30 open-source projects similar to ory/keto, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Keto alternative.
OpenFGA is a fine-grained authorization server and policy decision point that implements relationship-based access control. It serves as a centralized authorization service for evaluating access requests and managing relationship tuples across distributed microservices and multi-tenant environments. The engine combines relationship graphs with attribute-based access control, using the Common Expression Language to evaluate dynamic runtime attributes and conditional access rules. It handles complex hierarchies and nested permissions by traversing chains of associations and parent-child links t
Hanko is an open-source identity provider and customer identity and access management system. It serves as a passkey authentication service and an OAuth and SAML SSO gateway, allowing applications to authenticate users and issue tokens via standard identity protocols. The project distinguishes itself through a strong focus on passwordless access using WebAuthn-based passkeys and email-based passcodes. It provides framework-agnostic authentication interfaces as customizable web components that can be embedded directly into web applications to handle login, registration, and profile management.
Cube is a semantic data layer that provides a unified framework for defining business metrics, dimensions, and relationships across diverse data sources. By acting as a headless business intelligence engine, it transforms raw data into a governed model that can be queried via SQL, REST, and GraphQL interfaces. This architecture ensures consistent data definitions and logic across all downstream analytical applications and reporting tools. The platform distinguishes itself through its integrated conversational AI capabilities, which allow users to explore data using natural language. It orches
This project is a Next.js SaaS starter kit and billing boilerplate designed for building subscription-based software services. It provides a pre-configured foundation that integrates a PostgreSQL database schema with Stripe to manage recurring billing, tiered pricing models, and customer payment portals. The implementation features a synchronization system that uses webhooks to mirror external product data and subscription states into a local relational database. It includes an authentication layer that links external identity providers to user accounts and manages secure session tracking. T
Octelium is a zero-trust network access platform and identity-aware proxy designed to secure private HTTP, SSH, and SQL resources. It functions as a secure gateway that validates human and workload identities using OIDC, SAML, and FIDO2 passkeys before granting access to internal applications and SaaS APIs. The system is distinguished by its secretless access broker, which injects credentials—such as API keys, passwords, and AWS SigV4 signatures—at the gateway level so users can access databases and cloud resources without managing secrets. It further specializes in AI gateway administration,
Tinyauth is an authentication middleware service and identity provider that verifies user identities to grant system access. It operates as a standalone server or as an authentication gateway, utilizing a reverse proxy model to intercept requests and validate credentials before traffic reaches protected backend services. The project functions as an OpenID Connect provider for single sign-on experiences and an OAuth 2.0 gateway that delegates verification to external providers such as Google and GitHub. It also acts as an LDAP authentication server, allowing for centralized user management and
Jeesite is a full-stack low-code development framework designed for building enterprise administrative portals using Spring Boot, MyBatis, and Vue. It functions as a comprehensive platform for creating administrative dashboards with integrated role-based access control and organizational data permission systems. The framework distinguishes itself through a combination of automated CRUD code generation and an integrated RAG platform that connects large language models to enterprise data via vector stores. It further incorporates a BPMN-based workflow engine to automate complex business process
Polis is a self-hosted identity provider designed to manage federated authentication and user lifecycle operations within private infrastructure. It functions as a centralized hub for identity management, enabling organizations to maintain control over user data while enforcing security policies across diverse environments. The platform distinguishes itself by acting as a protocol-bridging gateway that converts complex enterprise authentication standards, such as SAML and OIDC, into a unified OAuth 2.0 flow. It further automates administrative tasks by synchronizing user and group information
This project is an Android password manager application that provides an end-to-end encrypted vault for storing and synchronizing login credentials, secure notes, and identities. It functions as a secure storage system using zero-knowledge encryption to ensure that only the user can decrypt their stored data. The application integrates directly with the Android system to provide an autofill service that populates usernames and passwords into mobile apps and browser login fields. It also serves as a passkey management wallet for FIDO2 cryptographic passkeys and a time-based one-time password a
Lens is a multi-cluster management platform and desktop application for administering Kubernetes environments. It provides a graphical interface for deploying Helm charts, editing YAML manifests, and managing the lifecycle of pods and deployments. The project features an AI-powered cluster assistant that enables users to query cluster state, perform autonomous troubleshooting, and translate natural language requests into system commands. It also supports collaborative team access through shared spaces, utilizing encrypted cluster sharing and role-based access control to manage credentials and
Side-Menu.Android is a reusable UI component for Android applications that provides a slide-out navigation drawer. It is designed to help developers organize application sections and user options into a structured, hidden panel that maintains a clean interface for the primary content area. The component distinguishes itself through its visual presentation, which follows Material Design guidelines to ensure a consistent and intuitive user experience. It features a data-driven menu hierarchy that allows for logical grouping of navigation items, and it incorporates fluid circular reveal animatio
SpiceDB is a distributed permission store and relationship-based access control system. It provides a scalable database for storing and querying fine-grained authorization relationships, implementing a consistency model inspired by Google Zanzibar to manage access rights across large-scale applications. The system uses a dedicated schema language to define the rules and logic governing how relationships translate into permissions independently of application code. It functions as a pluggable authorization engine that persists relationship tuples in external relational databases such as Postgr
Next Terminal is an enterprise bastion host platform that brokers and audits remote access to servers and devices. It functions as a centralized gateway unifying access to Windows, Linux, and legacy systems through a single authenticated interface, supporting RDP, SSH, VNC, Telnet, and HTTP protocols. The platform combines certificate management, policy-based access control, reverse tunnel agents, session recording, and web proxy interception into a unified security gateway. It deploys lightweight agents in internal networks that build reverse tunnels to a central site, eliminating per-locati
This project is a social blogging application built with Flask. It provides a platform for user account management, following relationships, and chronological post streams, supported by a PostgreSQL relational database. The application features a multilingual web interface with localized content and date formatting. It is designed as a dockerized web application, utilizing containerization for consistent deployment across different environments. The system integrates a variety of core capabilities, including full-text search with provider abstraction, an asynchronous task worker for backgrou
GoTrue is a JWT identity provider and user management API. It functions as an OAuth 2.0 compliant server that handles user registration and authentication while issuing signed JSON Web Tokens to control access to protected API resources. The service integrates external identity providers to allow users to sign in using third-party accounts. It also includes an SMTP notification service for delivering password resets, signup confirmations, and account recovery emails. The system covers broader capabilities for user account management, including the ability to update user profiles and manage c
Next-auth is an authentication and identity management library for web frameworks. It provides a unified system for handling user sign-in and session state across server and client environments, functioning as a session management framework and an OIDC authentication library. The project distinguishes itself through a provider-based identity abstraction that supports multiple authentication methods, including OAuth, email magic links, traditional credentials, and passwordless passkeys. It allows for the registration of custom OAuth or OIDC compliant providers and offers tools to define branda
Grist is a relational spreadsheet platform that combines the flexibility of a spreadsheet with the power of a relational database. At its core, it manages structured data across multiple linked tables, using a relational database engine to organize information while providing a familiar grid interface. The platform supports Python-based formulas for complex calculations and data transformations, with automatic recalculation when referenced cells change. The system is designed for self-hosted deployment, storing data in either portable SQLite files or enterprise-grade PostgreSQL databases. It
Zuul is an API gateway service that manages incoming network traffic to backend services. It serves as a routing layer and edge security proxy that provides centralized control over security and monitoring for microservices. The project implements a dynamic request router that maps incoming paths to backend locations using configurable rules that can be updated at runtime. It also includes a circuit breaker implementation to monitor backend failure rates and stop traffic to failing services to prevent cascading outages. The gateway provides a filter-based request pipeline for processing traf
Briefer is an interactive data notebook platform and business intelligence dashboard tool used for collaborative data analysis and reporting. It provides a containerized environment for building reports that combine SQL, Python, and Markdown with native visualizations. The platform features an integrated code assistant that uses large language models to generate SQL and Python snippets from natural language prompts. It is designed as a Kubernetes data application, deploying via Helm charts to manage isolated compute environments and ensure separate resources per page through pod-based isolati
The Common Expression Language specification is a formal standard for a non-Turing-complete expression language designed for safe, portable, and fast logic evaluation. It serves as a cross-language logic standard and a declarative policy language, providing a consistent semantic framework for executing boolean expressions and data transformations across different programming environments. This specification acts as an embedded expression engine that allows applications to integrate portable logic for evaluating user-defined configurations. It is specifically designed to enable safe user-defin
InsForge is a backend-as-a-service platform that provides an integrated suite of tools for managing relational databases, identity provision, object storage, and serverless compute. It functions as an open-source identity provider and a PostgreSQL database manager featuring integrated vector storage and row-level security. The platform serves as an LLM orchestration gateway, offering a unified endpoint to route requests across various AI providers through an OpenAI-compatible interface. It enables AI-driven application generation and connects AI agents to backend resources using a standardize
Casbin is an authorization library that provides a model-based engine for enforcing access control across diverse application environments. It decouples authorization logic from application code by using a configuration-driven approach, allowing developers to define access rules and evaluation logic independently. The system supports a wide range of access control models, including role-based, attribute-based, and relationship-based patterns, which are evaluated at runtime to determine if a subject is permitted to perform an action on a resource. The project distinguishes itself through a hig
Logto is an open-source identity provider that serves as a centralized authentication and authorization server for web, mobile, and command-line applications. It implements the OpenID Connect and OAuth 2.1 standards to handle secure user sign-in and the issuance of identity tokens. The platform is specifically designed as a multi-tenant authentication framework for software-as-a-service environments, featuring built-in organization management and tenant isolation. It includes an enterprise single sign-on gateway to integrate external identity providers and supports role-based access control t
Stack Auth is an open-source authentication and authorization platform that provides pre-built UI components, OAuth integration, team management, and session handling for web applications. It offers a complete authentication lifecycle covering sign-in, sign-up, session management, password recovery, and multi-factor security, with support for passkey authentication and OAuth providers including Google, GitHub, and Apple. The platform includes a team-based permission system with role-based access control, allowing users to be organized into teams with granular permissions for membership manage
This project is a cross-platform messaging SDK and client development library used to build custom Telegram applications. It functions as a comprehensive framework that manages network encryption, local data storage, and API communication, providing a C-compatible JSON interface that allows integration with any programming language. The library distinguishes itself by providing a full database manager for encrypted local caching and synchronized state, alongside a dedicated bot framework for creating interactive bots with business account integration. It enables the implementation of speciali
mcp-context-forge is a Model Context Protocol federation gateway that unifies diverse AI tool servers and APIs into a single consistent interface for discovery and execution. It acts as a centralized proxy that aggregates multiple servers and APIs, allowing AI agents to access and invoke a unified set of tools, prompts, and resources. The project distinguishes itself through a multi-protocol translation bridge that converts communication between standard I/O, SSE, gRPC, and REST to enable interoperability between disparate tool servers. It includes a comprehensive LLM evaluation framework for
Kimai is an open-source time tracking system that records employee working hours, manages absences, and generates professional invoices from recorded timesheets and expenses. It organizes all time records through a mandatory three-level hierarchy of customer, project, and activity, and supports project budget monitoring with configurable time and money limits. The application is extensible through a plugin system that allows adding custom features, invoice templates, reporting views, and dashboard widgets without modifying core files. It provides a RESTful JSON API for programmatic read and w
Synapse is a Matrix homeserver implementation that provides the infrastructure for decentralized, real-time communication. It acts as a federated chat server and messaging node, synchronizing room data and event streams across independent server instances to enable cross-domain interoperability. The server uses a hybrid core that combines Python for high-level orchestration with Rust for performance-critical logic. It leverages a PostgreSQL relational database for persisting user accounts and conversation history, and employs a non-blocking asynchronous runtime to handle concurrent network co
Gravitino is a federated metadata lake and unified data catalog designed to manage tables, files, and AI models across diverse data sources and cloud storage. It serves as a centralized interface for governing schemas, access controls, and tagging across relational databases, messaging queues, and object stores. The project distinguishes itself by unifying the management of AI assets, such as machine learning models and their version lineages, alongside traditional tabular data. It also implements the Iceberg REST specification to provide a standardized metadata server and proxy for lakehouse