Scripts · Apr 16, 2026 · 3 min read

Ory Kratos — Cloud-Native Identity and User Management

Ory Kratos is a headless, API-first identity server that handles registration, login, MFA, account recovery, and profile management without bundling a UI, so you keep full control over the user experience.

Introduction

Ory Kratos is a developer-friendly identity server written in Go. It manages user accounts, authentication methods, and self-service flows (registration, login, recovery, verification) through a pure API. You build your own login and registration pages while Kratos handles the security-critical backend logic, including password hashing, TOTP, WebAuthn, and social sign-in.

What Ory Kratos Does

  • Manages user identities with customizable JSON Schema-based identity traits
  • Provides self-service flows for registration, login, settings, recovery, and verification
  • Supports password, TOTP, WebAuthn/passkeys, and OIDC social sign-in methods
  • Sends verification and recovery emails via configurable SMTP or HTTP webhooks
  • Exposes admin APIs for user import, bulk operations, and identity management

Architecture Overview

Kratos exposes two servers: a public API (port 4433) for end-user self-service flows and an admin API (port 4434) for back-office operations. Identity schemas are defined in JSON Schema format, letting you customize which fields each user has. Flows are state machines — each self-service action creates a flow object with a unique ID and expiration. Your UI fetches the flow, renders the form fields, and submits back to Kratos. Session tokens or cookies are issued upon successful authentication.
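The fetch-render-submit loop described above, as an added example that is not Ory's code: a small client for an API-type login flow run against a constructed in-memory stand-in for the public API, so it works offline. The flow ids, the CSRF value, the session token, the user and the error ids in the stand-in are all made up for the example; only the two endpoint paths, the flow object's shape (id, expires_at, ui.action, ui.nodes) and the 410 on an expired flow mirror how Kratos behaves.

```python
"""Minimal client for a Kratos API-type login flow (added example, not Ory's
code). FakeKratos is a constructed stand-in for the public API on port 4433;
flow ids, CSRF value, session token and user data are made up."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

PUBLIC_URL = "http://127.0.0.1:4433"      # assumed local Kratos public API
FLOW_TTL = timedelta(minutes=30)


def _node(name, kind, value=None, required=True):
    """One entry of flow.ui.nodes in the shape Kratos emits for input fields."""
    attrs = {"name": name, "type": kind, "required": required, "node_type": "input"}
    if value is not None:
        attrs["value"] = value
    group = "default" if name == "csrf_token" else "password"
    return {"type": "input", "group": group, "attributes": attrs, "messages": []}


class FakeKratos:
    """Stand-in for the two public endpoints a password login needs.
    Error ids marked 'constructed_' are invented for this example."""

    def __init__(self, users, now=None):
        self.users = users   # identifier -> password, constructed test data
        self.now = now or datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)
        self.flows = {}

    def advance(self, minutes):
        """Move the injectable clock forward so flow expiry can be exercised."""
        self.now += timedelta(minutes=minutes)
        return self.now

    def _new_flow(self):
        fid = f"flow-{len(self.flows) + 1}"
        flow = {
            "id": fid, "type": "api",
            "issued_at": self.now.isoformat(),
            "expires_at": (self.now + FLOW_TTL).isoformat(),
            "ui": {
                "action": f"{PUBLIC_URL}/self-service/login?flow={fid}",
                "method": "POST",
                "nodes": [
                    _node("csrf_token", "hidden", value="csrf-example"),
                    _node("identifier", "text"),
                    _node("password", "password"),
                    _node("method", "submit", value="password", required=False),
                ],
            },
        }
        self.flows[fid] = flow
        return flow

    def request(self, method, url, body=None):
        body = body or {}
        u = urlparse(url)
        if method == "GET" and u.path == "/self-service/login/api":
            return 200, self._new_flow()
        if method == "POST" and u.path == "/self-service/login":
            flow = self.flows.get(parse_qs(u.query).get("flow", [""])[0])
            if flow is None:
                return 404, {"error": {"id": "constructed_flow_not_found"}}
            if flow_expired(flow, self.now):          # dead flow id: 410 Gone
                return 410, {"error": {"id": "self_service_flow_expired"}}
            if body.get("csrf_token") != "csrf-example":
                return 403, {"error": {"id": "constructed_csrf_violation"}}
            if self.users.get(body.get("identifier")) != body.get("password"):
                return 400, {"ui": {"messages": [{"type": "error",
                                                  "text": "invalid credentials"}]}}
            return 200, {"session_token": "ory_st_example",
                         "session": {"identity": {"traits": {"email": body["identifier"]}}}}
        return 404, {"error": {"id": "constructed_not_found"}}


# --- the client side: what your own UI does with the flow object ------------

def flow_expired(flow, now):
    return now >= datetime.fromisoformat(flow["expires_at"])


def form_from_flow(flow):
    """Echo back every input node that already carries a value. That is how
    csrf_token (and the default method) travel from Kratos to the form and
    back; a UI must neither hard-code nor drop them."""
    body = {}
    for node in flow["ui"]["nodes"]:
        attrs = node["attributes"]
        if node["type"] == "input" and "value" in attrs:
            body[attrs["name"]] = attrs["value"]
    return body


def start_login(api):
    status, flow = api.request("GET", f"{PUBLIC_URL}/self-service/login/api")
    if status != 200:
        raise RuntimeError(f"could not create login flow: {status}")
    return flow


def submit_password(api, flow, identifier, password, now):
    """Fill the password method and POST to flow.ui.action. A flow that
    expired while the user was typing is replaced, not resubmitted."""
    if flow_expired(flow, now):
        flow = start_login(api)
    body = form_from_flow(flow)
    body.update({"method": "password", "identifier": identifier, "password": password})
    status, resp = api.request(flow["ui"]["method"], flow["ui"]["action"], body)
    return status, resp, flow["id"]


if __name__ == "__main__":
    kratos = FakeKratos({"alice@example.com": "correct-horse"})
    flow = start_login(kratos)
    print(submit_password(kratos, flow, "alice@example.com", "correct-horse", kratos.now)[:2])
```

The two points a real UI gets wrong most often are visible here: the form body is built from the nodes Kratos returned rather than from a hard-coded field list, and an expired flow id is abandoned for a fresh one instead of being retried. A browser-type flow differs only in transport (the CSRF token and the session travel in cookies rather than the JSON body and a session_token).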

Self-Hosting & Configuration

  • Deploy with Docker oryd/kratos:v1 or download the Go binary from releases
  • Configure kratos.yml with DSN (PostgreSQL, MySQL, SQLite, or CockroachDB)
  • Define identity schemas as JSON Schema files and reference them in config
  • Set up SMTP courier for email verification and account recovery
  • Use kratos migrate sql to apply database migrations before first start
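For the "define identity schemas" step, here is an added example (not Ory's code) of what such a schema contains and what its Kratos-specific annotations mean. The schema $id, trait names and payloads are constructed. Kratos validates traits with a full JSON Schema engine; the checker below is a minimal stand-in that covers only the keywords this schema uses (type, required, format=email, additionalProperties), so you can see what each of them rejects.

```python
"""Kratos identity schema plus a small trait checker (added example, not
Ory's code). $id, trait names and payloads are constructed; the checker
handles only the JSON Schema keywords this schema uses."""
import re

IDENTITY_SCHEMA = {
    "$id": "https://example.com/schemas/customer.schema.json",  # hypothetical
    "$schema": "http://json-schema.org/draft-07/schema#",
    "title": "Customer",
    "type": "object",
    "properties": {
        "traits": {
            "type": "object",
            "properties": {
                "email": {
                    "type": "string",
                    "format": "email",
                    "title": "E-Mail",
                    # Kratos-specific annotations: which trait is the login
                    # identifier, and which address receives verification
                    # and recovery mail.
                    "ory.sh/kratos": {
                        "credentials": {"password": {"identifier": True},
                                        "webauthn": {"identifier": True}},
                        "verification": {"via": "email"},
                        "recovery": {"via": "email"},
                    },
                },
                "name": {
                    "type": "object",
                    "properties": {"first": {"type": "string"},
                                   "last": {"type": "string"}},
                },
            },
            "required": ["email"],
            # Reject traits the schema does not list, so a self-service
            # client cannot smuggle in fields such as "role".
            "additionalProperties": False,
        }
    },
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
TYPES = {"string": str, "object": dict}


def kratos_annotations(schema):
    """Collect the ory.sh/kratos extension from every trait, keyed by path."""
    out = {"identifiers": {}, "verification": [], "recovery": []}

    def walk(node, path):
        ext = node.get("ory.sh/kratos", {})
        methods = [m for m, c in ext.get("credentials", {}).items() if c.get("identifier")]
        if methods:
            out["identifiers"][path] = methods
        if "verification" in ext:
            out["verification"].append(path)
        if "recovery" in ext:
            out["recovery"].append(path)
        for name, child in node.get("properties", {}).items():
            walk(child, f"{path}.{name}")

    walk(schema["properties"]["traits"], "traits")
    return out


def validate_traits(schema, traits):
    """Return 'path: problem' strings; an empty list means the traits conform."""
    errors = []

    def check(node, value, path):
        expected = TYPES.get(node.get("type"))
        if expected is not None and not isinstance(value, expected):
            errors.append(f"{path}: expected {node['type']}")
            return
        if node.get("format") == "email" and not EMAIL_RE.match(value):
            errors.append(f"{path}: not an email address")
        if node.get("type") == "object":
            props = node.get("properties", {})
            for req in node.get("required", []):
                if req not in value:
                    errors.append(f"{path}.{req}: required")
            for name, child in value.items():
                if name in props:
                    check(props[name], child, f"{path}.{name}")
                elif node.get("additionalProperties") is False:
                    errors.append(f"{path}.{name}: not allowed by schema")

    check(schema["properties"]["traits"], traits, "traits")
    return errors


if __name__ == "__main__":
    print(kratos_annotations(IDENTITY_SCHEMA))
    print(validate_traits(IDENTITY_SCHEMA, {"name": {"first": 1}, "role": "admin"}))
```

Save the schema as a file, reference it from kratos.yml under identity.schemas with a file:// URL, and keep traits limited to what the user may edit about themselves: anything the application decides (plan, tenant, role) belongs in the identity's admin-managed metadata, which self-service flows cannot write.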

Key Features

  • Passwordless login via WebAuthn, passkeys, and magic links
  • Multi-factor authentication with TOTP and lookup secrets out of the box
  • Social sign-in with any OpenID Connect or OAuth2 provider
  • Webhook integrations for triggering actions on registration, login, and profile updates
  • Account enumeration protection and breached-password detection via the HaveIBeenPwned API

Comparison with Similar Tools

  • Keycloak — monolithic Java server with built-in UI; Kratos is headless and lighter
  • Auth0 — managed SaaS with rich SDKs but proprietary and usage-based pricing
  • Firebase Auth — Google-managed, limited customization of flows and identity schema
  • SuperTokens — similar headless approach but less mature identity schema customization
  • FusionAuth — feature-rich but requires a commercial license for advanced features

FAQ

Q: Can I use Kratos without Ory Hydra? A: Yes. Kratos handles identity management independently. Add Hydra only when you need OAuth2/OIDC token issuance.

Q: How do I customize the identity fields? A: Define a JSON Schema with your desired traits (email, name, phone, etc.) and reference it in kratos.yml.

Q: Does Kratos support social login with Google and GitHub? A: Yes. Configure OIDC providers in the selfservice.methods.oidc section of kratos.yml with client ID and secret.

Q: Is Kratos suitable for B2B multi-tenant applications? A: Yes. You can model tenants as identity metadata or combine Kratos with Ory Keto for fine-grained permission checks.
