Scripts · Apr 16, 2026 · 3 min read

Ory Kratos — Cloud-Native Identity and User Management

Ory Kratos is a headless, API-first identity server that handles registration, login, MFA, account recovery, and profile management without bundling a UI, so you keep full control over the user experience.

TL;DR
Ory Kratos is a headless identity server that handles registration, login, MFA, and account recovery via APIs, letting you own the entire user experience.
§01

What it is

Ory Kratos is a headless, API-first identity and user management server. It handles registration, login, multi-factor authentication, account recovery, profile management, and session handling without bundling a UI. You build your own frontend and call Kratos APIs, keeping full control over the user experience.

Kratos is used by platform engineers, security teams, and backend developers who need production-grade identity management without vendor lock-in. It is part of the Ory ecosystem alongside Hydra (OAuth2), Oathkeeper (API gateway), and Keto (permissions).

§02

How it saves time or tokens

Kratos handles the security-critical parts of identity (password hashing, session tokens, CSRF protection, account enumeration prevention) so developers do not build and maintain these themselves. The self-service flow system covers registration, login, settings, recovery, and verification with configurable identity schemas, reducing custom code.

§03

How to use

  1. Run Kratos with Docker:
     docker run --rm -p 4433:4433 -p 4434:4434 \
       -e DSN=memory \
       oryd/kratos:latest serve --dev
  2. Access the public API at http://localhost:4433 and the admin API at http://localhost:4434.
  3. Initiate a registration flow:
     curl -s http://localhost:4433/self-service/registration/api | python3 -m json.tool
§04

Example

# Create a registration flow (an API flow, so no cookies or CSRF token are involved)
FLOW=$(curl -s http://localhost:4433/self-service/registration/api)
# Extract the submit URL; quote the variable so the JSON reaches python3 intact
ACTION=$(echo "$FLOW" | python3 -c "import sys,json; print(json.load(sys.stdin)['ui']['action'])")

# Submit registration with the password method
curl -X POST "$ACTION" \
  -H 'Content-Type: application/json' \
  -d '{
    "method": "password",
    "traits": {"email": "user@example.com"},
    "password": "secure-password-123"
  }'
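The flow JSON returned by the first curl call is what drives the submission step. As an added example (not part of this page or of the Kratos project), the Python below parses a constructed flow of that shape, checks its expiry, and assembles the password-method body, echoing the hidden csrf_token node that browser flows carry and API flows do not. The flow id, action URL and token value are made-up placeholders.

```python
from typing import Optional
from datetime import datetime, timezone

# Constructed sample shaped like a Kratos browser registration flow; the id,
# action URL and csrf_token value are made-up placeholders.
SAMPLE_BROWSER_FLOW = {
    "id": "00000000-0000-0000-0000-000000000001",
    "type": "browser",
    "expires_at": "2099-01-01T00:00:00Z",
    "ui": {
        "action": "http://localhost:4433/self-service/registration?flow=00000000-0000-0000-0000-000000000001",
        "method": "POST",
        "nodes": [
            {"type": "input", "group": "default",
             "attributes": {"name": "csrf_token", "type": "hidden", "value": "SAMPLE_CSRF_TOKEN"}},
            {"type": "input", "group": "password",
             "attributes": {"name": "traits.email", "type": "email", "required": True}},
            {"type": "input", "group": "password",
             "attributes": {"name": "password", "type": "password", "required": True}},
            {"type": "input", "group": "password",
             "attributes": {"name": "method", "type": "submit", "value": "password"}},
        ],
    },
}


def flow_is_live(flow: dict, now: Optional[datetime] = None) -> bool:
    """Flows expire; an expired flow must be re-initialised rather than resubmitted."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromisoformat(flow["expires_at"].replace("Z", "+00:00"))
    return now < expires


def build_password_submission(flow: dict, email: str, password: str) -> tuple:
    """Return (action_url, body); browser flows must echo the hidden csrf_token, API flows have none."""
    if not flow_is_live(flow):
        raise ValueError("flow expired; start a new one")
    body = {"method": "password", "traits": {"email": email}, "password": password}
    # Collect hidden input nodes by name; Kratos places the CSRF token here for browser flows.
    hidden = {n["attributes"]["name"]: n["attributes"].get("value")
              for n in flow["ui"]["nodes"]
              if n["type"] == "input" and n["attributes"].get("type") == "hidden"}
    if flow["type"] == "browser":
        if not hidden.get("csrf_token"):
            raise ValueError("browser flow is missing its csrf_token node")
        body["csrf_token"] = hidden["csrf_token"]
    return flow["ui"]["action"], body
```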
§06

Common pitfalls

  • Kratos is headless, meaning you must build your own login/registration UI. If you want a pre-built UI, check the Ory Account Experience or use the community reference implementations.
  • Running Kratos with the --dev flag in production. Dev mode disables security features such as CSRF protection and secure cookie settings. Always use a proper configuration for production deployments.
  • Confusing Kratos (identity) with Hydra (OAuth2). Kratos manages users and sessions. Hydra provides OAuth2/OIDC flows. They are separate services that work together.

Frequently Asked Questions

What is the difference between Ory Kratos and Auth0?

Kratos is self-hosted and open source. Auth0 is a managed SaaS service. Kratos gives you full control over data and UI but requires you to host and operate it. Auth0 handles operations for you but introduces vendor lock-in and per-user pricing.

Does Kratos support social login?

Yes. Kratos supports social login via OIDC providers including Google, GitHub, Apple, Microsoft, and any standard OIDC-compliant provider. Configure social providers in the Kratos configuration file and they appear as login options in your self-service flows.

How does Kratos handle multi-factor authentication?

Kratos supports TOTP (authenticator apps), WebAuthn (hardware keys and biometrics), and lookup secrets (recovery codes) as second factors. MFA is configured per identity schema and enforced during the login flow. You can require MFA for all users or make it optional.

Can Kratos scale horizontally?

Yes. Kratos is stateless and stores all data in a database (PostgreSQL, MySQL, CockroachDB, or SQLite). You can run multiple Kratos instances behind a load balancer. Session validation is database-backed, so any instance can validate any session.

What databases does Kratos support?

Kratos supports PostgreSQL, MySQL, CockroachDB, and SQLite. PostgreSQL is recommended for production deployments. SQLite is suitable for development and testing. The 'memory' DSN runs an in-memory database for quick experimentation.
