Open-source identity and access management at cloud scale
Ory is a German open-source identity infrastructure company offering a modular stack of four components: Ory Kratos (identity management), Ory Hydra (OAuth2/OIDC), Ory Keto (permissions), and Ory Oathkeeper (API gateway). Founded in 2017 in Munich, Ory provides both self-hosted and managed cloud options for enterprise-grade identity at scale.
Headquarters: Munich, Germany
Founded: 2017
Pricing: Free; Pay-as-you-go; Contact Sales (billing: monthly, annual)
EU Data Hosting: Yes
Employees: 51-200
Open Source: Yes
Over 80% of data breaches involve compromised credentials, according to the Verizon Data Breach Investigations Report. Authentication is not a commodity feature — it is the single most important security surface for any application. And for European organisations, the choice of identity provider carries an additional layer of complexity: GDPR, data residency, and the question of whether your users' credentials are stored on US-controlled infrastructure.
Ory is a German company that has built its answer to this problem in the open. Founded in 2017 in Munich by a team of developers frustrated with the limitations of proprietary identity platforms, Ory has grown into one of the most adopted open-source identity projects in the world. The Ory GitHub repositories have accumulated tens of thousands of stars, and the Ory Network cloud service processes billions of identity operations.
What makes Ory distinctive is its modular architecture. Rather than a monolithic auth platform, Ory provides four specialised components: Ory Kratos for identity management, Ory Hydra for OAuth2 and OpenID Connect, Ory Keto for permissions (inspired by Google's Zanzibar paper), and Ory Oathkeeper for API access control. Teams can adopt one component or the full stack, self-hosted or via Ory Network's managed cloud with EU data residency.
Kratos is the identity layer: user registration, login, account recovery, profile management, and multi-factor authentication. It is designed as a headless service, exposing APIs and webhooks rather than rendering its own UI. This means developers build their own login screens, which provides complete control over the user experience but requires more frontend work than drop-in solutions like Auth0.
Kratos supports multiple authentication methods: password, TOTP (time-based one-time passwords), WebAuthn/passkeys, SMS codes, and social login via OIDC providers. Self-service flows handle the common lifecycle events — email verification, password reset, account recovery — with configurable policies and webhook triggers for downstream integration.
Hydra is a certified OAuth2 and OpenID Connect provider — meaning it has passed the official conformance tests maintained by the OpenID Foundation. This certification matters for organisations that need to issue tokens, manage client credentials, or federate identity across services. Hydra handles the OAuth2 ceremony (authorization code, client credentials, refresh tokens) without storing user credentials itself — it delegates authentication to Kratos or any other identity provider.
The practical significance: teams building platforms that need to issue API tokens, support third-party integrations, or implement single sign-on across multiple applications can use Hydra as a standards-compliant foundation rather than building OAuth2 from scratch.
Keto is modelled on Google's Zanzibar paper, which describes the permission system used internally at Google for services like Drive, YouTube, and Cloud. It implements relationship-based access control (ReBAC), where permissions are defined as relationships between subjects (users, groups) and objects (documents, APIs, resources).
This is more expressive than traditional role-based access control (RBAC). Instead of "user X has role admin," you can express "user X is an editor of document Y in workspace Z." For applications with complex permission requirements — multi-tenant SaaS, collaborative tools, marketplaces — Keto provides the granularity that RBAC cannot.
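To make the relationship model concrete, here is a small in-memory Zanzibar-style permission check written in Go for this page. It is added example code, not Ory Keto's implementation or API: the object ids, relations and sample tuples (workspace:acme, document:roadmap, user:alice and so on) are constructed, and the implied-relation table stands in for the userset rewrites a Keto namespace configuration would express. It shows the two things the paragraph describes, a subject set (every member of a workspace is an editor of a document) and relation hierarchy (an owner is also an editor, an editor is also a viewer), resolved by recursive expansion with cycle protection.

```go
package main

import (
	"fmt"
	"strings"
)

// Subject of a relation tuple: either one user (User set) or a subject set,
// i.e. everyone who has Relation on Object (Object and Relation set).
type Subject struct {
	User     string
	Object   string
	Relation string
}

// Tuple encodes "Subject has Relation on Object" (Zanzibar: object#relation@subject).
type Tuple struct {
	Object   string
	Relation string
	Subject  Subject
}

// Store is a toy in-memory relation store (example code, not Keto).
// implied maps "namespace.relation" to the relations on the same object that
// imply it: an owner is also an editor, an editor is also a viewer.
type Store struct {
	tuples  []Tuple
	implied map[string][]string
}

// namespace extracts the namespace from an object id such as "document:roadmap".
func namespace(object string) string {
	if i := strings.Index(object, ":"); i >= 0 {
		return object[:i]
	}
	return object
}

// Check answers "does user have relation on object?" by following tuples,
// expanding subject sets recursively and applying implied-relation rewrites.
func (s *Store) Check(object, relation, user string) bool {
	return s.check(object, relation, user, map[string]bool{})
}

func (s *Store) check(object, relation, user string, visited map[string]bool) bool {
	key := object + "#" + relation
	if visited[key] { // already explored or in progress: stops cycles
		return false
	}
	visited[key] = true
	for _, t := range s.tuples {
		if t.Object != object || t.Relation != relation {
			continue
		}
		if t.Subject.User == user {
			return true // direct grant
		}
		if t.Subject.Object != "" && s.check(t.Subject.Object, t.Subject.Relation, user, visited) {
			return true // granted through a subject set, e.g. workspace:acme#member
		}
	}
	for _, stronger := range s.implied[namespace(object)+"."+relation] {
		if s.check(object, stronger, user, visited) {
			return true // granted through a stronger relation on the same object
		}
	}
	return false
}

// NewExampleStore builds a store with constructed sample data: alice and bob
// are members of workspace acme, every acme member is an editor of document
// roadmap, and carol owns the document.
func NewExampleStore() *Store {
	return &Store{
		tuples: []Tuple{
			{"workspace:acme", "member", Subject{User: "user:alice"}},
			{"workspace:acme", "member", Subject{User: "user:bob"}},
			{"document:roadmap", "editor", Subject{Object: "workspace:acme", Relation: "member"}},
			{"document:roadmap", "owner", Subject{User: "user:carol"}},
		},
		implied: map[string][]string{
			"document.editor": {"owner"},
			"document.viewer": {"editor"},
		},
	}
}

func main() {
	s := NewExampleStore()
	for _, q := range []struct{ obj, rel, user string }{
		{"document:roadmap", "viewer", "user:alice"}, // true via member -> editor -> viewer
		{"document:roadmap", "editor", "user:carol"}, // true via owner -> editor
		{"document:roadmap", "owner", "user:alice"},  // false
		{"document:roadmap", "viewer", "user:dave"},  // false, no relation at all
	} {
		fmt.Printf("%s %s %s -> %v\n", q.user, q.rel, q.obj, s.Check(q.obj, q.rel, q.user))
	}
}
```

The point to notice is that revoking alice's workspace membership removes her document access in one tuple deletion, with no per-document role to clean up; that is the granularity and maintainability argument for ReBAC over flat RBAC. A production engine (Keto included) also needs tuple-to-userset rewrites, indexing and caching, none of which this sketch attempts.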
Oathkeeper sits at the network edge, evaluating incoming requests against access policies and enriching requests with identity information before forwarding them to backend services. It acts as a zero-trust access proxy: every request is authenticated and authorised before reaching your application logic.
Oathkeeper integrates with Kratos and Hydra to validate sessions and tokens, and with Keto to check permissions. For microservice architectures, this centralises access control at the gateway layer rather than scattering auth checks across individual services.
All Ory components are designed for horizontal scaling. They are stateless services backed by standard databases (PostgreSQL, MySQL, CockroachDB), deployable on Kubernetes, and operable with infrastructure-as-code tools like Terraform. Ory Network, the managed cloud, runs this same stack with multi-region availability and EU data hosting.
Ory's pricing model reflects its open-source DNA. The entire stack is available under the Apache 2.0 licence with no feature limitations — self-hosted Ory is genuinely free, not freemium. You pay for your own infrastructure, but there are no licence fees, per-user charges, or artificial capability restrictions.
Ory Network, the managed cloud, offers a free tier with a daily active user allowance that is generous enough for development and small production workloads. The Growth tier introduces usage-based pricing that scales with daily active users, and adds custom domains, email support, and SLA guarantees.
Enterprise pricing is custom and includes dedicated infrastructure, custom SLAs, a dedicated support engineer, and compliance assistance. For organisations comparing Ory Network to Auth0, the cost difference at scale can be dramatic — Auth0's per-user pricing model generates five-figure monthly bills that Ory's architecture avoids.
The value equation is clearest for two profiles: teams that self-host and pay nothing for identity infrastructure, and high-scale applications where per-user pricing from competitors becomes prohibitive.
Ory is a German company with its managed cloud infrastructure hosted in the EU. For organisations using Ory Network, user data is processed and stored in European data centres with no cross-border data transfers to non-EU jurisdictions.
The open-source option provides the strongest compliance posture: self-hosted Ory means user credentials, sessions, and access policies never leave your infrastructure. There is no data processor relationship with Ory, no subprocessor chain to audit, and no Schrems II questions to answer. For organisations in regulated sectors — finance, healthcare, government — this eliminates the most common GDPR compliance concerns with identity providers.
All Ory components use open standards (OAuth2, OIDC, FIDO2, WebAuthn), which means no proprietary protocols that create vendor lock-in. If you need to migrate away from Ory, your identity data is portable and your integration patterns are standards-based.
Platform engineering teams building multi-service architectures who need production-grade identity, OAuth2, and permissions without paying per-user fees. Ory's modular stack fits into existing infrastructure rather than replacing it.
High-scale SaaS companies where Auth0 or Okta pricing has become unsustainable. Self-hosted Ory eliminates per-user costs entirely, and Ory Network's pricing scales more favourably.
Privacy-first European organisations that need to demonstrate complete control over identity data. Self-hosted Ory on EU infrastructure is the cleanest architecture for GDPR compliance.
Developer teams comfortable with complexity who want full control over authentication UX. Ory's headless approach rewards teams that can build their own frontend, and punishes those looking for a drag-and-drop solution.
Ory is the most comprehensive open-source identity stack available, and it is built by a German company with EU cloud hosting. The modular architecture, Zanzibar-inspired permissions, and certified OAuth2 server put it in a category that proprietary platforms cannot match on flexibility or cost. The trade-off is real, though: Ory demands developer expertise. There are no pre-built login screens, the documentation has a learning curve, and operating four components requires infrastructure maturity. For teams that have that capability, Ory is one of the best identity infrastructure choices in Europe.
Yes. Ory is a German company with Ory Network cloud infrastructure hosted in the EU. The fully open-source stack can also be self-hosted for complete data sovereignty, with no data leaving your infrastructure.
Yes. All Ory components (Kratos, Hydra, Keto, Oathkeeper) are open-source under the Apache 2.0 licence and can be self-hosted on any infrastructure. You get the complete feature set with no artificial limitations.
Ory is open-source and modular — you can use individual components or the full stack. Auth0 is a proprietary, all-in-one platform. Ory offers dramatically lower cost at scale, full self-hosting capability, and EU data sovereignty. Auth0 has a more polished out-of-the-box experience and a larger ecosystem.
Kratos handles identity management (registration, login, account recovery). Hydra is a certified OAuth2 and OpenID Connect server. Keto is a permissions engine inspired by Google's Zanzibar. Oathkeeper is an API gateway that enforces access policies. They work together or independently.
Ory's architecture is designed for cloud-native scale. Ory Network has handled billions of identity checks. Self-hosted deployments scale horizontally with your database and compute infrastructure, with no built-in user limits.