catch((err) => {
console.error(err)
// Not signed in, redirect to login
window.location.replace(`${basePath}/self-service/login/browser`)
})
}, [])
if (!session) {
return <p>No session found.</p>
}
return <p>Welcome to, {session?.identity.traits.email}.</p>
}
Ory Kratos FAQ
Ory Kratos is an API-first identity and user management system. It handles login, registration, multi-factor authentication, account recovery, profile management, and session management. Ory Kratos is headless: it exposes APIs that your application consumes and does not ship a built-in login page. You build the UI in whatever framework you use. Ory Kratos is available as open-source software (Apache 2.0), as a commercially licensed self-hosted product (Ory Enterprise License), and as part of the fully managed Ory Network.
- Frictionless Global Onboarding - User drop-off during registration is a major revenue killer. Ory Kratos provides the building blocks for modern, high-conversion entry points. Rapidly implement Social Sign-In (OIDC), Passwordless flows, and Magic Links to reduce sign-up friction and directly increase conversion rates and decrease time-to-value for new users.
- Hardened Security without Developer Overhead - Building secure account recovery, MFA, and verification flows from scratch is error prone, time consuming, and takes time away from building your actual products and services. Ory Kratos comes with "battle-hardened" flows for MFA (TOTP, WebAuthn/FaceID), account verification, and secure recovery out of the box. This allows your engineering team to stop "re-inventing the wheel" of security protocols and focus 100% of their energy on building your business.
- Own Your Brand, Own Your User Experience - Legacy providers often force you to redirect users to a "generic" login page, breaking your brand's look and feel. Ory Kratos is headless. It handles the complex logic of authentication via APIs while your team maintains total control over what users see. This ensures a seamless brand experience from the very first click, which is critical for high-end B2B and consumer applications.
- Compliance and Audit-Ready Infrastructure - Navigating GDPR, SOC2, and regional data residency requirements is a significant legal and operational burden. Whether you need to host data in a specific region for GDPR or require an air-gapped environment for high-security sectors, Ory Kratos’ flexible deployment (Cloud, On-Prem, or Hybrid) provides an "audit-ready" foundation wherever you need it.
Ory Kratos handles identity: who the user is. Kratos manages credentials, login flows, registration, MFA, and sessions. Ory Hydra handles delegation: issuing OAuth 2.0 access tokens and OpenID Connect ID tokens to third-party applications.If you only need login for your own app, use Ory Kratos alone. You do not need OAuth 2.0 or OIDC just to authenticate first-party users. If you need to act as an OAuth 2.0/OIDC provider for third-party apps, machine-to-machine flows, or cross-application SSO, use Ory Kratos and Ory Hydra together. Ory Kratos serves as the identity backend, and Ory Hydra handles the token issuance.
Ory Kratos supports
- password-based login
- social login via any OpenID Connect provider (Google, GitHub, Apple, Facebook, and 15+ preconfigured providers),
- TOTP (Google Authenticator, FreeOTP)
- WebAuthn/FIDO2 (YubiKey, FaceID, TouchID, Windows Hello)
- passkeys for passwordless login, SMS OTP, email OTP, magic links, and lookup/recovery codes as a backup method
Yes. Because Ory Kratos is headless and API-first, it works with any frontend framework (React, Next.js, Vue, Angular, Svelte) and any backend language. For browser apps, Ory Kratos supports both server-rendered and single-page architectures. For native mobile apps (iOS, Android), Kratos provides dedicated API flows that do not require cookies or CSRF tokens.Ory also provides Ory Elements, a React component library, and the Ory Account Experience, a prebuilt customizable UI. If you prefer full control, reference implementations exist for Node.js, Next.js, and React Native.
Ory provides a modular, cloud-native IAM platform designed for "deploy-anywhere" flexibility and trillion-scale performance. Break free from vendor lock-in and secure your entire ecosystem, from global customers to autonomous AI agents. By replacing monolithic legacy systems with Ory’s hardened building blocks, you slash total cost of ownership (TCO) and accelerate the launch of mission-critical applications.
Ory Kratos supports two migration paths. - First, bulk import: use the Admin API to import identities with their existing password hashes. Supported hash formats include bcrypt, Argon2, PBKDF2, scrypt, SHA, MD5, HMAC, Firebase scrypt, and crypt(3). - Second, graceful migration via webhook: import users without password hashes and enable the password migration hook. When a user logs in, Ory Kratos calls your webhook with the credentials. If your service confirms the password, Ory Kratos stores the hash going forward and never calls the hook for that user again. A step-by-step guide for migrating from Auth0 is also available.
Ory Kratos supports PostgreSQL, MySQL, and CockroachDB for production. SQLite is supported for local development and testing only. Ory Network manages the database layer for you.
Ory Kratos is the identity layer. It handles who the user is: login, registration, account recovery, email/phone verification, profile management, multi-factor authentication, and session management. The other Ory products handle what the user can do and how access is delegated. Ory Hydra issues OAuth 2.0 access tokens and OpenID Connect ID tokens when you need to grant third-party applications access to your APIs. Ory Keto evaluates fine-grained permissions based on the Google Zanzibar model, answering questions like "can this user edit this document?" Ory Oathkeeper sits at the network edge as a reverse proxy or decision API, validating Ory Kratos sessions, checking Ory Keto permissions, and enriching requests with identity context (such as an X-User-ID header or signed JWT) before forwarding them to your upstream services. Ory Polis bridges enterprise SAML and OIDC identity providers into a standard OAuth 2.0 flow for B2B SSO. Ory Elements provides a React component library that renders login, registration, and account management pages based on your Ory Kratos configuration. You can use Ory Kratos on its own for first-party authentication, or combine it with any of the other Ory products as your requirements grow. On the Ory Network, all products are pre-integrated into a single managed platform.
Yes. Ory supports B2B organizations that group users and route them to the correct SSO provider based on email domain (Home Realm Discovery). Each organization can have its own OIDC or SAML SSO connections. SAML is supported through Ory Polis and available on Ory Network Enterprise plans. SCIM provisioning is supported for automated user lifecycle management, with guided setup for Microsoft Entra ID, Google Workspace, and Okta. Ory also provides a self-service onboarding portal so your customers' IT admins can configure SSO and SCIM without needing identity expertise.Note: B2B organizations, SAML, and SCIM require Ory Network or self-hosted Ory Enterprise License plans. The community version is single-tenant only.
Ory is SOC 2 Type 2 certified and ISO 27001:2022 certified. Ory Hydra is OpenID certified. Ory Network was built with GDPR in mind: personal data can be stored on EU-based servers only, all data is encrypted at rest (AES-256) and in transit (TLS 1.2+), and APIs exist for data portability and deletion. Ory is currently undergoing PCI-DSS certification, with full compliance available soon. Audit reports are available through the Ory Trust Center.
Three design choices set Ory Kratos apart.First, it is truly headless. Unlike Keycloak or Auth0, which ship opinionated login UIs that you override, Ory Kratos provides no UI at all. Your team builds the interface in your framework, with your design system, on your domain - or chooses one of the pre-built options that Ory provides, such as or the Ory Account Experience. There is no hosted login page redirect unless you want one.Second, it separates authentication from OAuth 2.0. Most identity providers force you into OAuth 2.0/OIDC flows even for first-party login. Ory Kratos handles authentication directly, with native session management. You add OAuth 2.0 if you need it - for example via Ory Hydra.Third, it offers a deployment spectrum from open source to managed SaaS. Unique to Ory, you can start with the Apache 2.0 licensed open-source version, graduate to the Ory Enterprise License for self-hosted production with SLAs and enterprise features, or run on the fully managed Ory Network. Your identity schemas, configurations, and integrations work across all three. Only Ory gives you deployment freedom today and tomorrow.
Ory Kratos open source is free under the Apache 2.0 license. You can self-host it at no cost.For self-hosted production environments, the Ory Enterprise License (OEL) adds capabilities beyond what the open-source version provides. OEL includes enterprise features not available in OSS, such as B2B organizations, multi-tenancy, multi-region deployments, SAML, SCIM, and CAPTCHA support. It also includes regular security releases with CVE patches, SLA-backed support from Ory's core engineering team, zero-downtime migrations, and access to a private Docker registry with vetted enterprise builds. OEL is custom-priced.The has a free Developer tier for testing and proof-of-concept work.Ory Network charges based on average Daily Active Users (aDAU), not Monthly Active Users (MAU). A user active every day counts as 1 aDAU. A user active once a month counts as about 0.03 aDAU. This model avoids billing spikes from single high-traffic days. Depending on your ratio of daily to monthly active users, aDAU-based pricing can be significantly cheaper than MAU-based alternatives. Each paid plan includes a monthly usage credit that offsets per-unit costs.
