# Ory Kratos — Cloud-Native Identity and User Management

> Ory Kratos is a headless, API-first identity server that handles registration, login, MFA, account recovery, and profile management without bundling a UI, so you keep full control over the user experience.

## Quick Use

```bash
# Run Kratos in dev mode with an in-memory database. Mount your kratos.yml at the
# path passed to --config. Port 4434 is the admin API: outside a dev box, bind it
# to localhost or an internal network only.
docker run --rm -p 4433:4433 -p 4434:4434 \
  -v "$(pwd)/kratos.yml:/etc/config/kratos.yml:ro" \
  -e DSN=memory \
  oryd/kratos:v1 serve --dev --config /etc/config/kratos.yml

# Create a registration flow and print the flow object (ui.nodes lists the form fields).
# The /browser endpoint answers a plain request with a redirect to your UI; the /api
# endpoint returns the flow as JSON, which is what jq expects here.
curl -s http://localhost:4433/self-service/registration/api | jq .
```

## Introduction

Ory Kratos is a developer-friendly identity server written in Go. It manages user accounts, authentication methods, and self-service flows (registration, login, recovery, verification) through a pure API. You build your own login and registration pages while Kratos handles the security-critical backend logic, including password hashing, TOTP, WebAuthn, and social sign-in.

## What Ory Kratos Does

- Manages user identities with customizable JSON Schema-based identity traits
- Provides self-service flows for registration, login, settings, recovery, and verification
- Supports password, TOTP, WebAuthn/passkeys, and OIDC social sign-in methods
- Sends verification and recovery emails via configurable SMTP or HTTP webhooks
- Exposes admin APIs for user import, bulk operations, and identity management

## Architecture Overview

Kratos exposes two servers: a public API (port 4433) for end-user self-service flows and an admin API (port 4434) for back-office operations. Identity schemas are defined in JSON Schema format, letting you customize which fields each user has.

Flows are state machines — each self-service action creates a flow object with a unique ID and expiration. Your UI fetches the flow, renders the form fields, and submits back to Kratos. Session tokens or cookies are issued upon successful authentication.
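The fetch-render-submit cycle described above, as an added example that is not code from the Ory project: a small Python helper that takes a Kratos flow object, refuses it once `expires_at` has passed, checks that `ui.action` still points at the Kratos host the flow came from, and turns `ui.nodes` into the payload to post back. The flow document and the `KRATOS_PUBLIC` base URL are constructed for the example.

```python
"""Kratos flow -> form submission. Added example, not Ory code; the flow is constructed."""
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

KRATOS_PUBLIC = "http://localhost:4433"  # assumed public base URL of Kratos
# Constructed sample: a browser-type registration flow offering the password method.
SAMPLE_FLOW = json.loads("""{
  "id": "b7e1c0a2-0000-4000-8000-000000000001",
  "expires_at": "2099-01-01T00:00:00Z",
  "ui": {
    "action": "http://localhost:4433/self-service/registration?flow=b7e1c0a2-0000-4000-8000-000000000001",
    "method": "POST",
    "nodes": [
      {"type": "input", "group": "default",
       "attributes": {"name": "csrf_token", "type": "hidden", "value": "tok-123", "required": true}},
      {"type": "input", "group": "password",
       "attributes": {"name": "traits.email", "type": "email", "required": true}},
      {"type": "input", "group": "password",
       "attributes": {"name": "password", "type": "password", "required": true}},
      {"type": "input", "group": "password",
       "attributes": {"name": "method", "type": "submit", "value": "password"}}
    ]
  }
}""")

def build_submission(flow, method_group, user_input):
    """Return (action_url, payload) for one method group, or raise ValueError."""
    expires = datetime.fromisoformat(flow["expires_at"].replace("Z", "+00:00"))
    if expires <= datetime.now(timezone.utc):
        raise ValueError("flow expired; create a new one")  # Kratos rejects stale flows
    action = flow["ui"]["action"]
    # Only post credentials back to the Kratos host the flow was fetched from.
    if urlparse(action).netloc != urlparse(KRATOS_PUBLIC).netloc:
        raise ValueError("flow action points at an unexpected host")
    payload = {}
    for node in flow["ui"]["nodes"]:
        # Keep the shared ("default") nodes, e.g. csrf_token, plus the chosen method's nodes.
        if node["type"] != "input" or node["group"] not in ("default", method_group):
            continue
        attrs = node["attributes"]
        name = attrs["name"]
        if attrs["type"] in ("hidden", "submit"):
            payload[name] = attrs["value"]  # csrf_token and method are echoed verbatim
        elif name in user_input:
            payload[name] = user_input[name]
        elif attrs.get("required"):
            raise ValueError(f"missing required field {name}")
    return action, payload
```

Post the returned payload to the returned action URL with the flow's `ui.method`; a flow fetched from `/api` has no `csrf_token` node, and the same function handles it.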
## Self-Hosting & Configuration

- Deploy with Docker `oryd/kratos:v1` or download the Go binary from releases
- Configure `kratos.yml` with DSN (PostgreSQL, MySQL, SQLite, or CockroachDB)
- Define identity schemas as JSON Schema files and reference them in config
- Set up SMTP courier for email verification and account recovery
- Use `kratos migrate sql` to apply database migrations before first start

## Key Features

- Passwordless login via WebAuthn, passkeys, and magic links
- Multi-factor authentication with TOTP and lookup secrets out of the box
- Social sign-in with any OpenID Connect or OAuth2 provider
- Webhook integrations for triggering actions on registration, login, and profile updates
- Account enumeration protection and breach-password detection via HaveIBeenPwned API

## Comparison with Similar Tools

- **Keycloak** — monolithic Java server with built-in UI; Kratos is headless and lighter
- **Auth0** — managed SaaS with rich SDKs but proprietary and usage-based pricing
- **Firebase Auth** — Google-managed, limited customization of flows and identity schema
- **SuperTokens** — similar headless approach but less mature identity schema customization
- **FusionAuth** — feature-rich but requires a commercial license for advanced features

## FAQ

**Q: Can I use Kratos without Ory Hydra?**

A: Yes. Kratos handles identity management independently. Add Hydra only when you need OAuth2/OIDC token issuance.

**Q: How do I customize the identity fields?**

A: Define a JSON Schema with your desired traits (email, name, phone, etc.) and reference it in `kratos.yml`.

**Q: Does Kratos support social login with Google and GitHub?**

A: Yes. Configure OIDC providers in the `selfservice.methods.oidc` section of `kratos.yml` with client ID and secret.

**Q: Is Kratos suitable for B2B multi-tenant applications?**

A: Yes. You can model tenants as identity metadata or combine Kratos with Ory Keto for fine-grained permission checks.
## Sources

- https://github.com/ory/kratos
- https://www.ory.sh/docs/kratos/

---

Source: https://tokrepo.com/en/workflows/dcb25a5e-3942-11f1-9bc6-00163e2b0d79
Author: Script Depot