Introduction to Ory Kratos

Ory Kratos is an API-first identity and user management system for cloud-native applications. It centralizes login, registration, recovery, verification, and profile management flows so your services consume them instead of reimplementing them.

What is Ory Kratos?

Ory Kratos follows cloud architecture best practices and focuses on core identity workflows that almost every application needs:

Self-service flows

Complete login and registration flows with customizable UI

Account verification

Email and phone verification with recovery workflows

Multi-factor authentication

TOTP, WebAuthn, passkeys, and recovery codes

Profile management

Self-service account and credential management

Identity schemas

Flexible JSON schema-based identity traits

Admin APIs

Complete lifecycle management over HTTP APIs

Why Ory Kratos?

Ory Kratos is designed to:
  • Remove identity logic from your application code and expose it over HTTP APIs
  • Work with any UI framework through browser-based and native app flows
  • Scale to large numbers of identities and devices
  • Integrate with the Ory stack for OAuth2, OpenID Connect, and access control
  • Fit into modern cloud-native environments such as Kubernetes and managed platforms
Ory Kratos protects over 7 billion API requests every day across thousands of companies including OpenAI, Fandom, Cisco, and many more.

Architecture overview

Ory Kratos operates as a standalone service with two distinct APIs:

Public API (port 4433)

The public API handles all user-facing operations:
  • Self-service login, registration, recovery, and verification flows
  • Session management and validation
  • Profile and settings updates
  • Multi-factor authentication challenges

Admin API (port 4434)

The admin API provides administrative operations:
  • Create, read, update, and delete identities
  • Query identity data
  • Manage identity schemas
  • Health and metrics endpoints

Key features

Authentication methods

Traditional username/email and password authentication with bcrypt or Argon2 hashing.

Identity schema flexibility

Define custom identity traits using JSON Schema:
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "ory.sh/kratos": {
            "credentials": {
              "password": {"identifier": true}
            },
            "verification": {"via": "email"},
            "recovery": {"via": "email"}
          }
        },
        "name": {
          "type": "object",
          "properties": {
            "first": {"type": "string"},
            "last": {"type": "string"}
          }
        }
      },
      "required": ["email"]
    }
  }
}
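As an added example (not Kratos's own validator), the standard-library Python below walks the schema shown above, reports which trait the `ory.sh/kratos` annotation marks as the password identifier, and checks a constructed identity's traits against the required keys, types and email format. The email check is a deliberately simplified regex rather than the full RFC 5322 grammar.

```python
import re

EXT = "ory.sh/kratos"  # the Kratos JSON Schema extension keyword
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # simplified "email" format check

SCHEMA = {  # the identity schema from this page, as a Python literal
    "$schema": "http://json-schema.org/draft-07/schema#",
    "type": "object",
    "properties": {"traits": {
        "type": "object",
        "properties": {
            "email": {"type": "string", "format": "email", EXT: {
                "credentials": {"password": {"identifier": True}},
                "verification": {"via": "email"}, "recovery": {"via": "email"}}},
            "name": {"type": "object", "properties": {
                "first": {"type": "string"}, "last": {"type": "string"}}},
        },
        "required": ["email"],
    }},
}

def collect_annotations(node, path=""):
    """Map each annotated trait path (e.g. 'traits/email') to its extension block."""
    found = {path: node[EXT]} if EXT in node else {}
    for name, sub in node.get("properties", {}).items():
        found.update(collect_annotations(sub, f"{path}/{name}".lstrip("/")))
    return found

def login_identifiers(schema):
    """Trait paths a user may enter as the identifier for the password credential."""
    return sorted(p for p, ext in collect_annotations(schema).items()
                  if ext.get("credentials", {}).get("password", {}).get("identifier"))

def validate_traits(schema, traits):
    """Check required keys, basic types and email format; return a list of errors."""
    node, errors = schema["properties"]["traits"], []
    errors += [f"missing required trait: {k}" for k in node.get("required", []) if k not in traits]
    for key, value in traits.items():
        prop = node["properties"].get(key)
        if prop is None:  # draft-07 permits extra keys unless additionalProperties is false
            if node.get("additionalProperties", True) is False:
                errors.append(f"trait not in schema: {key}")
            continue
        expected = {"string": str, "object": dict}[prop["type"]]
        if not isinstance(value, expected):
            errors.append(f"{key}: expected {prop['type']}")
        elif prop.get("format") == "email" and not EMAIL_RE.match(value):
            errors.append(f"{key}: not a valid email address")
    return errors
```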

Use cases

B2C applications

Consumer-facing apps that need secure, scalable authentication with social login and passwordless options.

SaaS platforms

Multi-tenant platforms requiring flexible identity management and self-service flows.

Mobile applications

Native iOS and Android apps using Ory’s native SDKs and OAuth2 flows.

Microservices

Distributed systems that need centralized identity and session management.

Deployment options

Ory Network (managed)

The fastest way to use Ory Kratos in production. Ory Identities is powered by the open-source Ory Kratos server and is API compatible.

Try Ory Network

Sign up for a free developer account with identity management that scales to billions of users, prebuilt UI components, and global edge deployment.

Self-hosted

Run Ory Kratos yourself for full control over infrastructure, deployment, and customization.
  • Install on Linux, macOS, Windows, or Docker
  • Deploy to Kubernetes and other orchestration systems
  • Configure databases: PostgreSQL, MySQL, CockroachDB, or SQLite
  • Build from source for custom modifications
For business-critical systems, consider the Ory Enterprise License, which includes security patches with SLAs, advanced features (SCIM, SAML), and premium support.

Migrating from other providers

If you’re migrating from Auth0, Okta, or another identity provider that uses OAuth2/OpenID Connect, consider using Ory Hydra + Ory Kratos together:
  • Ory Hydra acts as the OAuth2 and OpenID Connect provider
  • Ory Kratos provides identity, credentials, and user-facing flows
This combination is often a drop-in replacement for OAuth2 and OIDC capabilities at the protocol level.

Next steps

Quickstart

Get Ory Kratos running in under 5 minutes with Docker

Installation

Install Ory Kratos using Docker, binaries, or from source

Configuration

Configure identity schemas, authentication methods, and flows

Concepts

Learn about identities, credentials, sessions, and flows