Ory Keto

Ory Keto is an open-source (identity and access) authorization server that implements fine-grained, Context-Aware Access Control (CAAC) using the Google Zanzibar authorization model.

  • Centralized authorization service implementing the Google Zanzibar model (identity and access)
  • Fine-grained permission and relationship-based access control across services and applications (identity and access)
  • gRPC and HTTP/JSON APIs for permission checks, relationship tuples, and policy evaluation (API infrastructure)
  • Scalable, distributed architecture for enforcing authorization decisions in microservices and cloud environments (cloud-native infrastructure)
  • Integrates with the broader Ory stack for identity, authentication, and policy-based access control (identity and access)

More About Ory Keto

Ory Keto is an open-source (identity and access) authorization server designed to externalize and centralize access control decisions for distributed systems. It is based on the Google Zanzibar authorization model, which expresses access control as relationships between subjects and objects. Ory Keto focuses on fine-grained permissions, enabling enterprises to manage complex authorization requirements across heterogeneous services, APIs, and applications.

The core capability of Ory Keto is a relationship-based access control (ReBAC) engine (identity and access) that stores and evaluates relations, such as which users or groups can perform which actions on which resources. Instead of hardcoding authorization logic into each service, applications query Ory Keto to determine whether a given subject is allowed to perform an operation on a resource. This pattern supports multi-tenant systems, hierarchical resources, and dynamic policy scenarios where permissions depend on organizational, project, or object-level relationships.

Ory Keto exposes gRPC and HTTP/JSON APIs (API infrastructure) for performing permission checks, managing relationship tuples, and inspecting authorization state. These APIs allow services to ask “check” queries (for example, whether a subject has a permission on an object) and to write or delete relationship tuples that represent access rules. The server is designed for deployment in containerized and cloud-native environments (cloud-native infrastructure), and it can be horizontally scaled to support high query volumes typical of enterprise workloads.

In enterprise environments, Ory Keto is used as a centralized Policy Decision Point (PDP) (identity and access) that sits alongside identity providers and authentication systems. It is commonly deployed with other components from the Ory ecosystem, such as Ory Kratos for user identity and authentication, and Ory Oathkeeper for enforcing access control at edge or gateway layers. This separation of concerns allows organizations to manage authentication and authorization independently while keeping a unified authorization model across microservices, APIs, and user-facing applications.

Ory Keto supports a multi-region and multi-tenant architecture (cloud-native infrastructure) aligned with modern distributed systems. Its data model, based on relationship tuples and namespaces, allows modeling of complex resource hierarchies, group memberships, and role assignments. Because it follows principles derived from the Zanzibar paper, it is suitable for scenarios that require consistent authorization semantics at scale, such as Software-as-a-Service (SaaS) platforms, organizational hierarchies, and collaborative applications.
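The three preceding paragraphs describe the Zanzibar data model in prose: relationship tuples scoped by namespace, subject sets that express group membership and resource hierarchies, and a "check" query that walks those relationships. The following Python is an added example, not Ory Keto's own code and not its API; it is a small in-memory tuple store that mirrors the tuple notation used by the Zanzibar model (`namespace:object#relation@subject`, with a parenthesized subject set for indirect grants) and evaluates a check by recursively expanding subject sets. The namespaces, objects and user ids are constructed sample data.

```python
"""Minimal Zanzibar-style relationship-tuple store with a recursive check.

Constructed example: this is not Ory Keto's code. It mirrors the tuple shape
of the Zanzibar model (namespace:object#relation@subject) and the way a
"check" query expands subject sets; the sample namespaces, objects and
users below are invented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class SubjectSet:
    """A subject meaning "everyone holding <relation> on <namespace>:<object>"."""
    namespace: str
    object: str
    relation: str


Subject = Union[str, SubjectSet]  # a direct subject id, or a subject set


@dataclass(frozen=True)
class RelationTuple:
    namespace: str
    object: str
    relation: str
    subject: Subject


_TUPLE_RE = re.compile(r"^([^:]+):([^#]+)#([^@]+)@(.+)$")
_SET_RE = re.compile(r"^\(([^:]+):([^#]+)#([^)]+)\)$")


def parse_tuple(text: str) -> RelationTuple:
    """Parse 'ns:obj#rel@subject' or 'ns:obj#rel@(ns:obj#rel)' (assumed notation)."""
    m = _TUPLE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a relation tuple: {text!r}")
    ns, obj, rel, subj = m.groups()
    s = _SET_RE.match(subj)
    subject: Subject = SubjectSet(*s.groups()) if s else subj
    return RelationTuple(ns, obj, rel, subject)


class TupleStore:
    """In-memory policy decision point: write/delete tuples, answer check queries."""

    def __init__(self) -> None:
        self._tuples: Set[RelationTuple] = set()

    def write(self, text: str) -> None:
        self._tuples.add(parse_tuple(text))

    def delete(self, text: str) -> None:
        self._tuples.discard(parse_tuple(text))

    def check(self, namespace: str, obj: str, relation: str, subject_id: str,
              _path: FrozenSet[Tuple[str, str, str]] = frozenset()) -> bool:
        """Does subject_id hold `relation` on ns:obj, directly or via subject sets?"""
        key = (namespace, obj, relation)
        if key in _path:          # cycle guard: a subject set that refers back to itself
            return False
        path = _path | {key}
        for t in self._tuples:
            if (t.namespace, t.object, t.relation) != key:
                continue
            if t.subject == subject_id:   # direct grant
                return True
            if isinstance(t.subject, SubjectSet) and self.check(
                t.subject.namespace, t.subject.object, t.subject.relation, subject_id, path
            ):
                return True               # indirect grant through a subject set
        return False                      # default deny


def build_sample_store() -> TupleStore:
    """Constructed sample data: a group, a folder hierarchy, and editor-implies-viewer."""
    store = TupleStore()
    for line in [
        "groups:eng#member@alice",                    # alice is in the eng group
        "folders:docs#viewer@(groups:eng#member)",    # eng members can view the docs folder
        "files:readme#viewer@(folders:docs#viewer)",  # folder viewers can view this file
        "files:readme#viewer@(files:readme#editor)",  # editors of the file are also viewers
        "files:readme#editor@bob",
        "files:secret#viewer@carol",
    ]:
        store.write(line)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(store.check("files", "readme", "viewer", "alice"))  # True: group -> folder -> file
    print(store.check("files", "readme", "editor", "alice"))  # False
    store.delete("groups:eng#member@alice")
    print(store.check("files", "readme", "viewer", "alice"))  # False once membership is removed
```

Two design points matter for a decision point like this. Deleting a single membership tuple revokes every permission that was reachable only through it, which is what makes tuple writes and deletes the unit of policy change in this model. The path-based cycle guard keeps a self-referential subject set from recursing forever while still returning the default-deny answer; a production engine would additionally memoize and bound the expansion depth.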

From a technical taxonomy perspective, Ory Keto sits in the identity and access management (IAM) category as an externalized authorization and policy decision service. It interacts with authentication providers, Application Programming Interface (API) gateways, and application backends via network APIs, and it is designed for integration into automated deployment pipelines and Infrastructure-as-Code (IaC) workflows. Its open-source nature allows teams to inspect, extend, and operate the authorization stack within their own infrastructure while maintaining a standardized model for access control across systems.