# ory/kratos

13,455 stars · 1,106 forks · Go · apache-2.0

## Links

- GitHub: https://github.com/ory/kratos
- Homepage: https://www.ory.com/?utm_source=github&utm_medium=banner&utm_campaign=kratos
- awesome-repositories: https://awesome-repositories.com/repository/ory-kratos.md

## Topics

`hacktoberfest` `identity` `identity-management` `login` `profile-management` `registration` `user` `user-management` `user-profile` `user-profiles` `users`

## Description

Kratos is a centralized identity and access management server designed to handle user registration, authentication, and profile management. It functions as an identity flow orchestrator, managing the state and security of authentication processes across web, mobile, and command-line interfaces. The system provides a standards-compliant authorization server that issues tokens and manages delegated access for third-party applications and internal services, supporting multi-factor authentication and custom identity schemas to secure user accounts.

The project distinguishes itself through a headless architecture that decouples identity flows from the user interface. By providing JSON-based API responses, it allows developers to build custom authentication experiences for any platform. It also implements a relationship-based access control model, which evaluates permissions by traversing a directed graph of relationships between subjects and objects. This approach enables fine-grained access control, allowing developers to model complex authorization requirements and verify user permissions dynamically across distributed software systems.

Beyond core identity and authorization, the platform includes extensive developer tooling, such as language-specific client libraries and a command-line interface for managing projects and authentication sessions. It supports lifecycle extensions through hooks, allowing custom business logic to trigger after specific identity events. The system also provides robust session management using cryptographically signed tokens that track authentication assurance levels, ensuring consistent security across disparate application boundaries.

## Tags

### Security & Cryptography

- [Multi-Factor Authentication](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/user-facing-login-methods/multi-factor-authentication.md) — Secures user accounts by requiring additional verification steps like TOTP, WebAuthn, or email during the login process. ([source](https://www.ory.com/docs/kratos/mfa/overview))
- [Identity and Access Management](https://awesome-repositories.com/f/security-cryptography/identity-and-access-management.md) — Provides a comprehensive identity and access management system for user registration, profile management, and multi-factor authentication.
- [Identity and Access Management Servers](https://awesome-repositories.com/f/security-cryptography/identity-and-access-management-servers.md) — Acts as a centralized identity management server for user registration, authentication, and profile management.
- [OAuth2 Implementations](https://awesome-repositories.com/f/security-cryptography/oauth2-implementations.md) — Ensures secure token exchange by implementing appropriate flows like Authorization Code with PKCE for various application types. ([source](https://www.ory.com/docs/hydra/concepts/oauth2))
- [OAuth2 Providers](https://awesome-repositories.com/f/security-cryptography/oauth2-providers.md) — Functions as a standards-compliant OAuth2 and OIDC provider for token issuance and delegated access management.
- [Relationship-Based Models](https://awesome-repositories.com/f/security-cryptography/access-control-models/relationship-based-models.md) — Implements complex relationship-based permission models to manage granular access across distributed systems.
- [Relationship-Based Access Controls](https://awesome-repositories.com/f/security-cryptography/identity-access-management/access-control/data-resource-permissions/relationship-based-access-controls.md) — Enforces granular access rights based on defined relationships between users and resources.
- [Access Control and Authorization](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/authorization-and-user-administration/access-control-authorization.md) — Models complex access control requirements by defining namespaces, relations, and permissions. ([source](https://www.ory.com/docs/keto/reference/ory-permission-language))
- [JWT Session Management](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/session-and-credential-handling/session-credential-management/jwt-session-management.md) — Maintains user sessions using cryptographically signed tokens that track identity metadata across services.
- [OAuth2 Client Management](https://awesome-repositories.com/f/security-cryptography/oauth2-client-management.md) — Identifies and authenticates applications during authorization flows by registering redirect URIs and managing client credentials. ([source](https://www.ory.com/docs/hydra/concepts/oauth2))
- [OIDC Identity Token Issuance](https://awesome-repositories.com/f/security-cryptography/oidc-identity-token-issuance.md) — Verifies user identity and session information securely by requesting ID tokens alongside standard OAuth2 access tokens. ([source](https://www.ory.com/docs/hydra/concepts/openid-connect-oidc))
- [Permission Management](https://awesome-repositories.com/f/security-cryptography/permission-management.md) — Verifies user access by validating subject, permission, and object combinations before performing sensitive actions. ([source](https://www.ory.com/docs/keto/guides/simple-access-check-guide))
- [Authentication Flows](https://awesome-repositories.com/f/security-cryptography/authentication-flows.md) — Supports headless authentication workflows via JSON APIs for flexible integration across web, mobile, and desktop platforms.
- [Authentication Login Handlers](https://awesome-repositories.com/f/security-cryptography/authentication-login-handlers.md) — Delegates authentication to a custom application by handling login challenges and accepting or rejecting requests. ([source](https://www.ory.com/docs/hydra/guides/login))
- [Authentication CLI](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/session-and-credential-handling/credential-security-utilities/authentication-cli.md) — Authenticates terminal sessions using browser flows or API keys for secure command-line access. ([source](https://www.ory.com/docs/guides/cli/cli-basics))
- [Identity Management](https://awesome-repositories.com/f/security-cryptography/identity-access-management/identity-management.md) — Maps user fields to identity management functions like password recovery and multi-factor authentication. ([source](https://www.ory.com/docs/kratos/manage-identities/customize-identity-schema))
- [Flow Orchestrators](https://awesome-repositories.com/f/security-cryptography/identity-and-access-management-servers/flow-orchestrators.md) — Orchestrates complex authentication state and security flows across diverse client interfaces.
- [Permission Systems](https://awesome-repositories.com/f/security-cryptography/permission-systems.md) — Provides a dedicated language for modeling relationships and permissions to power global access control logic. ([source](https://www.ory.com/docs/keto/modeling/create-permission-model))
- [Authorization Testing](https://awesome-repositories.com/f/security-cryptography/authorization-testing.md) — Validates access control logic through manual API checks and automated test suites. ([source](https://www.ory.com/docs/keto/modeling/create-permission-model))
- [Multi-Factor Authentication](https://awesome-repositories.com/f/security-cryptography/multi-factor-authentication.md) — Enforces multi-factor authentication using TOTP and WebAuthn to secure user account access.
- [Authorization Middleware](https://awesome-repositories.com/f/security-cryptography/authorization-middleware.md) — Retrieves authorized resources by querying objects or subjects associated with specific users or relations. ([source](https://www.ory.com/docs/keto/guides/list-api-display-objects))
- [Consent Bypasses](https://awesome-repositories.com/f/security-cryptography/consent-management/consent-bypasses.md) — Provides automated authorization bypasses for trusted first-party applications to streamline user login flows. ([source](https://www.ory.com/docs/hydra/guides/login))
- [Flow Initialization](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/user-facing-login-methods/oauth-identity-providers/client-registration-protocols/flow-initialization.md) — Prepares the environment for user registration by setting up anti-CSRF tokens across browser, API, and mobile client platforms. ([source](https://www.ory.com/docs/kratos/self-service/flows/user-registration))
- [Input Validation Schemas](https://awesome-repositories.com/f/security-cryptography/input-validation-schemas.md) — Validates user input against defined identity schemas to handle errors related to password policies or missing required fields. ([source](https://www.ory.com/docs/kratos/self-service/flows/user-registration))
- [Identity Tracking Systems](https://awesome-repositories.com/f/security-cryptography/identity-tracking-systems.md) — Determines if a user has completed enough authentication factors to perform sensitive operations by tracking session assurance levels. ([source](https://www.ory.com/docs/kratos/mfa/overview))

### Software Engineering & Architecture

- [Identity Federation](https://awesome-repositories.com/f/software-engineering-architecture/identity-federation.md) — Integrates external identity providers using standard protocols to manage access across distributed systems.
- [State Machine Orchestrators](https://awesome-repositories.com/f/software-engineering-architecture/state-machine-orchestrators.md) — Manages complex authentication and registration processes as stateful flows with persistent history.
- [Lifecycle Event Hooks](https://awesome-repositories.com/f/software-engineering-architecture/lifecycle-event-hooks.md) — Executes custom business logic at specific stages of the identity lifecycle via event hooks.

### Data & Databases

- [Graph Processing](https://awesome-repositories.com/f/data-databases/graph-computing-systems/graph-processing.md) — Evaluates access rights by traversing directed graphs of relationships between subjects and objects.
- [JSON Schema Modeling](https://awesome-repositories.com/f/data-databases/json-schema-modeling.md) — Enforces data validation and consistency for user identity structures using standard schema files.
- [Relationship Management](https://awesome-repositories.com/f/data-databases/relationship-management.md) — Determines user access by expanding relationship trees to identify the underlying reasons for granted permissions. ([source](https://www.ory.com/docs/keto/guides/expand-api-display-who-has-access))

### Web Development

- [API Decoupling](https://awesome-repositories.com/f/web-development/api-decoupling.md) — Separates user interface and backend layers through interface contracts to enable custom authentication experiences.

### Development Tools & Productivity

- [Client SDKs](https://awesome-repositories.com/f/development-tools-productivity/client-sdks.md) — Provides language-specific packages to simplify authentication and data retrieval tasks. ([source](https://www.ory.com/docs/sdk))
- [Project Scaffolding and Configuration](https://awesome-repositories.com/f/development-tools-productivity/project-scaffolding-config-code-generation/project-scaffolding-configuration.md) — Generates new workspaces and project containers through the terminal to organize development resources. ([source](https://www.ory.com/docs/guides/cli/cli-basics))
- [Webhook Configuration](https://awesome-repositories.com/f/development-tools-productivity/webhook-configuration.md) — Customizes OAuth2 token claims during issuance or refresh by registering a webhook endpoint. ([source](https://www.ory.com/docs/hydra/guides/claims-at-refresh))

### Business & Productivity Software

- [Registration Hooks](https://awesome-repositories.com/f/business-productivity-software/user-registration-systems/registration-hooks.md) — Streamlines user onboarding by automatically issuing sessions immediately after successful account creation using post-registration hooks. ([source](https://www.ory.com/docs/kratos/self-service/flows/user-registration))
