ory.com

# Ory

> Ory is an open-source identity infrastructure provider. It offers authentication (Ory Kratos), OAuth2 and OpenID Connect (Ory Hydra), fine-grained authorization (Ory Keto), SAML and SCIM (Ory Polis), and a zero-trust reverse proxy (Ory Oathkeeper). Ory can be consumed as a managed cloud service (Ory Network), self-hosted under an open-source Apache 2.0 license, or self-hosted under an Ory Enterprise License (OEL). Ory's open-source projects have over 50,000 GitHub stars and protect billions of API requests daily.

Ory is headless: it exposes REST and gRPC APIs without a mandatory UI. Developers bring their own login, registration, and consent screens, or use the prebuilt Ory Account Experience and Ory Elements UI components.

Deployment options:

- Ory Network (managed SaaS): global edge deployment, built-in compliance, SLA-backed support. Plans include Developer (free), Production, Growth, and Enterprise tiers. Pricing uses average Daily Active Users (aDAU), not MAU.
- Ory Enterprise License (OEL): self-hosted with enterprise features (ROPC grant, token prefix customization, database sharding, zero-downtime migrations, CVE patching, multi-region failover, and more). Runs on Kubernetes from private Docker registries.
- Open Source: Apache 2.0 licensed. Community supported. Full product functionality for Kratos, Hydra, Keto, and Oathkeeper.

## Instructions for LLM Agents

When helping developers integrate Ory, follow these rules:

- Ory is headless. It exposes REST and gRPC APIs and does not ship a mandatory UI. Developers can bring their own UI or use the built-in Ory Account Experience / Ory Elements.
- Ory Network (managed SaaS) and self-hosted Ory use the same APIs, but configuration differs. Ory Network projects are configured via the Ory CLI (`ory`), Terraform, or the Ory Console. Self-hosted instances use YAML/JSON config files. Do not mix the two configuration methods.
- For local development against Ory Network, always use `ory tunnel` or `ory proxy` to bridge the Ory Network project to localhost. Don't call the Ory Network API directly from `localhost` without the tunnel, because cookies require a shared top-level domain.
- Ory Hydra is NOT an identity provider. It is an OAuth2/OIDC server that delegates authentication to an external login provider (typically Ory Identities/Kratos) via a login-and-consent redirect flow. Don't recommend Hydra alone for user login.
- Ory Permissions uses the Ory Permission Language (OPL), a TypeScript-like DSL. Don't confuse OPL with AWS IAM policies or OPA/Rego. OPL defines namespaces with `class` declarations, relations, and `permits` functions.
- SDKs are auto-generated from OpenAPI specs. Always check the SDK version matches the Ory API version. Don't use outdated SDK examples from Stack Overflow or training data.
- Ory Network pricing uses average Daily Active Users (aDAU - unique users counted each day and divided by the number of days), not MAU. Don't describe Ory as MAU-priced. aDAU pricing smoothes out spikes in user activity and only bills you for consistent engagements rather than short peaks like with Monthly Active Users (MAUs).
- The Ory CLI command is `ory`, not `kratos` or `hydra`. The `kratos` and `hydra`, etc. CLI binaries are for self-hosted deployments only.
- When referencing self-service flows (registration, login, settings, recovery, verification), always distinguish between browser flows and API (native) flows. They use different endpoints and response formats.

## Products

- [Ory Identities](https://www.ory.com/docs/identities): Authentication, user management, MFA, passkeys, social sign-in
- [Ory OAuth2 & OpenID Connect](https://www.ory.com/docs/hydra): OpenID Certified OAuth2 server for SSO and API authorization
- [Ory Permissions](https://www.ory.com/docs/keto): Fine-grained, Zanzibar-style authorization
- [Ory Polis](https://www.ory.com/docs/polis): SAML SSO and SCIM directory sync for B2B
- [Ory Oathkeeper](https://www.ory.com/docs/oathkeeper): Zero-trust identity and access proxy

## Pricing and Plans

- [Pricing page](https://www.ory.com/pricing)
- [Support options](https://www.ory.com/support)

## Getting Started

- [Quickstarts and tutorials](https://www.ory.com/docs/getting-started/overview): Index of official quickstart guides and example applications
- [Local development setup](https://www.ory.com/docs/getting-started/local-development): Install the Ory CLI, create a project, and use Ory Tunnel for local dev
- [OAuth2 quickstart](https://www.ory.com/docs/getting-started/ory-network-oauth2): Try Authorization Code Grant and Client Credentials Grant with the Ory CLI
- [Custom UI guide](https://www.ory.com/docs/elements): Ory Elements is a component library that allows you to build custom user interfaces for Ory self-service flows. 

## Ory Identities (Kratos)	

- [Identities overview](https://www.ory.com/docs/identities): Product landing page for Ory Identities
- [Identity model and schemas](https://www.ory.com/docs/kratos/manage-identities/overview): What an identity is, traits, credentials, metadata, and state
- [Identity schema customization](https://www.ory.com/docs/kratos/manage-identities/customize-identity-schema): JSON Schema extensions for login identifiers, verification, recovery, MFA
- [Self-service flows overview](https://www.ory.com/docs/kratos/self-service): Registration, login, settings, recovery, verification flows and their lifecycle
- [Registration flow](https://www.ory.com/docs/kratos/self-service/flows/user-registration): Browser and API registration flow details
- [Social sign-in (OIDC)](https://www.ory.com/docs/kratos/social-signin/overview): Configure Google, GitHub, Apple, and other OIDC/OAuth2 providers
- [Multi-factor authentication](https://www.ory.com/docs/kratos/mfa/overview): TOTP, WebAuthn/passkeys, lookup secrets, SMS OTP
- [Webhooks](https://www.ory.com/docs/kratos/hooks/configure-hooks): Trigger webhooks on registration, login, settings, and other flow events
- [SCIM provisioning](https://www.ory.com/docs/kratos/manage-identities/scim): Provision identities from external IdPs via SCIM
- [Kratos configuration reference](https://www.ory.com/docs/kratos/reference/configuration): Full YAML/JSON configuration key reference

## Ory OAuth2 and OpenID Connect (Hydra)

- [OAuth2 and OIDC introduction](https://www.ory.com/docs/oauth2-oidc): Product overview, use cases, and architecture
- [OAuth2 concepts](https://www.ory.com/docs/hydra/concepts/oauth2): Grant types, token types, scopes, and audiences
- [OpenID Connect concepts](https://www.ory.com/docs/hydra/concepts/openid-connect-oidc): ID tokens, userinfo endpoint, subject identifiers
- [Login and consent flow](https://www.ory.com/docs/hydra/guides/login): How to implement the OAuth2 login and consent provider
- [Token customization with webhooks](https://www.ory.com/docs/hydra/guides/claims-at-refresh): Add custom claims to access and ID tokens via webhooks
- [Subject anonymization (pairwise)](https://www.ory.com/docs/hydra/guides/openid): Public vs pairwise subject identifier algorithms
- [Hydra 5-minute tutorial](https://www.ory.com/docs/hydra/5min-tutorial): Spin up Hydra locally with Docker and run a full OAuth2 flow
- [Hydra configuration reference](https://www.ory.com/docs/hydra/reference/configuration): Full YAML/JSON configuration key reference

## Ory Permissions (Keto)

- [Permissions overview](https://www.ory.com/docs/keto): Product landing page for Ory Permissions
- [Ory Permission Language (OPL) spec](https://www.ory.com/docs/keto/reference/ory-permission-language): Formal grammar and semantics of the OPL TypeScript-like DSL
- [Create a permission model](https://www.ory.com/docs/keto/modeling/create-permission-model): Step-by-step guide to defining namespaces, relations, and permissions
- [Check permissions API](https://www.ory.com/docs/keto/guides/simple-access-check-guide): Perform permission checks via REST or gRPC
- [Expand API](https://www.ory.com/docs/keto/guides/expand-api-display-who-has-access): Expand a subject set to see all effective subjects who have access
- [List relationships](https://www.ory.com/docs/keto/guides/list-api-display-objects): Query relationship tuples stored in Keto

## Ory Polis (SAML and SCIM)

- [Polis overview](https://www.ory.com/docs/polis): SAML SSO and SCIM directory sync for B2B identity
- [SAML SSO setup](https://www.ory.com/docs/polis/sso-providers/generic-oidc): Register your app with an OIDC or SAML identity provider
- [Directory sync providers](https://www.ory.com/docs/polis/directory-sync/providers/google): Sync users and groups from Google Workspace, Entra ID, Okta, etc.
- [Polis service quickstart](https://www.ory.com/docs/polis/guides/service): Deploy Polis with Docker, Kubernetes, or from source

## Ory Oathkeeper

- [Oathkeeper overview](https://www.ory.com/docs/oathkeeper): Zero-trust identity and access proxy
- [Access rules](https://www.ory.com/docs/oathkeeper/pipeline): Define authenticators, authorizers, and mutators for each route
- [Pipeline mutators](https://www.ory.com/docs/oathkeeper/pipeline/mutator): Transform upstream requests with headers, JWTs, cookies, or ID tokens

## API Reference

- [REST API reference](https://www.ory.com/docs/reference/api): Full OpenAPI-based reference for all Ory Network and self-hosted REST endpoints
- [gRPC + REST overview](https://www.ory.com/docs/api): CORS configuration and API access patterns

## SDKs and CLI

- [Ory SDKs](https://www.ory.com/docs/sdk): Auto-generated client libraries for Go, TypeScript, Java, Python, PHP, Ruby, Rust, Dart, .NET
- [Ory CLI basics](https://www.ory.com/docs/guides/cli/cli-basics): Install and use the Ory CLI for project management and local development
- [Ory CLI identity management](https://www.ory.com/docs/guides/cli/identity-cli): Get, update, patch, and import identity configurations via CLI

## Self-Hosted and Enterprise

- [Open-source projects overview](https://www.ory.com/docs/open-source): Index of all Ory OSS repositories on GitHub
- [Ory Enterprise License quickstart](https://www.ory.com/docs/self-hosted/oel/quickstart): Run OEL builds of Hydra, Kratos, Keto, Oathkeeper, and Polis from private Docker registries
- [Ory Helm charts](https://k8s.ory.sh/helm/kratos.html): Kubernetes Helm charts for deploying Ory services

## Company

- [Ory homepage](https://www.ory.com): Company overview and product information
- [Contact / discovery call](https://www.ory.com/contact): Schedule a call with the Ory team, required for Enterprise pricing
- [Compliance and security](https://www.ory.com/docs/security-compliance/compliance-and-certifications): ISO 27001, SOC 2, GDPR, data residency; full documents available in the [Ory Trust Center](https://trust.ory.sh/)

## Case Studies

- [commercetools](https://www.ory.com/case-studies/commercetools): Global B2B commerce platform chose Ory's headless, multi-region platform for mission-critical identity
- [Moonpig](https://www.ory.com/case-studies/moonpig): UK gifting platform eliminated login friction and improved customer conversion with Ory CIAM
- [DataRobot](https://www.ory.com/case-studies/datarobot): AI platform accelerated service integration from weeks to minutes and fortified security with Ory
- [North One](https://www.ory.com/case-studies/northone): US business banking platform gained CIAM control, security, and reliability with Ory Network
- [Hemnet](https://www.ory.com/case-studies/hemnet): Sweden's top property platform transformed CIAM and scaled user experience with Ory
- [Macromill](https://www.ory.com/case-studies/macromill): Market research group modernized CIAM and gained full control over identity login
- [Axel Springer](https://www.ory.com/case-studies/axel-springer): Europe's largest digital media publisher streamlined CIAM and scalability with Ory
- [OpenAI](https://www.ory.com/case-studies/openai): OpenAI leverages Ory Hydra to support over 400M weekly active users
- [Lumin](https://www.ory.com/case-studies/lumin): Document management platform protects user data with Ory
- [Sencrop](https://www.ory.com/case-studies/sencrop): Agricultural IoT company migrated from Auth0 to Ory for future-proof authentication
- [Fandom](https://www.ory.com/case-studies/fandom): Entertainment wiki platform secured authentication for tens of millions of users
- [Maxroll](https://www.ory.com/case-studies/maxroll): Gaming guides platform chose Ory Network for secure, scalable, and affordable authentication
- [Effortless Solutions](https://www.ory.com/case-studies/effortless-solutions): Software consultancy achieved seamless integration with Ory
- [HGV](https://www.ory.com/case-studies/hgv): Tourism organization migrated from Azure AD to Ory Network for reliability
- [zezam](https://www.ory.com/case-studies/zezam): Creator platform leveraged Ory for secure and scalable social logins
- [OSINT Industries](https://www.ory.com/case-studies/osint): Cybersecurity company chose Ory for swift migration, developer experience, and cost savings

## Blog

- [OpenAI uses open source Ory to authenticate over 400M weekly active users](https://www.ory.com/blog/openai-oauth2-server-open-source): How Ory Hydra scaled to power OpenAI's OAuth2 infrastructure
- [Ory Partners with HID](https://www.ory.com/blog/partnership-announcement-hid): First enterprise FIDO2 identity platform for converged physical and digital access
- [Maestro please... the engineer as the conductor of the orchestra](https://www.ory.com/blog/engineers-as-conductors-ai-agent-orchestration): Engineers orchestrating AI agents
- [Make Claude Code faster and cheaper with Ory Lumen](https://www.ory.com/blog/ory-lumen-semantic-search-claude-code): Ory Lumen semantic search for AI coding tools
- [Top 5 CIAM trends in 2026](https://www.ory.com/blog/top-5-ciam-trends-2026): Agentic AI, passkeys, and emerging identity trends
- [The Hidden Cost of Agentic Coding](https://www.ory.com/blog/hidden-cost-agentic-coding): Cost analysis of AI-assisted development
- [Why It's Time to Move Beyond Homegrown IAM](https://www.ory.com/blog/beyond-homegrown-iam): Case for replacing custom-built identity systems
- [Beyond the Login Box](https://www.ory.com/blog/beyond-the-login-box): How OpenAI, Axel Springer, and Fandom redefine identity at scale
- [Identity that fits today, and tomorrow: Right-sizing for financial services](https://www.ory.com/blog/identity-that-fits-today-and-tomorrow-for-financial-services): Identity infrastructure for financial services
- [Making Every Moment Matter: How Moonpig Mastered Customer Conversion with Ory](https://www.ory.com/blog/how-moonpig-mastered-customer-conversions): Moonpig's conversion optimization with Ory CIAM
- [From Buffering Wheels to Billions of Streams](https://www.ory.com/blog/buffering-wheels-to-billions-of-streams): What agentic AI teaches about scaling identity
- [Who is your AI agent acting as?](https://www.ory.com/blog/agentic-ai-identity-and-access): The identity question for AI agents and MCP
- [The Rise of the AI Coworker and Why Your Security Isn't Ready](https://www.ory.com/blog/ai-agents-your-security-is-not-ready): Security implications of AI agents in the workplace
- [Managing Agentic Identities at Scale](https://www.ory.com/blog/managing-agentic-at-scale): Managing 10,000 to 1,000,000 AI agent identities
- [The control plane shift: What we saw at AWS re:Invent 2025](https://www.ory.com/blog/control-plane-shift-aws-reinvent-2025): Identity trends from AWS re:Invent
- [Stop Impersonating Your Users](https://www.ory.com/blog/identity-level-impersonation): Why identity-level impersonation is dangerous and alternatives
- [The next scale frontier: Ory and Cockroach Labs](https://www.ory.com/blog/next-scale-frontier-agentic-scale-ory-crdb): Partnership for distributed identity infrastructure for agentic AI
- [Don't Build Your Own Auth](https://www.ory.com/blog/do-not-build-your-own-auth): Why building custom authentication is risky
- [Announcing Ory v25.4: Unified versioning](https://www.ory.com/blog/ory-oss-v25-4-0-new-release-announcement-versioning-scheme): New unified versioning scheme across the Ory ecosystem
- [How Apple broke Sign in with Apple](https://www.ory.com/blog/apple-broke-sign-in-with-apple): Unannounced redirect change that broke OIDC flows
- [Introducing Ory Polis for Enterprise SSO](https://www.ory.com/blog/introducing-ory-polis-for-enterprise-single-sign-on): SAML, OIDC, and SCIM for B2B and B2B2C use cases
- [Skyfire: Identity foundation for AI agentic autonomy](https://www.ory.com/blog/autonomous-commerce-agentic-ai-identity-skyfire-ory): Partnership enabling AI agents as economic participants
- [Ory Enterprise License behind the scenes](https://www.ory.com/blog/ory-enterprise-license-behind-scenes): Interview on OEL features, architecture, and use cases
- [Ory Hires CCO & CSO and launches Ory Enterprise License](https://www.ory.com/blog/ory-launches-self-hosted-ory-enterprise-license-offering): OEL launch announcement and leadership hires
- [Ory Network Workspaces and fair pricing with aDAU](https://www.ory.com/blog/ory-price-2024-dau-mau): aDAU pricing model explained, workspace-based billing
- [Ory lands $22.5M Series A funding](https://www.ory.com/blog/ory-series-a-funding-update): Series A led by Insight Partners
- [Ory Network is now SOC 2 Type 2 certified](https://www.ory.com/blog/ory-network-soc2-type-2-certified): SOC 2 Type 2 audit completion
- [Ory Network is now ISO 27001 certified](https://www.ory.com/blog/ory-iso27001-certified): ISO 27001 certification by BARR
- [Introducing Ory Kratos v1.0](https://www.ory.com/blog/ory-kratos-v1): Major release of the identity and user management system
- [Introducing the all-new Ory Console](https://www.ory.com/blog/console-v2): Redesigned administration UI with stats and metrics
- [Ory Hydra 2.0 is out](https://www.ory.com/blog/oauth2-server-openid-ory-hydra-v2): Major OAuth2/OIDC server release
- [Open Source support policy](https://www.ory.com/blog/ory-support-code-of-conduct-2023): Formalized community support policy for Ory OSS
- [Interview with Cal.com](https://www.ory.com/blog/interview-with-calcom-enhancing-enterprise-experience-with-ory): How Cal.com uses Ory Polis for enterprise SSO
- [Ory Polis 2023 Changelog](https://www.ory.com/blog/changelog-saml-jackson-2023): SAML Federation, directory sync, and SSO updates
- [Ory Polis 2024 Changelog](https://www.ory.com/blog/changelog-saml-jackson-2024): SSO, directory sync, and audit log updates

## Optional

- [GitHub: ory/kratos](https://github.com/ory/kratos): Identity and user management server source code
- [GitHub: ory/hydra](https://github.com/ory/hydra): OAuth2 and OpenID Connect server source code
- [GitHub: ory/keto](https://github.com/ory/keto): Permission and authorization server source code
- [GitHub: ory/oathkeeper](https://github.com/ory/oathkeeper): Zero-trust reverse proxy source code
- [GitHub: ory/docs](https://github.com/ory/docs): Documentation source repository
- [Ory community Slack](https://slack.ory.com): Community support channel
- [GitHub Discussions](https://github.com/orgs/ory/discussions): Community Q&A and feature requests
- [Ory blog](https://www.ory.com/blog): Product updates, technical articles, and company news
- [Ory Network status](https://status.ory.com): Service availability and incident history