Kratos is a centralized identity and access management server designed to handle user registration, authentication, and profile management. It functions as an identity flow orchestrator, managing the state and security of authentication processes across web, mobile, and command-line interfaces. The system provides a standards-compliant authorization server that issues tokens and manages delegated access for third-party applications and internal services, supporting multi-factor authentication and custom identity schemas to secure user accounts.
The project distinguishes itself through a headless architecture that decouples identity flows from the user interface. By providing JSON-based API responses, it allows developers to build custom authentication experiences for any platform. It also implements a relationship-based access control model, which evaluates permissions by traversing a directed graph of relationships between subjects and objects. This approach enables fine-grained access control, allowing developers to model complex authorization requirements and verify user permissions dynamically across distributed software systems.
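The graph traversal described above is easiest to understand from a small model. The following Go program is an added example written for this page, not code from Ory or from the Keto project; it implements a simplified Zanzibar-style check over relation tuples (`object#relation@subject`), where a subject is either a concrete subject id or a subject set that points at another `object#relation` node. All tuple names (`doc:readme`, `group:eng`, `user:alice`, and so on) are constructed sample data. Two details matter for a security practitioner: the `visited` set keeps a cyclic graph from looping forever, and `maxDepth` bounds how far a single permission check may walk, so an attacker who can create tuples cannot turn a check into a denial-of-service.

```go
package main

import "fmt"

// SubjectSet names a node in the relationship graph: "everyone who has
// Relation on Object". Subject sets are what make the model a graph rather
// than a flat ACL.
type SubjectSet struct {
	Object   string
	Relation string
}

// Tuple states that a subject has Relation on Object. Exactly one of
// SubjectID (direct membership) or SubjectSet (indirect membership) is set.
type Tuple struct {
	Object     string
	Relation   string
	SubjectID  string      // e.g. "user:alice"
	SubjectSet *SubjectSet // e.g. everyone with "member" on "group:eng"
}

// Store is a constructed in-memory tuple store standing in for a database.
type Store struct{ tuples []Tuple }

func (s *Store) Add(t Tuple) { s.tuples = append(s.tuples, t) }

// Check answers "does subject have relation on object?" by breadth-first
// traversal of subject sets. visited prevents cycles from looping; maxDepth
// caps the number of indirections a single check may follow.
func (s *Store) Check(object, relation, subject string, maxDepth int) bool {
	type item struct {
		set   SubjectSet
		depth int
	}
	start := SubjectSet{Object: object, Relation: relation}
	queue := []item{{start, 0}}
	visited := map[SubjectSet]bool{start: true}

	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, t := range s.tuples {
			if t.Object != cur.set.Object || t.Relation != cur.set.Relation {
				continue
			}
			if t.SubjectID == subject {
				return true // direct edge to the subject
			}
			if t.SubjectSet != nil && cur.depth < maxDepth && !visited[*t.SubjectSet] {
				visited[*t.SubjectSet] = true
				queue = append(queue, item{*t.SubjectSet, cur.depth + 1})
			}
		}
	}
	return false
}

// buildSample returns a constructed graph:
//   doc:readme#viewer <- doc:readme#editor <- group:eng#member <- user:alice
//   doc:readme#viewer <- user:bob
//   group:a#member <-> group:b#member (a cycle with no real members)
func buildSample() *Store {
	s := &Store{}
	s.Add(Tuple{Object: "doc:readme", Relation: "viewer", SubjectSet: &SubjectSet{"doc:readme", "editor"}})
	s.Add(Tuple{Object: "doc:readme", Relation: "editor", SubjectSet: &SubjectSet{"group:eng", "member"}})
	s.Add(Tuple{Object: "group:eng", Relation: "member", SubjectID: "user:alice"})
	s.Add(Tuple{Object: "doc:readme", Relation: "viewer", SubjectID: "user:bob"})
	s.Add(Tuple{Object: "group:a", Relation: "member", SubjectSet: &SubjectSet{"group:b", "member"}})
	s.Add(Tuple{Object: "group:b", Relation: "member", SubjectSet: &SubjectSet{"group:a", "member"}})
	return s
}

func main() {
	s := buildSample()
	fmt.Println("alice viewer (depth 5):", s.Check("doc:readme", "viewer", "user:alice", 5)) // true
	fmt.Println("alice viewer (depth 1):", s.Check("doc:readme", "viewer", "user:alice", 1)) // false, cut off
	fmt.Println("bob editor:", s.Check("doc:readme", "editor", "user:bob", 5))                // false
	fmt.Println("carol in cyclic group:", s.Check("group:a", "member", "user:carol", 5))      // false, terminates
}
```

Run it with `go run .`; the depth-1 check for alice fails even though she is a viewer through two indirections, which is the trade-off a depth limit buys: predictable cost per check in exchange for a ceiling on how deep a relationship chain may be.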
Beyond core identity and authorization, the platform includes extensive developer tooling, such as language-specific client libraries and a command-line interface for managing projects and authentication sessions. It supports lifecycle extensions through hooks, allowing custom business logic to trigger after specific identity events. The system also provides robust session management using cryptographically signed tokens that track authentication assurance levels, ensuring consistent security across disparate application boundaries.