Keto

Ory Keto is an open-source authorization server that implements Google Zanzibar’s relationship-based access control model. It stores every access relationship as a tuple in a SQL database and exposes a declarative TypeScript-like namespace language for defining object types, relations, and permissions. The service provides bidirectional permission resolution, configurable consistency levels for checks, and dual gRPC and REST APIs for broad integration.

Keto extends the Zanzibar model with edge enforcement of access policies, structured compliance auditing of permission decisions, and infrastructure-as-code management through Terraform, Pulumi, and Helm. It includes agent-level security controls with identity authentication, action authorization against the permission model, and graduated policy enforcement from observation to strict blocking. Observability is supported via OpenTelemetry, Prometheus metrics, and SIEM event streaming.

The system also covers identity verification workflows, consent synchronization, automated data subject request fulfillment, and billing integrations. Deployment options include managed SaaS, on-premises, and private cloud, with containerized execution and Kubernetes Helm charts for orchestration. The project, written in Go, provides full documentation and a command-line interface for configuration and management.

Features

Zanzibar-Inspired Authorization Systems - Implements Google Zanzibar's relationship-based access control model using tuples of namespace, object, relation, and subject.

Many-to-Many Associations - Declares many-to-many relations between object types and multiple subject types using union syntax to model authorization structure.

ReBAC Engines - Provides a relationship-based access control engine with a declarative DSL for defining complex authorization rules.

Permissions Engines - Ships an open-source permissions engine that evaluates relationship tuples with support for transitive and inherited permissions.

Security Decision Lookups - Exposes a decisions endpoint that returns allow/deny responses for request authorization checks.

Policy Definition Languages - Provides a TypeScript-like domain-specific language for declaring authorization rules with inheritance and union types.

Declarative Permission Modelers - Declares fine-grained authorization policies using a TypeScript-like domain-specific language designed for scalability.

Edge Security Enforcements - Automatically injects authenticated user headers and blocks unauthenticated requests at the network edge.

External Identity Provider Integration - Works with any identity provider through pluggable integration points for flexible authentication handoff.

Dual Protocol APIs - Exposes permission check, expand, and list operations over both gRPC and HTTP for broad integration without custom protocol support.

Permission Inheritance - Defines access rules using a declarative language supporting hierarchical object structures and implicit permission propagation.

Custom Access Rules - Defines access rules that specify authentication methods, permission checks, and request mutations.

Relationship-Based Access Controls - Implements Google Zanzibar's relationship-based access control model, storing access relationships as tuples and evaluating them with sub-millisecond latency.

Edge Authentication Strategies - Validates tokens and session cookies at the edge using cached public keys before traffic reaches origin servers.

SCIM Provisioning - Automates user account and group membership provisioning from directory services via the SCIM protocol.

User Profile Management - Provides full CRUD operations on user identity data with a customizable schema.

Configurable Consistency Levels - Evaluates permission checks with selectable consistency levels and cached recent decisions for low-latency responses.

Low-Latency Permission Evaluators - Evaluates authorization decisions for billions of relationships with sub-10 millisecond latency using the Zanzibar consistency model.

Relationship-Based Permission Checks - Evaluates permission checks by traversing relationship tuples with sub-millisecond latency using the Zanzibar consistency model.

Team Action Permission Checks - Checks whether a subject has a specific permission on an object before allowing an action, returning a boolean result.

Transitive Permission Rule Definitions - Defines permission checks using includes and transitive operators that evaluate whether a subject has access based on relations.

Policy-Based Access Control - Provides a declarative policy language to define relationships and rules for fine-grained access control.

Request Authorization Enforcers - Enforces authorization at the network edge by injecting user headers and redirecting unauthenticated requests.

SAML and JWT Authentications - Authenticates users through enterprise identity providers using SAML 2.0 or OpenID Connect federation.

Permission Listings - Traverses a permission subject set to list every subject with implied access, showing who has a given permission and why.

Bidirectional Relationship Queries - Queries the relationship graph in both directions to list objects accessible to a subject or subjects with access to an object.

Single Sign-On Integrations - Registers applications with external OpenID Connect providers for single sign-on authentication.

Self-Service Authentication Flows - Provides complete user authentication with self-service flows, session management, and email/SMS verification and recovery.

User Identity Management - Stores user data based on customizable schemas with full CRUD API endpoints for identity management.

External User Provisioning - Ships automated user provisioning by syncing accounts from an identity provider to downstream applications.

Authorization Schema DSLs - Defines object types, relations, and permissions in a TypeScript-like DSL that compiles into a formal authorization schema.

Tuple-Based Stores - Stores every access relationship as a tuple in a SQL database, enabling fast graph traversal and intersection queries.

Authorized Request Forwarders - Forwards requests to upstream services only when they match access rules and pass authorization checks.

Action Auditing - Captures allowed, denied, deferred, and approved actions as structured audit events, recording the session initiator, agent, action, policy result, and reason.

Phased Enforcement - Defines whether an agent action is allowed, blocked, or requires human approval, and lets organizations phase enforcement from observation to strict control.

GitHub Organization Membership Checks - Checks GitHub organization membership and profile data to enforce access decisions on resources.

Session Augmentation APIs - Calls an external API during authentication to augment the session with extra data or headers for subsequent mutators.

Cloud or Self-Hosted Deployments - Runs as a managed SaaS, on-premises, or in a private cloud with identical code and no vendor lock-in.

Infrastructure as Code - Defines and manages authorization and identity resources as declarative Terraform configurations.

Policy-as-Code Definitions - Manages authorization resources and policies declaratively using Terraform, Pulumi, and Helm configurations.

Access Control Integration - Enforces fine-grained access control on API requests by integrating with API gateway services.

GitHub Authentication - Handles the OAuth2 login flow and token lifecycle for authentication through GitHub accounts.

Concurrent Connection Handling - Handles high-volume authentication requests with minimal resource usage by running many concurrent connections.

Authorization Audit Trails - Captures authorization decisions as structured audit events for security monitoring and compliance requirements.

Consent Synchronization - Captures consent choices and transmits them to a privacy management system, automatically mapping categories and maintaining data integrity during outages.

Cryptographic Key Management - Safely stores cryptographic key material for signing JSON Web Tokens and other cryptographic operations.

Data Subject Request Workflows - Automates deletion, access, and rectification requests by executing them directly against the identity system's admin API.

eIDAS Assurance Metadata Policies - Uses identity assurance metadata from eIDAS-compliant brokers to make context-sensitive authorization decisions.

Security and Compliance - Continuously monitors identity configurations and access policies to automate SOC 2 compliance.

Attribute-based Access Controls - Inspects JWT claims at the gateway layer to grant or deny access based on roles and scopes.

Permission Model Test Suites - Validates relationship-based access rules by creating test relationships and checking permissions through the API or SDK.

Agent Action Policies - Checks every agent action against a Zanzibar-style permission model before execution, enforcing policies on shell commands, file writes, and web fetches.

Agent Identities - Assigns unique credentials and audit attribution to each agent, so teams can trace which agent acted, where it ran, and how it was delegated.

Support Context Identity Verification - Verifies a user's identity automatically during customer support interactions, providing context and eliminating re-authentication.

Machine Identity Authentication - Verifies identity of automated services, microservices, or AI agents in real-time with instant credential revocation.

Headless OAuth2 Identity Integration - Connects OAuth2 and OpenID Connect flows to any external user management system through a headless API.

Token Signing Services - Replaces original credentials with a cryptographically signed JSON Web Token verifiable via a public key endpoint.

Pass-Through Header Proxies - Leaves original request headers untouched so the backend receives credentials in their original form.

Policy Validators - Performs compile-time type checking on relation and permission declarations to catch errors before runtime.

Social Authentication Providers - Connects to over 15 pre-built social sign-in providers or any OpenID Connect-compliant identity provider.

Social Login Integrations - Authenticates users via enterprise DingTalk credentials for single sign-on integration.

Macaroons - Creates tokens with embedded caveats that continuously narrow permissions, enforcing strict least privilege for each use.

Identity Header Injections - Injects authenticated user identity into request headers for downstream services to consume.

Gateway Authentication Offloading - Moves authentication and authorization processing to the API gateway, reducing backend service complexity.

Compliance Evidence Collection - Schedules and collects compliance evidence including user lifecycle, roles, and security policy status.

OpenTelemetry Exporters - Exports traces and metrics to any OpenTelemetry-compatible backend for unified monitoring.

Permission Auditing Tools - Queries the permission graph to identify and review permissions that are no longer necessary, helping maintain least-privilege access.

Prometheus Exporters - Exposes runtime and HTTP request metrics in Prometheus format for scraping and visualization.

Authentication SDKs - Provides APIs and SDKs for mobile, native, and web applications, with tools to build custom authentication UIs.

Access Control Frameworks - Policy decision point for access control based on policies.

Security & Privacy - Global authorization system based on Google's Zanzibar.

oryketo

Features

Star history