Skip to main content

Quickstart

This guide gets you up and running with Ory Kratos in under 5 minutes using Docker Compose. You’ll run a complete authentication system with email/password login, registration, and a test UI.

Prerequisites

Before you begin, ensure you have:

Quick start with Docker Compose

1

Clone the Ory Kratos repository

Download the quickstart configuration files:
git clone https://github.com/ory/kratos.git
cd kratos
Alternatively, download just the quickstart files without cloning the entire repository.
2

Start Kratos and dependencies

Run the quickstart with Docker Compose:
docker-compose -f quickstart.yml up
This starts the following services:
  • Kratos (ports 4433 and 4434) - The identity server
  • Kratos UI (port 4455) - Example self-service UI
  • MailSlurper (ports 4436 and 4437) - Test email server
  • Database migration - Automatic schema setup
Use -d flag to run in detached mode: docker-compose -f quickstart.yml up -d
3

Verify services are running

Check that all services started successfully:
docker-compose -f quickstart.yml ps
You should see all containers in “Up” state.Test the health endpoint:
curl http://127.0.0.1:4433/health/ready
Expected response:
{"status":"ok"}
4

Access the UI

Open your browser and navigate to:
http://127.0.0.1:4455/
You’ll see the Kratos self-service UI. Click “Sign Up” to create your first account.

Create your first identity

Register via browser

1

Navigate to registration

Go to http://127.0.0.1:4455/registration
2

Fill in the registration form

Enter your details:
  • Email address (e.g., user@example.com)
  • Password (must meet strength requirements)
  • First and last name (optional)
3

Complete registration

Click “Sign Up” to create your account. You’ll be automatically logged in.
4

Check verification email

Open MailSlurper at http://127.0.0.1:4436 to see the verification email.

Test authentication

1

Initiate login flow

Navigate to the login page:
http://127.0.0.1:4455/login
Or initialize a login flow via API:
curl -X GET http://127.0.0.1:4433/self-service/login/browser
2

Submit credentials

Enter the email and password for the identity you created.For API-based login, first get the flow ID, then submit:
# Get the login flow
FLOW_ID=$(curl -s http://127.0.0.1:4433/self-service/login/api | jq -r '.id')

# Submit credentials
curl -X POST http://127.0.0.1:4433/self-service/login?flow=$FLOW_ID \
  -H "Content-Type: application/json" \
  -d '{
    "method": "password",
    "password_identifier": "user@example.com",
    "password": "MySecurePassword123!"
  }'
3

Verify session

Check your active session:
curl -X GET http://127.0.0.1:4433/sessions/whoami \
  -H "Cookie: ory_kratos_session=YOUR_SESSION_TOKEN"
Response includes identity details and authentication methods used:
{
  "id": "session-id",
  "active": true,
  "identity": {
    "id": "e01b5f2e-8c5a-4b9a-9c1a-8d7e6f5a4b3c",
    "traits": {
      "email": "user@example.com"
    }
  },
  "authenticated_at": "2026-03-03T12:00:00Z"
}

Understanding the quickstart configuration

The quickstart.yml file configures a complete Kratos environment: 
version: '3.7'
services:
  kratos-migrate:
    image: oryd/kratos:v25.4.0
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
    volumes:
      - type: volume
        source: kratos-sqlite
        target: /var/lib/sqlite
      - type: bind
        source: ./contrib/quickstart/kratos/email-password
        target: /etc/config/kratos
    command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes
    restart: on-failure

  kratos:
    depends_on:
      - kratos-migrate
    image: oryd/kratos:v25.4.0
    ports:
      - '4433:4433' # public
      - '4434:4434' # admin
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
      - LOG_LEVEL=trace
    command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
    volumes:
      - type: volume
        source: kratos-sqlite
        target: /var/lib/sqlite
      - type: bind
        source: ./contrib/quickstart/kratos/email-password
        target: /etc/config/kratos

  mailslurper:
    image: oryd/mailslurper:latest-smtps
    ports:
      - '4436:4436'
      - '4437:4437'

Other quickstart variants

Ory Kratos includes several quickstart configurations for different use cases:

PostgreSQL

docker-compose \
  -f quickstart.yml \
  -f quickstart-postgres.yml \
  up
Production-ready PostgreSQL database

MySQL

docker-compose \
  -f quickstart.yml \
  -f quickstart-mysql.yml \
  up
MySQL 8.0 database backend

CockroachDB

docker-compose \
  -f quickstart.yml \
  -f quickstart-crdb.yml \
  up
Distributed SQL database

WebAuthn

docker-compose \
  -f quickstart.yml \
  -f quickstart-webauthn.yml \
  up
Passkey and biometric authentication

Exploring the Admin API

The Admin API runs on port 4434 and provides full identity management capabilities:

List all identities

curl http://127.0.0.1:4434/admin/identities

Get a specific identity

curl http://127.0.0.1:4434/admin/identities/{identity-id}

Update an identity

curl -X PUT http://127.0.0.1:4434/admin/identities/{identity-id} \
  -H "Content-Type: application/json" \
  -d '{
    "schema_id": "default",
    "traits": {
      "email": "updated@example.com",
      "name": {
        "first": "Jane",
        "last": "Smith"
      }
    }
  }'

Delete an identity

curl -X DELETE http://127.0.0.1:4434/admin/identities/{identity-id}

Cleanup

To stop all services and remove containers: 
docker-compose -f quickstart.yml down
To also remove volumes (this deletes all data): 
docker-compose -f quickstart.yml down -v

Next steps

Installation

Install Kratos for production use

Configuration

Customize authentication methods and flows

Identity schemas

Define custom identity attributes

Self-service flows

Understand login, registration, and recovery
This quickstart uses --dev mode which disables critical security features. Never use development mode in production.

Build docs developers (and LLMs) love

Get started for freeTalk to us