Ory
Cloud-native identity infrastructure - European alternative based in Germany
Quick Overview
| Company | Ory |
|---|---|
| Category | Identity Management |
| Headquarters | Munich, Germany |
| EU/European | Yes - Germany |
| Open Source | Yes |
| GDPR Compliant | Yes |
| Main Features | Identity management, OAuth2, Permissions, Zero-trust, API-first |
| Pricing | Free tier / From €29/month |
| Best For | Developers building modern applications |
| Replaces | Auth0, Firebase Auth |
Detailed Review
Ory is a Munich-based identity infrastructure company that has built one of the most respected open-source identity and access management ecosystems in the world. Founded in 2015, Ory provides a suite of modular, cloud-native services that handle authentication, authorization, OAuth2, OpenID Connect, and permission management for modern applications. The platform is trusted by Fortune 500 companies and has accumulated a massive open-source community, with its GitHub repositories collectively garnering tens of thousands of stars. Ory represents a fundamentally different approach to identity management compared to monolithic solutions like Auth0 and Okta, offering developers granular control over every aspect of the identity stack while maintaining the option to run everything as a fully managed cloud service.
What makes Ory particularly compelling for European organizations is the combination of its German headquarters, open-source transparency, and flexible deployment model. Unlike Auth0 (now owned by Okta, a US company) or Firebase Auth (owned by Google), Ory gives organizations the choice between self-hosting the entire identity stack on their own infrastructure or using the Ory Network managed service with European data residency. This flexibility ensures that identity data, which is among the most sensitive data any application handles, can remain fully under the organization's control and within European jurisdiction, satisfying even the strictest GDPR and data sovereignty requirements.
Ory Kratos: Identity Management
Ory Kratos is the identity management component of the Ory ecosystem, handling user registration, login, account recovery, email and phone verification, and profile management. Unlike traditional identity solutions that provide a pre-built login page, Kratos is headless, meaning it provides APIs that developers use to build their own custom user interfaces. This API-first approach gives development teams complete control over the user experience while Kratos handles the security-critical backend logic including password hashing, session management, and account lifecycle operations.
Kratos supports an impressive range of authentication methods including traditional passwords, social sign-in through providers like Google, GitHub, and Apple, OIDC-based federation, magic links, WebAuthn/passkeys, TOTP (Time-based One-Time Passwords), SMS verification, and SAML integration. Multi-factor authentication can be configured with flexible policies that require additional factors based on risk assessment, user role, or resource sensitivity. The 2025 release (OSS 25.4.0) added SMS login as a standalone authentication method, expanding the options available for mobile-first applications.
Ory Hydra: OAuth2 and OpenID Connect
Ory Hydra is a hardened, OpenID Certified OAuth 2.0 Server and OpenID Connect Provider. It is designed for high throughput and low latency, making it suitable for internet-scale applications that need to handle millions of token requests. Hydra implements the OAuth 2.0 specification comprehensively, including authorization code flow, client credentials flow, refresh tokens, token introspection, and token revocation. The 2025 release introduced the OAuth 2.0 Device Authorization Flow, which enables authentication on devices with limited input capabilities like smart TVs, IoT devices, and CLI tools.
What distinguishes Hydra from most OAuth2 implementations is its separation of concerns. Hydra handles the OAuth2 and OIDC protocol logic but delegates user authentication and consent to external services through well-defined APIs. This means organizations can use Hydra with any existing user management system, whether that is Ory Kratos, a legacy directory service, or a custom identity database. The separation also makes Hydra incredibly flexible for complex enterprise scenarios where OAuth2 needs to integrate with multiple identity providers, legacy systems, and custom consent workflows.
Ory Keto: Permission Management
Ory Keto implements Google's Zanzibar permission model, providing a scalable and flexible system for managing fine-grained permissions and access control. Zanzibar is the permission system that powers Google Drive, Google Docs, and YouTube, and Ory Keto brings this same approach to any application. Rather than using simple role-based access control (RBAC), Keto enables relationship-based access control where permissions are defined as relationships between subjects and objects, supporting complex authorization patterns like "user X can edit document Y because they are a member of team Z which owns the document."
Keto's approach to permissions is particularly powerful for SaaS applications that need multi-tenant authorization, collaborative editing features, or hierarchical organizational structures. The permission checks are designed to be extremely fast, with millisecond-level latency even for complex relationship traversals, making them suitable for inline authorization checks in request processing pipelines. The API supports both check requests (can user X perform action Y on resource Z) and list requests (which resources can user X access), enabling both authorization enforcement and resource discovery.
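The check and list requests described above, as an added example in Go that is not Keto's own code: an in-memory Zanzibar-style relation-tuple store with subject-set expansion, a depth limit and visited set so cyclic tuples cannot hang a check, and a returned chain of relations explaining each grant. The namespaces (docs, teams, groups), subject ids and tuples are constructed for the example; Keto's real API, permission language and storage are not used.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// RelationTuple follows the Zanzibar tuple shape Keto uses:
// namespace:object#relation@subject, where the subject is either a plain
// subject id ("user:alice") or a subject set ("teams:platform#member").
type RelationTuple struct {
	Namespace, Object, Relation, Subject string
}

// Store is an in-memory tuple store, constructed for this example; Keto
// keeps the same kind of tuples in a database.
type Store struct{ tuples []RelationTuple }

func (s *Store) Add(ns, obj, rel, subject string) {
	s.tuples = append(s.tuples, RelationTuple{Namespace: ns, Object: obj, Relation: rel, Subject: subject})
}

// parseSubjectSet splits "ns:obj#rel" into its parts; plain subject ids
// such as "user:alice" carry no '#' and are not subject sets.
func parseSubjectSet(subject string) (ns, obj, rel string, ok bool) {
	hash := strings.Index(subject, "#")
	if hash < 0 {
		return "", "", "", false
	}
	colon := strings.Index(subject[:hash], ":")
	if colon < 0 {
		return "", "", "", false
	}
	return subject[:colon], subject[colon+1:hash], subject[hash+1:], true
}

const maxDepth = 16 // bound on subject-set expansion, as Zanzibar engines enforce

// Check answers "does subject have relation on namespace:object?" and, when
// it does, returns the chain of relations that grants it (useful for audits).
func (s *Store) Check(ns, obj, rel, subject string) ([]string, bool) {
	return s.check(ns, obj, rel, subject, map[string]bool{}, 0)
}

func (s *Store) check(ns, obj, rel, subject string, visited map[string]bool, depth int) ([]string, bool) {
	node := ns + ":" + obj + "#" + rel
	// A visited set plus a depth limit keeps cyclic tuples from looping forever.
	if depth > maxDepth || visited[node] {
		return nil, false
	}
	visited[node] = true
	for _, t := range s.tuples {
		if t.Namespace != ns || t.Object != obj || t.Relation != rel {
			continue
		}
		if t.Subject == subject { // direct grant
			return []string{node}, true
		}
		// Indirect grant through a subject set: recurse into that relation.
		if sns, sobj, srel, ok := parseSubjectSet(t.Subject); ok {
			if path, found := s.check(sns, sobj, srel, subject, visited, depth+1); found {
				return append([]string{node}, path...), true
			}
		}
	}
	return nil, false
}

// ListObjects answers "which objects in namespace does subject have relation
// on?" by running Check over every known object; sorted for stable output.
func (s *Store) ListObjects(ns, rel, subject string) []string {
	seen := map[string]bool{}
	var out []string
	for _, t := range s.tuples {
		if t.Namespace != ns || seen[t.Object] {
			continue
		}
		seen[t.Object] = true
		if _, ok := s.Check(ns, t.Object, rel, subject); ok {
			out = append(out, t.Object)
		}
	}
	sort.Strings(out)
	return out
}

// ExampleStore builds constructed sample data: team "platform" owns the
// readme, owners may edit, editors may view, and bob may only view.
func ExampleStore() *Store {
	s := &Store{}
	s.Add("teams", "platform", "member", "user:alice")
	s.Add("docs", "readme", "owner", "teams:platform#member")
	s.Add("docs", "readme", "editor", "docs:readme#owner")
	s.Add("docs", "readme", "viewer", "docs:readme#editor")
	s.Add("docs", "readme", "viewer", "user:bob")
	s.Add("docs", "roadmap", "viewer", "teams:platform#member")
	// Deliberately cyclic group data: a check against it must terminate.
	s.Add("groups", "a", "member", "groups:b#member")
	s.Add("groups", "b", "member", "groups:a#member")
	return s
}

func main() {
	s := ExampleStore()
	path, ok := s.Check("docs", "readme", "editor", "user:alice")
	fmt.Println(ok, strings.Join(path, " -> "))
	fmt.Println(s.ListObjects("docs", "viewer", "user:alice"))
}
```

Running it prints that alice may edit the readme via docs:readme#editor -> docs:readme#owner -> teams:platform#member, which is exactly the "member of team Z which owns the document" chain; the list request returns both documents she can view. Returning the granting chain rather than a bare boolean is the detail a reviewer of an authorization decision actually wants.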
Ory Oathkeeper: API Gateway and Zero Trust
Ory Oathkeeper acts as an identity-aware API gateway and reverse proxy that implements zero-trust security principles. It sits in front of your application services and ensures that every incoming request is authenticated and authorized before reaching the backend. Oathkeeper can validate session cookies, JWTs, OAuth2 access tokens, and custom authentication schemes, transforming the authenticated identity information into a format that backend services can consume. This enables a clean separation between identity verification and application logic, allowing backend services to trust that requests have been properly authenticated without implementing their own authentication middleware.
The zero-trust architecture that Oathkeeper enables is becoming increasingly important as organizations move toward microservices and distributed architectures where the traditional network perimeter is no longer meaningful. By requiring authentication at every service boundary, Oathkeeper ensures that even if one service is compromised, attackers cannot move laterally through the system without valid credentials. The access rules are configured declaratively, making it easy to audit and manage the security posture of complex application architectures.
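An added example, in Go, of the decision pipeline that a declarative rule set like Oathkeeper's drives: match the request, authenticate it, authorize it, then mutate it for the upstream, with anything unmatched denied by default. This is not Oathkeeper's code; the rule fields are this example's own and only modelled on Oathkeeper's match / authenticators / authorizer / mutators structure. The token table, rule set, paths and fixed clock are constructed for the example; a real deployment would introspect tokens against Hydra or check sessions against Kratos instead of a map.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// AccessRule is a declarative rule in the spirit of Oathkeeper's access rules.
// Field names are this example's own, not Oathkeeper's exact schema.
type AccessRule struct {
	ID             string
	MatchPrefix    string   // path prefix the rule applies to
	MatchMethods   []string // HTTP methods the rule applies to
	Authenticators []string // tried in order: "anonymous" or "bearer_token"
	Authorizer     string   // "allow" or "deny"
	Mutators       []string // "header" adds X-User-ID for the upstream
}

// Session is what a successful authenticator produces.
type Session struct{ Subject string }

// Decision is the gateway's verdict: 200 means "forward with these headers".
type Decision struct {
	Status  int
	RuleID  string
	Subject string
	Headers map[string]string
}

// tokenRecord stands in for the token introspection a real gateway performs.
type tokenRecord struct {
	Subject string
	Expires time.Time
}

// Fixed clock and constructed token table so the example is deterministic.
var now = time.Date(2025, 6, 1, 12, 0, 0, 0, time.UTC)
var tokens = map[string]tokenRecord{
	"tok-alice-valid": {Subject: "alice", Expires: now.Add(time.Hour)},
	"tok-bob-expired": {Subject: "bob", Expires: now.Add(-time.Minute)},
}

// Constructed rule set: a public health check, an authenticated API, and an
// admin path that is matched but explicitly denied.
var rules = []AccessRule{
	{ID: "health", MatchPrefix: "/healthz", MatchMethods: []string{"GET"}, Authenticators: []string{"anonymous"}, Authorizer: "allow"},
	{ID: "orders-api", MatchPrefix: "/api/orders", MatchMethods: []string{"GET", "POST"}, Authenticators: []string{"bearer_token"}, Authorizer: "allow", Mutators: []string{"header"}},
	{ID: "admin-locked", MatchPrefix: "/admin", MatchMethods: []string{"GET", "POST", "DELETE"}, Authenticators: []string{"bearer_token"}, Authorizer: "deny"},
}

func matchRule(r *http.Request) (AccessRule, bool) {
	for _, rule := range rules {
		if !strings.HasPrefix(r.URL.Path, rule.MatchPrefix) {
			continue
		}
		for _, m := range rule.MatchMethods {
			if m == r.Method {
				return rule, true
			}
		}
	}
	return AccessRule{}, false
}

func authenticate(rule AccessRule, r *http.Request) (Session, bool) {
	for _, a := range rule.Authenticators {
		switch a {
		case "anonymous":
			return Session{Subject: "anonymous"}, true
		case "bearer_token":
			h := r.Header.Get("Authorization")
			if !strings.HasPrefix(h, "Bearer ") {
				continue
			}
			rec, ok := tokens[strings.TrimPrefix(h, "Bearer ")]
			if !ok || !now.Before(rec.Expires) { // unknown or expired token
				continue
			}
			return Session{Subject: rec.Subject}, true
		}
	}
	return Session{}, false
}

// Decide runs match -> authenticate -> authorize -> mutate. A request that
// matches no rule is refused: the default is deny, never pass-through.
func Decide(r *http.Request) Decision {
	rule, ok := matchRule(r)
	if !ok {
		return Decision{Status: http.StatusForbidden}
	}
	sess, ok := authenticate(rule, r)
	if !ok {
		return Decision{Status: http.StatusUnauthorized, RuleID: rule.ID}
	}
	if rule.Authorizer != "allow" {
		return Decision{Status: http.StatusForbidden, RuleID: rule.ID, Subject: sess.Subject}
	}
	headers := map[string]string{}
	for _, m := range rule.Mutators {
		if m == "header" {
			headers["X-User-ID"] = sess.Subject // identity handed to the upstream
		}
	}
	return Decision{Status: http.StatusOK, RuleID: rule.ID, Subject: sess.Subject, Headers: headers}
}

// newRequest builds a test request with an optional bearer token.
func newRequest(method, path, token string) *http.Request {
	r := httptest.NewRequest(method, path, nil)
	if token != "" {
		r.Header.Set("Authorization", "Bearer "+token)
	}
	return r
}

func main() {
	for _, tc := range []struct{ method, path, token string }{
		{"GET", "/healthz", ""}, {"GET", "/api/orders", "tok-alice-valid"},
		{"GET", "/api/orders", "tok-bob-expired"}, {"GET", "/admin", "tok-alice-valid"},
		{"GET", "/internal/metrics", ""},
	} {
		fmt.Printf("%s %s -> %+v\n", tc.method, tc.path, Decide(newRequest(tc.method, tc.path, tc.token)))
	}
}
```

The points worth checking against the output: an expired token and a missing token both end in 401 without reaching the upstream, a DELETE on the orders API or any unlisted path is refused because no rule matched, and the only identity the upstream ever sees is the X-User-ID the gateway itself set from a verified session, which is what lets backend services skip their own authentication middleware.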
Ory Network: Managed Cloud Service
For organizations that prefer a managed service over self-hosting, the Ory Network provides a fully managed version of the entire Ory stack. The Ory Network handles infrastructure management, scaling, monitoring, and updates, allowing development teams to focus on building their applications rather than operating identity infrastructure. The managed service offers European data residency options, ensuring that identity data is processed and stored within the EU. For many organizations, the Ory Network is the recommended starting point, as it eliminates the operational overhead of running identity infrastructure while still providing the same APIs and capabilities as the self-hosted version.
The Ory Network pricing starts at $29 per month and scales based on the number of monthly active users. This pricing model is predictable and often more cost-effective than Auth0's per-user pricing at scale. Organizations can migrate between self-hosted and managed deployments without application changes, since the APIs are identical, providing flexibility to change deployment strategies as needs evolve.
Developer Experience
Ory's developer experience is built around an API-first philosophy. Every feature is accessible through well-documented REST APIs, and the platform provides SDKs for popular programming languages including Go, JavaScript/TypeScript, Python, Java, PHP, Ruby, and Dart. The Ory CLI provides command-line access to all platform operations, enabling automation and integration with CI/CD pipelines. The documentation is comprehensive, with conceptual guides, API references, quickstart tutorials, and example applications for common frameworks including Next.js, React, and Express.
The headless approach means there are no pre-built UI components that constrain the user experience. While this requires more initial development effort compared to solutions like Auth0 that provide ready-made login widgets, it gives development teams complete freedom to create authentication and authorization experiences that perfectly match their application's design language and user flow requirements. For teams that want to accelerate development, Ory provides reference implementations and UI templates that can be used as starting points.
Open Source and Community
All of Ory's core components are open source under the Apache 2.0 license. The source code for Kratos, Hydra, Keto, and Oathkeeper is available on GitHub, where the community actively contributes bug fixes, features, and documentation improvements. This open-source foundation provides several advantages: organizations can audit the security of their identity infrastructure, customize components for specific requirements, and avoid vendor lock-in. The active community also means that issues are quickly identified and resolved, and the platform benefits from security scrutiny by developers worldwide.
The Ory community communicates through GitHub discussions, a Slack workspace, and community calls. The project's transparent development process means that roadmap items, design decisions, and architectural changes are discussed openly, giving users visibility into the platform's direction and the opportunity to influence priorities. For organizations that value transparency and community governance in their infrastructure choices, Ory's open-source model is a significant differentiator.
Security and Compliance
Security is paramount to Ory's design, as it must be for an identity infrastructure provider. The platform implements industry best practices for password hashing using the Argon2, bcrypt, and PBKDF2 algorithms. Session management follows OWASP guidelines with secure token generation, proper cookie attributes, and configurable session lifetimes. Hydra's OAuth2 implementation is OpenID Certified, meaning it has passed the conformance tests conducted by the OpenID Foundation. The platform supports security headers, CORS configuration, rate limiting, and brute-force protection out of the box.
For organizations in regulated industries, Ory's open-source model provides a unique compliance advantage. Auditors can review the exact code that processes and stores identity data, and organizations can implement custom security controls by modifying the source code. The self-hosted deployment option ensures that identity data never leaves the organization's infrastructure, which is a hard requirement for many financial services, healthcare, and government applications. When using the Ory Network, EU data residency ensures compliance with GDPR data localization requirements.
Scalability and Performance
Ory's components are designed for horizontal scalability and high performance. The services are stateless and can be scaled by adding more instances behind a load balancer, making them suitable for Kubernetes deployments and auto-scaling configurations. Hydra is optimized for internet-scale OAuth2 serving, with benchmarks showing it can handle thousands of token requests per second with sub-millisecond latency. Keto's permission checks use efficient graph traversal algorithms that maintain fast response times even with millions of relationships in the database. These performance characteristics make Ory suitable for applications serving millions of users without requiring expensive infrastructure.
Pricing and Plans
Ory offers a flexible pricing model that accommodates both startups and enterprises. The open-source components are completely free to use and self-host, with no limitations on features or scale. The Ory Network managed service starts at $29 per month with a generous free tier for development and testing. Pricing scales based on monthly active users, and enterprise plans with custom pricing include dedicated support, SLAs, and advanced features. Compared to Auth0 and Okta, Ory's pricing is generally more favorable at scale, particularly for applications with large user bases.
Potential Drawbacks
Ory's headless, API-first approach requires more initial development effort than solutions with pre-built UI components. Teams need to build and maintain their own login, registration, and account management interfaces, which adds to the development timeline. The modular architecture, while flexible, can be complex to configure correctly for organizations new to identity management concepts. Self-hosting requires operational expertise in deploying and managing distributed services, database administration, and security best practices. The documentation, while comprehensive, assumes a certain level of developer sophistication that may challenge less experienced teams. Despite these considerations, Ory provides the most flexible and privacy-respecting identity infrastructure available for European organizations.
Who Should Use Ory?
Ory is ideal for development teams that need full control over their authentication and authorization user experience, organizations in regulated industries that require self-hosted identity infrastructure, European businesses that need GDPR-compliant identity management with EU data residency, SaaS platforms that need scalable multi-tenant authorization, and enterprises replacing Auth0 or Okta with a European alternative. The open-source model makes it particularly attractive for organizations that value transparency, auditability, and freedom from vendor lock-in in their most critical infrastructure layer.
Alternatives to Ory
Looking for other European identity management solutions? Here are some alternatives worth considering:
Frequently Asked Questions
Is Ory GDPR compliant?
Yes, Ory is fully GDPR compliant. As a German company headquartered in Munich, Ory operates under EU data protection regulations. The Ory Network managed service offers European data residency, and the self-hosted option ensures identity data never leaves your infrastructure. The open-source code can be audited to verify data handling practices, providing an additional layer of compliance assurance.
Where is Ory headquartered?
Ory is headquartered in Munich, Germany. Founded in 2015, the company has built one of the most respected open-source identity ecosystems in the world. Its German location means it operates under EU data protection laws, providing strong privacy guarantees for European organizations handling sensitive identity data.
How much does Ory cost?
Ory's open-source components are completely free to self-host with no feature or scale limitations. The Ory Network managed service starts at $29 per month with a free tier for development. Pricing scales based on monthly active users, and enterprise plans with custom pricing include dedicated support and SLAs. Compared to Auth0 and Okta, Ory's pricing is generally more favorable at scale.
What is Ory an alternative to?
Ory is a European alternative to Auth0, Okta, and Firebase Auth. It provides equivalent identity management capabilities including authentication, OAuth2, OpenID Connect, and permissions management, while offering open-source transparency, self-hosting options, and European data residency through its German headquarters.
Is Ory open source?
Yes, all of Ory's core components (Kratos, Hydra, Keto, and Oathkeeper) are open source under the Apache 2.0 license. The complete source code is available on GitHub, where a large community actively contributes. Organizations can audit the code, customize it, and self-host without any licensing costs or feature limitations.
What is Ory Kratos?
Ory Kratos is the identity management component that handles user registration, login, account recovery, verification, and profile management. It is headless and API-first, supporting passwords, social sign-in, passkeys, magic links, multi-factor authentication, SMS, SAML, TOTP, and more. Developers build their own UI while Kratos manages the security-critical backend logic.
What is Ory Hydra?
Ory Hydra is a hardened, OpenID Certified OAuth 2.0 Server and OpenID Connect Provider designed for internet-scale applications. It handles authorization code flow, client credentials, refresh tokens, token introspection, and the Device Authorization Flow. Hydra delegates authentication to external services, making it compatible with any user management system.
Can Ory be self-hosted?
Yes, all Ory components can be self-hosted on your own infrastructure with no licensing costs or feature limitations. The services are designed for horizontal scalability and run well on Kubernetes. Organizations can also use the Ory Network managed service and migrate between self-hosted and managed deployments without application changes, since the APIs are identical.
What authentication methods does Ory support?
Ory supports a comprehensive range of authentication methods including passwords, social sign-in (Google, GitHub, Apple, etc.), OIDC federation, magic links, WebAuthn/passkeys, TOTP, SMS verification, SAML, and multi-factor authentication with flexible policies. The 2025 release added SMS login as a standalone method and the OAuth 2.0 Device Authorization Flow for IoT and CLI applications.
How does Ory differ from Auth0?
Ory differs from Auth0 in several key ways: it is open source (Auth0 is proprietary), headquartered in Germany (Auth0/Okta is US-based), offers true self-hosting capability, and provides a headless, API-first approach that gives developers more UI control. Ory's pricing is generally more favorable at scale. Auth0 offers more pre-built UI components and a larger marketplace of integrations, making it quicker to implement for teams that do not need deep customization.