Skills · April 16, 2026 · 1 min read

Ory Kratos — Cloud-Native Identity and User Management

Ory Kratos is a headless, API-first identity server that handles registration, login, MFA, account recovery, and profile management without bundling a UI, so you keep full control over the user experience.

Agent-ready

Review before installing

This asset requires review first. The copied instruction asks the Agent to dry-run and list the items it will write, then continue only after confirmation.

Needs Confirmation · 64/100 · Policy: confirmation required
Agent entry point: any MCP/CLI Agent
Type: Skill
Install: Single
Trust level: Established
Entry: Ory Kratos Overview
Review the command first
npx -y tokrepo@latest install dcb25a5e-3942-11f1-9bc6-00163e2b0d79 --target codex

Dry-run first; run this command only after confirming the items it writes.

TL;DR
Ory Kratos is a headless identity server that handles registration, login, MFA, and account recovery via APIs, letting you own the entire user experience.
§01

What it is

Ory Kratos is a headless, API-first identity and user management server. It handles registration, login, multi-factor authentication, account recovery, profile management, and session handling without bundling a UI. You build your own frontend and call Kratos APIs, keeping full control over the user experience.

Kratos is used by platform engineers, security teams, and backend developers who need production-grade identity management without vendor lock-in. It is part of the Ory ecosystem alongside Hydra (OAuth2), Oathkeeper (API gateway), and Keto (permissions).

§02

How it saves time or tokens

Kratos handles the security-critical parts of identity (password hashing, session tokens, CSRF protection, account enumeration prevention) so developers do not build and maintain these themselves. The self-service flow system covers registration, login, settings, recovery, and verification with configurable identity schemas, reducing custom code.

§03

How to use

  1. Run Kratos with Docker:
docker run --rm -p 4433:4433 -p 4434:4434 \
  -e DSN=memory \
  oryd/kratos:latest serve --dev
  2. Access the public API at http://localhost:4433 and the admin API at http://localhost:4434.
  3. Initiate a registration flow:
curl -s http://localhost:4433/self-service/registration/api | python3 -m json.tool
§04

Example

#!/usr/bin/env bash
set -euo pipefail

# Create a registration flow (the /api variant is for non-browser clients)
FLOW=$(curl -s http://localhost:4433/self-service/registration/api)
# Extract the submit URL (ui.action) from the flow JSON; quote $FLOW so the shell does not word-split it
ACTION=$(printf '%s' "$FLOW" | python3 -c "import sys,json; print(json.load(sys.stdin)['ui']['action'])")

# Submit registration with the password method
curl -X POST "$ACTION" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{
    "method": "password",
    "traits": {"email": "user@example.com"},
    "password": "secure-password-123"
  }'
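The same registration flow carried end to end in Python, as an added example that is not code from this page or from Ory: it creates the API flow, checks that the returned `ui.action` points back at the Kratos host before posting credentials to it, surfaces the validation messages Kratos attaches to the flow on a 400, and then confirms the new session with `GET /sessions/whoami`. It assumes the public API at http://localhost:4433 as on this page, and additionally assumes that the registration flow has the `session` after-hook enabled so the submit response carries `session_token`; without that hook the response holds only `identity` and the client logs in separately. The transport abstraction and the `register_and_verify` helper are this example's own design, not a Kratos SDK API.

```python
"""Added example: Kratos API-flow registration plus session check.

Assumptions (not from the page): the `session` after-hook is enabled for
registration, so a successful POST returns `session_token`.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

PUBLIC_URL = "http://localhost:4433"  # public API, as on this page
JSON_HEADERS = {"Content-Type": "application/json", "Accept": "application/json"}

# A transport is (method, url, headers, body) -> (status, decoded JSON).
# Hiding HTTP behind this signature lets the flow logic run against a fake
# server in tests and against a real Kratos through http_transport().
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, dict]]


def http_transport(method: str, url: str, headers: dict, body: Optional[bytes]) -> Tuple[int, dict]:
    """Real transport using only the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        # Kratos returns the flow (with error messages) in the body of a 4xx, so decode it too.
        return err.code, json.load(err)


def create_registration_flow(transport: Transport) -> dict:
    """Step 3 of the page: GET /self-service/registration/api returns a fresh flow."""
    status, flow = transport("GET", PUBLIC_URL + "/self-service/registration/api",
                             {"Accept": "application/json"}, None)
    if status != 200:
        raise RuntimeError(f"could not create registration flow: HTTP {status}")
    return flow


def flow_action(flow: dict) -> str:
    """Return ui.action, refusing to POST credentials anywhere but our Kratos host."""
    action = flow["ui"]["action"]
    if not action.startswith(PUBLIC_URL + "/"):
        raise ValueError(f"flow action points outside Kratos: {action}")
    return action


def collect_errors(flow: dict) -> list:
    """Gather error-type messages from a flow, both top-level and per input node."""
    ui = flow.get("ui", {})
    errors = [m["text"] for m in ui.get("messages", []) if m.get("type") == "error"]
    for node in ui.get("nodes", []):
        errors += [m["text"] for m in node.get("messages", []) if m.get("type") == "error"]
    return errors


def register_and_verify(transport: Transport, email: str, password: str) -> dict:
    """Run the password registration, then validate the returned session via whoami."""
    flow = create_registration_flow(transport)
    payload = {"method": "password", "traits": {"email": email}, "password": password}
    status, body = transport("POST", flow_action(flow), JSON_HEADERS, json.dumps(payload).encode())
    if status != 200:
        # 400 carries the flow back with messages; 410 means the flow expired.
        return {"ok": False, "errors": collect_errors(body) or [f"HTTP {status}"]}
    result = {"ok": True, "identity_id": body["identity"]["id"], "session_active": False}
    token = body.get("session_token")
    if token:
        # For API flows, whoami accepts the token in the X-Session-Token header.
        status, session = transport("GET", PUBLIC_URL + "/sessions/whoami",
                                    {"X-Session-Token": token, "Accept": "application/json"}, None)
        result["session_active"] = status == 200 and bool(session.get("active"))
    return result


if __name__ == "__main__":
    print(register_and_verify(http_transport, "user@example.com", "secure-password-123"))
```

Run it against the Docker container from the How to use section; a weak password comes back as `{"ok": False, "errors": [...]}` with the text Kratos put on the password node rather than as an exception, and a successful registration reports whether the session token it returned actually validates.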
§05

Common pitfalls

  • Kratos is headless, meaning you must build your own login/registration UI. If you want a pre-built UI, check the Ory Account Experience or use the community reference implementations.
  • Running Kratos with the --dev flag in production. Dev mode disables security features such as CSRF protection and cookie security. Always use a proper configuration for production deployments.
  • Confusing Kratos (identity) with Hydra (OAuth2). Kratos manages users and sessions; Hydra provides OAuth2/OIDC flows. They are separate services that work together.

FAQ

What is the difference between Ory Kratos and Auth0?

Kratos is self-hosted and open source. Auth0 is a managed SaaS service. Kratos gives you full control over data and UI but requires you to host and operate it. Auth0 handles operations for you but introduces vendor lock-in and per-user pricing.

Does Kratos support social login?

Yes. Kratos supports social login via OIDC providers including Google, GitHub, Apple, Microsoft, and any standard OIDC-compliant provider. Configure social providers in the Kratos configuration file and they appear as login options in your self-service flows.

How does Kratos handle multi-factor authentication?

Kratos supports TOTP (authenticator apps), WebAuthn (hardware keys and biometrics), and lookup secrets (recovery codes) as second factors. MFA is configured per identity schema and enforced during the login flow. You can require MFA for all users or make it optional.

Can Kratos scale horizontally?

Yes. Kratos is stateless and stores all data in a database (PostgreSQL, MySQL, CockroachDB, or SQLite). You can run multiple Kratos instances behind a load balancer. Session validation is database-backed, so any instance can validate any session.

What databases does Kratos support?

Kratos supports PostgreSQL, MySQL, CockroachDB, and SQLite. PostgreSQL is recommended for production deployments. SQLite is suitable for development and testing. The 'memory' DSN runs an in-memory database for quick experimentation.
