Ory
Capability scores
- Authentication: 4.5
- SSO & Federation: 4.0
- Authorization: 4.5
- Lifecycle & Provisioning: 3.5
- MFA & Passwordless: 4.0
- Governance & Audit: 3.5
- Developer Experience: 4.5
- Deployment Flexibility: 4.5
- Pricing Transparency: 4.0
- Support & Ecosystem: 3.0
Scored 0–5 against a published rubric. Independent analysis, no vendor sponsorship.
Overview
Ory is a set of open-source identity components rather than a single monolith: Kratos for identity and authentication, Hydra for OAuth2 and OIDC, Keto for Zanzibar-style fine-grained authorization, and Oathkeeper for access proxying. The pieces are API-first and headless, meant to be composed into the exact identity stack a team needs.
Capability deep-dive
Ory's strengths are architecture and authorization. The components are well-engineered, fully headless (you build your own UI), and Keto brings Google Zanzibar relationship-based permissions to open source, which few alternatives match. Standards support in Hydra is strong and certified. The trade-off is assembly: there is no bundled admin console or turnkey IdP, so you wire components together, host your own login flows, and operate each service. That suits engineering-heavy teams and frustrates those wanting an out-of-the-box product. The community is active but smaller than Keycloak's, and some convenience features push you toward Ory Network, the managed offering.
Pricing
Open source and self-hostable at no license cost (Apache 2.0). Ory Network is the managed cloud with a free developer tier and usage-based paid plans, plus enterprise support.
Bottom line
The best open-source choice when you want composable, API-first identity and serious fine-grained authorization. Expect to build the UI and operate the pieces yourself.