Getting started with Ory requires understanding which components address your specific identity needs. Kratos handles user registration, login, account recovery, and profile management through headless APIs. Hydra implements OAuth2 and OIDC as a standalone authorization server. Oathkeeper provides identity-aware API gateway authorization. Keto implements Zanzibar-style fine-grained permissions. This modularity is both Ory's strength and its learning curve.
Kratos provides user identity management through a self-service API that applications consume to build custom authentication interfaces. Identity schemas define what attributes users have, and self-service flows handle registration, login, settings, recovery, and verification through browser and API interactions. The headless approach means teams build their own UI, gaining complete design control but accepting the frontend development investment.
Hydra is the most mature Ory component and the one that has earned the strongest enterprise validation. As a certified OAuth2 and OIDC provider used by OpenAI, Hydra proves that Ory's architecture scales to the most demanding authentication workloads. The separation of the authorization server from the identity management layer is architecturally elegant, allowing Hydra to delegate authentication to Kratos or any existing identity system.
Keto implements Google's Zanzibar paper for relationship-based access control, enabling permission models where access is determined by relationships between entities rather than static roles. This approach powers the permission systems behind Google Drive and GitHub, and Keto makes it available as an open-source service. Defining permissions as relationships rather than roles enables more natural modeling of complex authorization requirements.
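The relationship model described above, as an added Go sketch that is not Keto's code or API: access is decided by walking relation tuples, where a subject can be a user or a subject set such as `group:eng#member`. The types, function names and tuples are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple: Subject holds Relation on Object. Subject is a plain ID
// ("user:alice") or a subject set ("group:eng#member").
type Tuple struct{ Object, Relation, Subject string }

// Store indexes subjects by "object#relation".
type Store map[string][]string

// sampleStore returns constructed tuples, including a group membership cycle.
func sampleStore() Store {
	s := Store{}
	for _, t := range []Tuple{
		{"doc:roadmap", "viewer", "group:eng#member"},
		{"doc:roadmap", "owner", "user:carol"}, // owner does not imply viewer here
		{"group:eng", "member", "user:alice"},
		{"group:eng", "member", "group:sre#member"},
		{"group:sre", "member", "user:bob"},
		{"group:sre", "member", "group:eng#member"}, // cycle back to eng
	} {
		k := t.Object + "#" + t.Relation
		s[k] = append(s[k], t.Subject)
	}
	return s
}

// Check reports whether subject holds relation on object, expanding subject
// sets up to maxDepth hops. Running out of depth denies (fail closed), which
// also bounds traversal of cyclic graphs.
func (s Store) Check(object, relation, subject string, maxDepth int) bool {
	if maxDepth <= 0 {
		return false
	}
	for _, sub := range s[object+"#"+relation] {
		if sub == subject {
			return true
		}
		if obj, rel, ok := strings.Cut(sub, "#"); ok && s.Check(obj, rel, subject, maxDepth-1) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(sampleStore().Check("doc:roadmap", "viewer", "user:bob", 5)) // true, via eng -> sre
}
```

No role is assigned to `user:bob` anywhere; his access follows from group membership, and removing the single `group:eng#member` tuple on the document revokes it for everyone in both groups.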
The Go-based codebase across all components provides excellent performance with minimal resource consumption. Each service starts quickly, handles concurrent requests efficiently, and runs comfortably on modest infrastructure. This efficiency makes Ory suitable for edge deployments and cost-conscious organizations that cannot justify the resource requirements of heavier identity platforms.
Ory Network provides a managed cloud deployment for teams that want the modular architecture without operational overhead. The managed service runs all components as a unified platform with automatic scaling, managed databases, and SLA guarantees. For teams evaluating Ory, the cloud option provides the fastest path to understanding whether the architecture fits their needs before committing to self-hosted operations.
Documentation quality is excellent across all components with comprehensive API references, configuration guides, and conceptual explanations. The documentation acknowledges the complexity of the modular approach and provides clear guidance on which components to deploy for common scenarios. The community forum and GitHub Discussions offer responsive support from both maintainers and experienced users.