Chat · Discussions · Newsletter · Docs · Try Ory Network · Jobs
Ory Keto is the first and most popular open source implementation of "Zanzibar: Google's Consistent, Global Authorization System". It provides a scalable, performant authorization server for managing permissions at scale.
- What is Ory Keto?
- Deployment options
- Quickstart
- Who is using Ory Keto
- Ecosystem
- Documentation
- Developing Ory Keto
- Security
- Telemetry
Ory Keto is an open source implementation of "Zanzibar: Google's Consistent, Global Authorization System". It follows cloud architecture best practices and focuses on:
- Scalable permission checks based on the Zanzibar model
- The Ory Permission Language for defining access control policies
- Relationship-based access control (ReBAC)
- Low latency permission checks (sub-10ms)
- Horizontal scaling to billions of relationships
- Consistency and high availability
We recommend starting with the Ory Keto introduction docs to learn more about its architecture, feature set, and how it compares to other systems.
Ory Keto is designed to:
- Implement Google's Zanzibar authorization model at scale
- Provide low-latency permission checks for billions of relationships
- Support the Ory Permission Language for flexible access control
- Work with any identity provider through integration points
- Scale horizontally without effort
- Fit into modern cloud native environments such as Kubernetes and managed platforms
You can run Ory Keto in two main ways:
- As a managed service on the Ory Network
- As a self hosted service under your own control, with or without the Ory Enterprise License
The Ory Network is the fastest way to use Ory services in production. Ory Permissions is powered by the open source Ory Keto server and is API compatible.
The Ory Network provides:
- Low latency permission checks based on Google's Zanzibar model with built-in support for the Ory Permission Language
- Identity and credential management that scales to billions of users and devices
- Registration, login, and account management flows for passkeys, biometrics, social login, SSO, and multi factor authentication
- OAuth2 and OpenID Connect for single sign on, API access, and machine to machine authorization
- GDPR friendly storage with data locality and compliance in mind
- Web based Ory Console and Ory CLI for administration and operations
- Cloud native APIs compatible with the open source servers
- Fair, usage based pricing
Sign up for a free developer account to get started.
You can run Ory Keto yourself for full control over infrastructure, deployment, and customization.
The install guide explains how to:
- Install Keto on Linux, macOS, Windows, and Docker
- Configure databases such as PostgreSQL, MySQL, and CockroachDB
- Deploy to Kubernetes and other orchestration systems
- Build Keto from source
This guide uses the open source distribution to get you started without license requirements. It is a great fit for individuals, researchers, hackers, and companies that want to experiment, prototype, or run unimportant workloads without SLAs. You get the full core engine, and you are free to inspect, extend, and build it from source.
If you run Keto as part of a business-critical system, you should use a commercial agreement to reduce operational and security risk. The Ory Enterprise License (OEL) layers on top of self-hosted Keto and provides:
- Additional enterprise features that are not available in the open source version
- Regular security releases, including CVE patches, with service level agreements
- Support for advanced scaling, multi-tenancy, and complex deployments
- Premium support options with SLAs, direct access to engineers, and onboarding help
- Access to a private Docker registry with frequent and vetted, up-to-date enterprise builds
For guaranteed CVE fixes, current enterprise builds, advanced features, and support in production, you need a valid Ory Enterprise License and access to the Ory Enterprise Docker registry. To learn more, contact the Ory team.
Install the Ory CLI and create a new project to try Ory Permissions.
# Install the Ory CLI if you do not have it yet: bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory sudo mv ./ory /usr/local/bin/ # Sign in or sign up ory auth # Create a new project ory create project --create-workspace "Ory Open Source" --name "GitHub Quickstart" --use-projectCreate a namespace with the Ory Permission Language:
# Write a simple configuration with one namespaceecho"class Document implements Namespace{}"> config.ts # Apply that configuration ory patch opl -f file://./config.ts # Create a relationship that grants tom access to a documentecho"Document:secret#read@tom" \ | ory parse relation-tuples --format=json - \ | ory create relation-tuples - # List all relationships ory list relation-tuples # Check if tom can read the document ory check permission Document:secret read tomThe Ory community stands on the shoulders of individuals, companies, and maintainers. The Ory team thanks everyone involved - from submitting bug reports and feature requests, to contributing patches and documentation. The Ory community counts more than 50.000 members and is growing. The Ory stack protects 7.000.000.000+ API requests every day across thousands of companies. None of this would have been possible without each and everyone of you!
The following list represents companies that have accompanied us along the way and that have made outstanding contributions to our ecosystem. If you think that your company deserves a spot here, reach out to [email protected] now!
| Name | Logo | Website | Case Study |
|---|---|---|---|
| OpenAI |  | openai.com | OpenAI Case Study |
| Fandom |  | fandom.com | Fandom Case Study |
| Lumin |  | luminpdf.com | Lumin Case Study |
| Sencrop |  | sencrop.com | Sencrop Case Study |
| OSINT Industries |  | osint.industries | OSINT Industries Case Study |
| HGV |  | hgv.it | HGV Case Study |
| Maxroll |  | maxroll.gg | Maxroll Case Study |
| Zezam |  | zezam.io | Zezam Case Study |
| T.RowePrice |  | troweprice.com | |
| Mistral |  | mistral.ai | |
| Axel Springer |  | axelspringer.com | |
| Hemnet |  | hemnet.se | |
| Cisco |  | cisco.com | |
| Presidencia de la República Dominicana |  | presidencia.gob.do | |
| Moonpig |  | moonpig.com | |
| Booster |  | choosebooster.com | |
| Zaptec |  | zaptec.com | |
| Klarna |  | klarna.com | |
| Raspberry PI Foundation |  | raspberrypi.org | |
| Tulip |  | tulip.com | |
| Hootsuite |  | hootsuite.com | |
| Segment |  | segment.com | |
| Arduino |  | arduino.cc | |
| Sainsbury's |  | sainsburys.co.uk | |
| Contraste |  | contraste.com | |
| inMusic |  | inmusicbrands.com | |
| Buhta |  | buhta.com | |
| Amplitude |  | amplitude.com | |
 |  |  |  |
 |  |  |  |
 |  |  |  |
 |  |  |
Many thanks to all individual contributors
We build Ory on several guiding principles when it comes to our architecture design:
- Minimal dependencies
- Runs everywhere
- Scales without effort
- Minimize room for human and network errors
Ory's architecture is designed to run best on a Container Orchestration system such as Kubernetes, CloudFoundry, OpenShift, and similar projects. Binaries are small (5-15MB) and available for all popular processor types (ARM, AMD64, i386) and operating systems (FreeBSD, Linux, macOS, Windows) without system dependencies (Java, Node, Ruby, libxml, ...).
Ory Kratos is an API-first Identity and User Management system that is built according to cloud architecture best practices. It implements core use cases that almost every software application needs to deal with: Self-service Login and Registration, Multi-Factor Authentication (MFA/2FA), Account Recovery and Verification, Profile, and Account Management.
Ory Hydra is an OpenID Certified™ OAuth2 and OpenID Connect Provider which easily connects to any existing identity system by writing a tiny "bridge" application. It gives absolute control over the user interface and user experience flows.
Ory Oathkeeper is a BeyondCorp/Zero Trust Identity & Access Proxy (IAP) with configurable authentication, authorization, and request mutation rules for your web services: Authenticate JWT, Access Tokens, API Keys, mTLS; Check if the contained subject is allowed to perform the request; Encode resulting content into custom headers (X-User-ID), JSON Web Tokens and more!
Ory Keto is a policy decision point. It uses a set of access control policies, similar to AWS IAM Policies, in order to determine whether a subject (user, application, service, car, ...) is authorized to perform a certain action on a resource.
The full Ory Keto documentation is available at www.ory.sh/docs/keto, including:
For upgrading and changelogs, check UPGRADE.md and CHANGELOG.md.
See DEVELOP.md for information on:
- Contribution guidelines
- Prerequisites
- Install from source
- Running tests
- Build Docker image
If you think you found a security vulnerability, please refrain from posting it publicly on the forums, the chat, or GitHub. You can find all info for responsible disclosure in our security.txt.
Our services collect summarized, anonymized data that can optionally be turned off. Click here to learn more.
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
![@renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=64&v=4){kind=small}
