- Ory Hydra for OAuth2 and OIDC flows.
- Ory Kratos for identity management (including users, groups, and organizations).
- Ory Keto for fine-grained authorization and relationship-based access control (ReBAC, inspired by Google Zanzibar).

Ory components
Ory Hydra
Ory Hydra is a server implementation of the OAuth 2.0 authorization framework and the OpenID Connect Core 1.0. It tracks clients, consent requests, and tokens with strong consistency to prevent replay attacks and duplicate authorizations. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. The following diagram shows the series of requests made between a user, an application client, and an underlying authorization server:

- Client: An application seeking access to protected resources.
- Resource Owner: The user.
- Ory Hydra: The authorization server.
- Resource Server: The API or service that hosts protected resources.
Ory Kratos
Ory Kratos stores user identity records, recovery flows, sessions, and login attempts in transactional tables. Each identity can be associated with one or more credentials, stored in theidentity_credentials table. These credentials define how a user authenticates with the system, such as through a password, social login, or other mechanisms.
Kratos enables users to sign up and manage their profiles without administrative help. It implements the following flows:
- Registration
- Login
- Logout
- User Settings
- Account Recovery
- Address Verification
- User-Facing Error
- 2FA / MFA

Ory Keto
Ory Keto provides scalable, relationship-based access control (ReBAC). In Keto, authorization is checked by evaluating whether a relation tuple exists (directly or through recursive expansion) that permits a given subject to perform a relation on an object in a namespace. This data model is designed for high scalability and flexibility, enabling complex access patterns like group membership, role inheritance, and hierarchical access rights. A permission model is a set of rules that define which relations are checked in the database during a permission check. Permission checks are answered based on:- The data available in CockroachDB, for example: “user Bob is the owner of document X”.
- Permission rules, for example: “All owners of a document can view it”.


