Ory Oathkeeper
Ory Oathkeeper is an open-source Identity & Access Proxy (identity and access management) that enforces access control, authentication, and authorization for Hypertext Transfer Protocol (HTTP) services and Application Programming Interfaces (APIs).
- Reverse proxy for externalizing authentication and authorization in front of APIs and web applications (identity and access management).
- Supports flexible access rules for HTTP requests, including URL, method, and header-based policies (policy enforcement).
- Integrates with identity providers and token issuers through authenticators such as JSON Web Tokens (JWTs), OAuth2/OIDC tokens, and API keys (authentication and federation).
- Applies authorization logic via configurable access rules and decision engines, including integration with Ory Keto (authorization and policy decision).
- Provides request mutation, header injection, and redirection to attach identity context to upstream services (API gateway and edge security).
More About Ory Oathkeeper
Ory Oathkeeper is an open-source Identity & Access Proxy (identity and access management) designed to sit in front of HTTP services and APIs to handle authentication, authorization, and request mutation before traffic reaches upstream applications. It operates as a reverse proxy that externalizes access control from application code, which allows teams to apply centralized security policies across heterogeneous services, including microservices, legacy systems, and third-party APIs.
The project focuses on the enforcement layer of identity and access management, complementing identity providers and token services rather than replacing them. Ory Oathkeeper consumes identity data from sources such as OAuth2 and OpenID Connect (OIDC) providers, JSON Web Tokens (JWTs), API keys, and other authenticators (authentication and federation). Access decisions are defined through access rules that match requests on attributes such as URL paths, HTTP methods, and headers, and then specify which authenticators, authorizers, and mutators to apply to the matched request.
Core capabilities include authenticators, which verify the caller’s identity; authorizers, which decide whether access is allowed; and mutators, which modify the request or response (reverse proxy and edge security). Authenticators support mechanisms such as OAuth2/OIDC tokens and JWTs, enabling integration with Ory Hydra and other standards-based identity providers (identity federation). Authorizers can rely on local rule evaluation or delegate fine-grained decisions to systems such as Ory Keto (authorization and policy decision). Mutators can inject headers, add identity claims, or rewrite requests so that upstream services receive normalized identity context without implementing authentication logic themselves.
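The following access rule illustrates how the three component types fit together in practice. It is an added example written for this page, not a rule taken from the Ory project's documentation or code; the hostnames, issuer URL, audience and scope names are placeholders. It matches read requests to one API path, requires a JWT from a named issuer with a specific audience and scope, allows the request once that check passes, and injects the token subject as a header for the upstream service.

```yaml
# Added example access rule (not from the Ory project); all hosts, the issuer,
# the audience and the scope are placeholders.
- id: orders-api-read
  upstream:
    url: http://orders-service.internal:8080   # where matched requests are forwarded
    preserve_host: true
    strip_path: /api                           # /api/orders/123 arrives upstream as /orders/123
  match:
    url: https://api.example.test/api/orders/<.*>
    methods: [GET]                             # a POST to the same path does not match this rule
  authenticators:
    - handler: jwt
      config:
        jwks_urls:
          - https://issuer.example.test/.well-known/jwks.json
        trusted_issuers:
          - https://issuer.example.test/
        target_audience:
          - orders-api
        required_scope:
          - orders:read
  authorizer:
    handler: allow                             # a valid token with the required scope is sufficient here
  mutators:
    - handler: header
      config:
        headers:
          X-User-Id: "{{ print .Subject }}"   # upstream reads identity from this header
```

Two points a deployment should check: each handler referenced in a rule (`jwt`, `allow`, `header`) must also be enabled in the Oathkeeper configuration file, and requests that match no rule are rejected rather than proxied, so rules define the reachable surface. Because the upstream trusts the injected `X-User-Id` header, it must only be reachable through the proxy; if clients can reach the upstream directly, they can supply that header themselves.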
In enterprise environments, Ory Oathkeeper is typically deployed as an edge proxy or sidecar in front of APIs, web applications, and internal services (API security). It can be run in container orchestration platforms such as Kubernetes, integrated with ingress controllers, or placed behind existing load balancers. Configuration is file- or API-driven, which supports Infrastructure-as-Code (IaC) workflows and Git-based configuration management (DevSecOps and platform engineering). Because access rules and components are declarative, platform and security teams can manage policies centrally while application teams focus on business logic.
Ory Oathkeeper participates in the broader Ory ecosystem, working with Ory Hydra for OAuth2 and OIDC token issuance and Ory Keto for access control policies (identity and access management suite). It uses widely adopted protocols such as HTTP, OAuth2, OIDC, and JWT, which supports interoperability with external identity providers and Software-as-a-Service (SaaS) platforms (standards-based integration). Within a technical taxonomy, Ory Oathkeeper is categorized as an identity-aware reverse proxy and API access gateway focused on authentication and authorization enforcement at the edge of distributed systems.