kratos

Ory Kratos is an open-source system for managing user accounts and identity, written in Go. Its purpose is to handle everything related to who a user is and how they log in, so that application developers do not have to build those pieces themselves. It covers user registration, login, password recovery, email verification, multi-factor authentication, and profile management, all exposed through HTTP APIs.

The core idea is that instead of each application reinventing its own login system, Kratos acts as a shared service that handles identity. Your own application's frontend handles what the login page looks like, but the logic behind it (checking credentials, issuing sessions, locking accounts) comes from Kratos. This makes Kratos what the README calls "headless," meaning it has no built-in user interface of its own.

It supports a range of authentication methods: passwords, passkeys, biometric login, social sign-in through providers like Google or GitHub, SMS codes, TOTP (time-based one-time passwords), SAML, and magic links. For organizations that need single sign-on across multiple apps, Kratos can be paired with Ory Hydra, another project from the same team that handles the OAuth2 and OpenID Connect protocol layer.

You can run Kratos in two ways. The first is self-hosted, where you install it on your own server or Kubernetes cluster and connect it to a database like PostgreSQL or MySQL. The second is as a managed service through the Ory Network, where Ory runs the infrastructure for you. The open-source version is free to self-host. Enterprise features like SAML, SCIM, and SLA-backed support require a commercial license.

The README reports that the Ory stack processes over seven billion API requests per day across thousands of companies, and the Ory community has more than 50,000 members.