aicoolies logo

Ory Review: Modular Identity Infrastructure With Kratos, Hydra, and Keto

Ory's modular approach to identity decomposes authentication into independent microservices that teams adopt individually or combine into a complete identity platform. With Kratos for user management, Hydra for OAuth2, Oathkeeper for API authorization, and Keto for permissions, its component model includes Hydra, whose current GitHub description says it is trusted by OpenAI and others for scale and security. The API-first, headless design gives teams complete UI control at the cost of frontend development effort.

Reviewed by Raşit Akyol on April 3, 2026

Share
Overall
85
Speed
91
Privacy
93
Dev Experience
78

What Ory Does

Getting started with Ory requires understanding which components address your specific identity needs. Kratos handles user registration, login, account recovery, and profile management through headless APIs. Hydra implements OAuth2 and OIDC as a standalone authorization server. Oathkeeper provides identity-aware API gateway authorization. Keto implements Zanzibar-style fine-grained permissions. This modular clarity is Ory's strength and learning curve simultaneously.

Kratos Identity and Hydra OAuth

Kratos provides user identity management through a self-service API that applications consume to build custom authentication interfaces. Identity schemas define what attributes users have, and self-service flows handle registration, login, settings, recovery, and verification through browser and API interactions. The headless approach means teams build their own UI, gaining complete design control but accepting the frontend development investment.

Hydra is the most mature Ory component and the one that has earned the strongest enterprise validation. As an OpenID Certified OAuth2.1/OIDC provider whose current source copy says it is trusted by OpenAI and others, Hydra remains the Ory component with the clearest high-scale public validation. The separation of the authorization server from the identity management layer is architecturally elegant, allowing Hydra to delegate authentication to Kratos or any existing identity system.

Keto Authorization and Performance

Keto implements Google's Zanzibar paper for relationship-based access control, enabling permission models where access is determined by relationships between entities rather than static roles. This approach powers the permission systems behind Google Drive and GitHub, and Keto makes it available as an open-source service. Defining permissions as relationships rather than roles enables more natural modeling of complex authorization requirements.

The Go-based codebase across all components provides excellent performance with minimal resource consumption. Each service starts quickly, handles concurrent requests efficiently, and runs comfortably on modest infrastructure. This efficiency makes Ory suitable for edge deployments and cost-conscious organizations that cannot justify the resource requirements of heavier identity platforms.

Ory Network and Documentation

Ory Network provides a managed cloud deployment for teams that want the modular architecture without operational overhead. The managed service runs all components as a unified platform with automatic scaling, managed databases, and SLA guarantees. For teams evaluating Ory, the cloud option provides the fastest path to understanding whether the architecture fits their needs before committing to self-hosted operations.

Documentation quality is excellent across all components with comprehensive API references, configuration guides, and conceptual explanations. The documentation acknowledges the complexity of the modular approach and provides clear guidance on which components to deploy for common scenarios. The community forum and GitHub Discussions offer responsive support from both maintainers and experienced users.

Integration Patterns and Areas for Improvement

Integration patterns require more engineering effort than monolithic identity platforms. Connecting Kratos, Hydra, and Oathkeeper into a complete authentication flow requires understanding how tokens, sessions, and identities flow between components. While documentation covers these patterns, the integration work is non-trivial and represents a real investment that teams should plan for.

Areas for improvement include the learning curve for teams without identity infrastructure experience, the frontend development requirement for all user-facing authentication interfaces, and the operational complexity of managing multiple services with their own databases and configurations. The modular architecture that provides flexibility also introduces coordination overhead.

The Bottom Line

The open-source licensing under Apache 2.0 ensures that all components remain freely available without usage restrictions. Ory's business model relies on Ory Network cloud revenue rather than open-core limitations, meaning the self-hosted components do not have artificial feature gates that push teams toward paid plans.

Pros

  • Modular architecture lets teams adopt individual components like Hydra or Kratos independently
  • Hydra is an OpenID Certified OAuth2.1/OIDC provider whose current source copy says it is trusted by OpenAI and others
  • Keto implements Google Zanzibar relationship-based access control as an open-source service
  • Go-based services provide excellent performance with minimal resource consumption across components
  • API-first headless design gives teams complete control over authentication UI and user experience
  • Core OSS components checked in this pass are Apache-2.0; Ory Network packages managed SaaS plans separately
  • Ory Network managed cloud provides a path to evaluate the architecture without operational commitment

Cons

  • Modular architecture requires understanding how components interact and investing in integration work
  • Headless API-first design requires frontend development for all user-facing authentication interfaces
  • Operating multiple services with separate databases adds coordination overhead versus monolithic platforms
  • Learning curve is steep for teams without prior identity infrastructure or OAuth2 specification experience
  • Community is smaller than Keycloak's, with fewer pre-built integrations and third-party resources

Verdict

Ory provides the most architecturally principled approach to identity infrastructure in the open-source ecosystem. The modular design enables teams to adopt exactly the capabilities they need without deploying unused components, and the Go-based implementation delivers excellent performance. Organizations with engineering capacity to invest in frontend development and service integration will find Ory's approach rewarding. Hydra's OpenAI reference and the Apache-2.0 licensing on the checked OSS components provide useful confidence signals, while Ory Network pricing should be evaluated as a separate managed SaaS surface.

View Ory on aicoolies

Pricing, platforms, and community stacks — explore the full tool page

Alternatives to Ory