Ory Kratos

Ory Kratos is an open-source identity and user management system (identity and access) that provides API-first user authentication, registration, account management, and self-service identity workflows for cloud-native applications.

  • API-first user authentication, registration, and login flows (identity and access)
  • Self-service user-facing flows for profile management, password reset, verification, and multi-factor enrollment (identity and access)
  • Headless architecture with bring-your-own-UI and JSON/HTTP APIs for integration into web, mobile, and machine-to-machine services (application integration)
  • Lifecycle management for identities, credentials, and sessions in distributed systems (identity lifecycle management)
  • Designed to integrate with the broader Ory stack, including Ory Hydra and Ory Oathkeeper, for policy-based access control and authorization (security and access control)

More About Ory Kratos

Ory Kratos addresses the problem space of identity, user management, and authentication for modern application architectures (identity and access). It focuses on offloading account-related workflows from application code into a dedicated identity service. Kratos exposes HTTP and JSON APIs that allow developers to manage identities, credentials, sessions, and user-facing flows while building their own frontends or integrating with existing user interfaces.

The project provides capabilities for user registration, login, logout, account recovery, email and phone verification, and profile management (identity and access). These flows are designed as self-service processes, so end users can manage their accounts without custom backend logic in each application. Ory Kratos supports multi-factor authentication and manages sessions and identity state centrally. The system stores identity data and credential metadata and exposes APIs for updating traits, managing passwords, and running policy-controlled flows for changes to user data.

Architecturally, Ory Kratos is built as a headless service (microservices and cloud-native infrastructure). It does not enforce a specific user interface; instead, it provides structured APIs and browser-based flows that application developers can connect to their own web or mobile frontends. Kratos can run in containerized environments and is described by Ory as part of a cloud-native identity platform. Configuration is declarative, and the system is designed to work with standard HTTP infrastructure and modern deployment patterns.

In enterprise environments, Ory Kratos is positioned as the identity and user management component that integrates with other Ory projects. It works with Ory Hydra for OAuth2 and OpenID Connect (OIDC) flows (identity and access protocols) and with Ory Oathkeeper for access control and API security (API security and authorization). This combination allows organizations to separate authentication, authorization, and policy enforcement into specialized services while using Kratos as the core user and identity service.

From an interoperability and extensibility perspective, Kratos exposes APIs and hooks that enable integration with existing systems, custom UIs, and external services (application integration). Enterprise teams can plug Kratos into broader security and compliance architectures, using it as the authoritative source for identities while delegating token issuance or gateway-level decisions to other Ory components. In a technical taxonomy, Ory Kratos fits within identity and access management, user directory and profile management, and authentication services for microservices and cloud-native applications.