
Ory: The Open Source IAM Stack That Powers ChatGPT’s Login

Ory Handles Authentication for OpenAI's 900M Weekly Users. Learn What Ory Is and Who It's For.

By sk

Every application eventually faces the same problem: users need to log in. It sounds simple, but it isn't. Behind a login button sits a series of security decisions: password hashing, session management, CSRF protection, brute-force defense, multi-factor auth, password recovery, email verification, token expiry, and a dozen more concerns that have nothing to do with what your app actually does.

Most teams handle this one of three ways. They build it themselves and spend months patching edge cases. They reach for a managed service like Auth0 and eventually hit a pricing wall. Or they bolt on a library and end up owning half the security logic anyway.

Ory is a fourth option, and for developers and infrastructure engineers who care about control, it's worth understanding properly.

What Is Ory?

Ory is an open source suite of identity and access management (IAM) tools for cloud-native applications. It provides authentication, authorization, and identity management as five independently deployable services:

  • Ory Kratos: User registration, login, sessions, MFA, and password recovery
  • Ory Hydra: OAuth 2.0 and OpenID Connect server for token issuance
  • Ory Keto: Fine-grained permissions using Google's Zanzibar model
  • Ory Oathkeeper: Identity-aware reverse proxy for Zero Trust networking
  • Ory Polis: Enterprise SSO bridge for SAML and SCIM integration

The four core components (Kratos, Hydra, Keto, Oathkeeper) are Apache 2.0 licensed, written in Go, and self-hostable. Polis is the exception: it ships under the Ory Enterprise License (see below).

It is not a SaaS product you're locked into. It is not a library you integrate into your app. It is a set of production-hardened services you run alongside your application - self-hosted, managed, or both.

The Problem Ory Solves

Ory takes on the complex and security-critical work of building and maintaining authentication and authorization so that your team does not have to do it in-house. This includes conformance with current standards such as OAuth 2.0 and OIDC, protection against common attacks, and a unified identity layer that avoids data silos between applications.

Put differently: Ory lets your team stop writing auth code and start shipping product features.

The alternative - building authentication yourself - means owning every security decision in perpetuity. Argon2 configuration. Timing-safe comparisons. CSRF token lifecycle. Recovery token expiry. Session rotation after privilege escalation. These are solvable problems, but they are not your problems to solve. They are Ory's.

The Ory Ecosystem: Five Core Components

Ory is a suite of cloud-native IAM components built on a microservices architecture. It separates identity, authentication, and authorization into dedicated services that can be used independently or together.

Ory Kratos - Identity Management

Kratos handles everything to do with who a user is and how they prove it:

  • User registration and login
  • Session management
  • Password recovery and email verification
  • Multi-factor authentication (TOTP, WebAuthn, passkeys)
  • Social login (Google, GitHub, Apple via OIDC)
  • Account settings

Kratos is headless. It has no built-in UI. It exposes a REST API that your application calls to drive auth flows. Your login page is a normal page in your app; Kratos handles the security logic behind it. This gives you complete control over branding and user experience with zero compromise on security.
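What "headless" means in practice, shown as an added example (not Ory's own code): the app fetches the login flow from Kratos, and Kratos returns a description of the form (the `ui.nodes` array) rather than HTML. The app renders those nodes itself, including the hidden `csrf_token` node the flow must be submitted with. The flow JSON below is constructed sample data shaped like a real Kratos login flow after a failed attempt, where Kratos echoes the submitted identifier back into the form. That echoed value is attacker-controlled, which is why the renderer uses Go's html/template: it escapes by context, so the payload cannot break out of the attribute it lands in.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"html/template"
	"strings"
)

// Flow is the subset of a Kratos self-service login flow that a login page
// needs. Field names follow the Kratos API (GET /self-service/login/flows?id=...).
type Flow struct {
	ID string `json:"id"`
	UI struct {
		Action string `json:"action"`
		Method string `json:"method"`
		Nodes  []Node `json:"nodes"`
	} `json:"ui"`
}

// Node is one UI node; Kratos describes every form field this way, including
// the hidden csrf_token the flow must be submitted with.
type Node struct {
	Type       string `json:"type"`
	Group      string `json:"group"`
	Attributes struct {
		Name     string `json:"name"`
		Type     string `json:"type"`
		Value    any    `json:"value"`
		Required bool   `json:"required"`
	} `json:"attributes"`
	Meta struct {
		Label struct {
			Text string `json:"text"`
		} `json:"label"`
	} `json:"meta"`
}

var ErrNoCSRFToken = errors.New("flow has no csrf_token node")

// html/template escapes each value for the context it is rendered in
// (attribute value, element text, URL), so values Kratos echoes back from
// user input cannot inject markup.
var formTmpl = template.Must(template.New("login").Parse(
	`<form action="{{.UI.Action}}" method="{{.UI.Method}}">
{{range .UI.Nodes}}{{if eq .Type "input"}}{{with .Meta.Label.Text}}<label>{{.}}</label>
{{end}}<input name="{{.Attributes.Name}}" type="{{.Attributes.Type}}"{{with .Attributes.Value}} value="{{.}}"{{end}}{{if .Attributes.Required}} required{{end}}>
{{end}}{{end}}</form>
`))

// RenderLoginForm turns the flow JSON from Kratos into an HTML form. It refuses
// to render a flow without a csrf_token node: Kratos would reject the
// submission anyway, and a missing token usually means the flow was created
// through the wrong (non-browser) endpoint or the flow cookie was dropped.
func RenderLoginForm(flowJSON []byte) (string, error) {
	var f Flow
	if err := json.Unmarshal(flowJSON, &f); err != nil {
		return "", fmt.Errorf("decode flow: %w", err)
	}
	if !strings.EqualFold(f.UI.Method, "POST") {
		return "", fmt.Errorf("unexpected flow method %q", f.UI.Method)
	}
	hasCSRF := false
	for _, n := range f.UI.Nodes {
		if n.Attributes.Name == "csrf_token" && n.Attributes.Type == "hidden" {
			hasCSRF = true
		}
	}
	if !hasCSRF {
		return "", ErrNoCSRFToken
	}
	var sb strings.Builder
	if err := formTmpl.Execute(&sb, f); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// sampleFlow is constructed sample data, not a flow captured from Kratos. It is
// shaped like a login flow after a failed password attempt: the identifier is
// echoed back and carries a payload that would be an XSS if rendered raw.
const sampleFlow = `{
  "id": "0c5e0c2a-4d3c-4c3e-9b7a-1f0d8f9e1a2b",
  "ui": {
    "action": "http://127.0.0.1:4433/self-service/login?flow=0c5e0c2a-4d3c-4c3e-9b7a-1f0d8f9e1a2b",
    "method": "POST",
    "nodes": [
      {"type":"input","group":"default","attributes":{"name":"csrf_token","type":"hidden","value":"c2FtcGxlLWNzcmY","required":true}},
      {"type":"input","group":"password","attributes":{"name":"identifier","type":"text","value":"\"><script>alert(1)</script>","required":true},"meta":{"label":{"text":"E-Mail"}}},
      {"type":"input","group":"password","attributes":{"name":"password","type":"password","required":true},"meta":{"label":{"text":"Password"}}},
      {"type":"input","group":"password","attributes":{"name":"method","type":"submit","value":"password"},"meta":{"label":{"text":"Sign in"}}}
    ]
  }
}`

func main() {
	html, err := RenderLoginForm([]byte(sampleFlow))
	if err != nil {
		panic(err)
	}
	fmt.Println(html)
}
```

The same pattern applies to the registration, recovery, verification and settings flows: they all return `ui.nodes`, and the form must always be posted back to `ui.action` with the `csrf_token` node included.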

Ory Hydra - OAuth2 and OpenID Connect

Hydra is a certified OAuth 2.0 and OpenID Connect server. It handles:

  • Issuing access tokens, refresh tokens, and ID tokens
  • Authorization code, client credentials, and device authorization flows
  • Token introspection and revocation
  • Machine-to-machine and service-to-service authentication

If you need your application to act as an OAuth2 provider, letting users grant third-party apps access to their data, or enabling service-to-service auth, Hydra is the component you reach for. It is written in Go and designed for stateless horizontal scalability.
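How a resource server consumes what Hydra issues, as an added example (not Ory's code): it posts the bearer token to Hydra's admin introspection endpoint (`POST /admin/oauth2/introspect`, RFC 7662) and accepts the request only if the token is active, unexpired and carries the required scopes. The Hydra admin address is an assumption, and the introspection endpoint itself is a constructed in-process stand-in so the example runs offline; the checks in `Authorize` are the part that would run unchanged against a real Hydra.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// Introspection holds the RFC 7662 fields this resource server uses from the
// response of Hydra's POST /admin/oauth2/introspect.
type Introspection struct {
	Active   bool   `json:"active"`
	Subject  string `json:"sub"`
	Scope    string `json:"scope"`
	ClientID string `json:"client_id"`
	Exp      int64  `json:"exp"`
}

var (
	ErrInactive = errors.New("token is not active")
	ErrScope    = errors.New("token lacks a required scope")
)

// Introspector validates bearer tokens against the Hydra admin API. The admin
// port (4445 by default) must be reachable only from trusted services such as
// this resource server, never from clients.
type Introspector struct {
	AdminURL string // assumed address, e.g. http://hydra-admin:4445
	Client   *http.Client
}

// Authorize accepts a token only if Hydra reports it active, it has not
// expired, and it carries every required scope. Hydra already answers
// active=false when a requested scope is missing; the local checks are
// defence in depth against a misconfigured introspection endpoint.
func (i *Introspector) Authorize(token string, requiredScopes []string) (*Introspection, error) {
	form := url.Values{"token": {token}, "scope": {strings.Join(requiredScopes, " ")}}
	req, err := http.NewRequest(http.MethodPost, i.AdminURL+"/admin/oauth2/introspect", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := i.Client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("introspection failed: HTTP %d", resp.StatusCode)
	}
	var in Introspection
	if err := json.NewDecoder(resp.Body).Decode(&in); err != nil {
		return nil, err
	}
	if !in.Active || (in.Exp != 0 && time.Now().Unix() >= in.Exp) {
		return nil, ErrInactive
	}
	granted := map[string]bool{}
	for _, s := range strings.Fields(in.Scope) {
		granted[s] = true
	}
	for _, s := range requiredScopes {
		if !granted[s] {
			return nil, ErrScope
		}
	}
	return &in, nil
}

// fakeHydra is a constructed stand-in for the admin introspection endpoint so
// the example runs offline: one known token, active=false for anything else
// or when a requested scope was not granted (mirroring Hydra's behaviour).
func fakeHydra() *httptest.Server {
	known := map[string]Introspection{
		"ory_at_sample": {Active: true, Subject: "user-123", Scope: "read:documents",
			ClientID: "docs-web", Exp: time.Now().Add(time.Hour).Unix()},
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/admin/oauth2/introspect" {
			http.NotFound(w, r)
			return
		}
		info, ok := known[r.PostFormValue("token")]
		for _, want := range strings.Fields(r.PostFormValue("scope")) {
			if !strings.Contains(" "+info.Scope+" ", " "+want+" ") {
				ok = false
			}
		}
		if !ok {
			info = Introspection{Active: false}
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(info)
	}))
}

// CheckToken runs Authorize against the fake Hydra and returns the subject.
func CheckToken(token string, scopes []string) (string, error) {
	srv := fakeHydra()
	defer srv.Close()
	res, err := (&Introspector{AdminURL: srv.URL, Client: srv.Client()}).Authorize(token, scopes)
	if err != nil {
		return "", err
	}
	return res.Subject, nil
}

func main() {
	for _, tc := range [][]string{{"ory_at_sample", "read:documents"}, {"ory_at_sample", "write:documents"}, {"ory_at_revoked"}} {
		sub, err := CheckToken(tc[0], tc[1:])
		fmt.Printf("%-16s scopes=%v -> subject=%q err=%v\n", tc[0], tc[1:], sub, err)
	}
}
```

Introspection is a network round trip per request; if that cost matters, Hydra can issue JWT access tokens that a resource server verifies locally, at the price of losing immediate revocation.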

Ory Keto - Fine-Grained Permissions

Keto implements Google's Zanzibar permission model, the same system that powers Google Drive's sharing permissions. It handles:

  • Relationship-based access control (ReBAC)
  • Policy evaluation at scale
  • Permission inheritance and propagation ("can Alice edit this document?")

Most applications start with simple role-based access control and eventually need something more nuanced. Keto gives you a path there without rewriting your auth layer.
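To make the Zanzibar model concrete, here is an added toy evaluator (example code, not Keto's implementation). Permissions are relation tuples of the form object#relation@subject, where the subject is either a user id or a subject set such as groups:eng#member, and "editor implies viewer" is a rewrite rule rather than a stored tuple. In Keto the indirect subject is written as a `subject_set` on the relation tuple and the rewrite is declared in the Ory Permission Language; the data below is constructed sample data.

```go
package main

import "fmt"

// SubjectSet refers to everyone who has Relation on Namespace:Object,
// e.g. groups:eng#member.
type SubjectSet struct{ Namespace, Object, Relation string }

// Tuple is one relation tuple, object#relation@subject. The subject is either
// a concrete SubjectID or an indirect SubjectSet, never both.
type Tuple struct {
	Namespace, Object, Relation string
	SubjectID                   string
	SubjectSet                  *SubjectSet
}

// Store is a toy in-memory Zanzibar-style graph: stored tuples plus rewrite
// rules of the form "relation R on namespace N is implied by relation S".
type Store struct {
	Tuples  []Tuple
	Implied map[string][]string // "namespace#relation" -> relations that imply it
}

// Check answers "does subject have rel on ns:obj?" by scanning direct tuples,
// expanding subject sets recursively, and following implication rules.
// maxDepth bounds the walk so a cyclic graph cannot recurse forever (Keto
// applies a configurable max depth for the same reason).
func (s *Store) Check(ns, obj, rel, subject string, maxDepth int) bool {
	if maxDepth <= 0 {
		return false
	}
	for _, t := range s.Tuples {
		if t.Namespace != ns || t.Object != obj || t.Relation != rel {
			continue
		}
		if t.SubjectID != "" && t.SubjectID == subject {
			return true
		}
		if ss := t.SubjectSet; ss != nil && s.Check(ss.Namespace, ss.Object, ss.Relation, subject, maxDepth-1) {
			return true
		}
	}
	for _, stronger := range s.Implied[ns+"#"+rel] {
		if s.Check(ns, obj, stronger, subject, maxDepth-1) {
			return true
		}
	}
	return false
}

// NewSampleStore builds constructed sample data: alice is in the engineering
// group, bob owns the roadmap document, the whole group may edit it, and the
// usual hierarchy owner > editor > viewer applies to documents.
func NewSampleStore() *Store {
	eng := &SubjectSet{Namespace: "groups", Object: "eng", Relation: "member"}
	return &Store{
		Tuples: []Tuple{
			{Namespace: "groups", Object: "eng", Relation: "member", SubjectID: "alice"},
			{Namespace: "documents", Object: "roadmap", Relation: "owner", SubjectID: "bob"},
			{Namespace: "documents", Object: "roadmap", Relation: "editor", SubjectSet: eng},
		},
		Implied: map[string][]string{
			"documents#editor": {"owner"},
			"documents#viewer": {"editor"},
		},
	}
}

func main() {
	s := NewSampleStore()
	for _, q := range [][3]string{
		{"editor", "alice"}, {"viewer", "alice"}, {"owner", "alice"},
		{"viewer", "bob"}, {"viewer", "carol"},
	} {
		fmt.Printf("can %s %s documents:roadmap? %v\n", q[1], q[0], s.Check("documents", "roadmap", q[0], q[1], 10))
	}
}
```

Note what the model buys you: revoking alice's group membership is one tuple deletion, and "who can view the roadmap?" is the same graph walked in the other direction. Role-based checks can be expressed as a special case (a role is just a subject set), which is why the migration path from RBAC is incremental.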

Ory Oathkeeper - Identity-Aware Proxy

Oathkeeper is a reverse proxy and access control decision API that validates identity on every incoming HTTP request before it reaches your services:

  • Validates OAuth2 tokens, session cookies, API keys, and mTLS
  • Rewrites request headers with identity claims (e.g., X-User-Id)
  • Enables Zero Trust networking for HTTP services
  • Works with Nginx, Traefik, and Kubernetes ingress controllers

Think of it as a PAM module for HTTP traffic: every request is authenticated and authorized at the gate, before your application code sees it.
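What such a gate looks like in Oathkeeper's own terms, as an added example of an access rule (not taken from the Ory documentation). The upstream address and public hostname are assumptions, and the authenticators rely on the introspection and session-check URLs being set in Oathkeeper's global configuration:

```yaml
# Access rule for an API behind Oathkeeper (illustrative, assumed addresses).
- id: "docs-api:authenticated"
  upstream:
    url: "http://docs-api:8080"          # assumed; must only accept traffic from Oathkeeper
    preserve_host: true
  match:
    url: "http://api.example.com/api/<.*>"   # <...> delimits a regular expression
    methods: ["GET", "POST", "PUT", "DELETE"]
  authenticators:
    # Tried in order; the first handler that recognises the request decides.
    - handler: oauth2_introspection        # Bearer tokens issued by Hydra
      config:
        required_scope: ["read:documents"]
    - handler: cookie_session              # Kratos browser sessions
  authorizer:
    handler: allow                         # use remote_json to ask Keto instead
  mutators:
    - handler: header
      config:
        headers:
          X-User-Id: "{{ print .Subject }}"  # the only identity header the upstream should trust
  errors:
    - handler: json
```

The caveat a practitioner wants here: the header mutator only protects you if Oathkeeper is the sole path to the upstream. If `docs-api:8080` is reachable from anywhere else, a client can set `X-User-Id` itself, so isolate the upstream with a network policy or mTLS between proxy and service, and have the service drop that header from any request that did not arrive through the proxy.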

Ory Polis - Enterprise SSO Bridge

Polis bridges the gap between legacy enterprise identity protocols and modern OAuth2/OIDC:

  • Translates SAML 2.0 ↔ OpenID Connect flows
  • Supports SCIM 2.0 for automated user provisioning and deprovisioning
  • Enables enterprise customers to use their existing IdP (Okta, ADFS, Ping) with Ory-powered applications

Please note that Polis is part of the Ory Enterprise License, not available in the free open source tier.

How the Components Work Together

You don't have to use all of them. That is the point of the modular design.

A typical starting stack:

Browser
   │
   ▼
Your App (Node.js / Go / Python / anything)
   ├── Calls Kratos for login, registration, sessions
   ├── Calls Hydra for OAuth2 tokens (if needed)
   ├── Oathkeeper validates tokens at the API gateway
   └── Keto checks fine-grained permissions

A small team building a SaaS app might start with just Kratos. A platform team building internal tooling might add Hydra for machine-to-machine auth. A company with complex multi-tenant permissions eventually adds Keto. An enterprise onboarding business customers with SAML IdPs adds Polis.

Each service is independently runnable, independently scalable, and independently replaceable.

Who Uses Ory in Production?

The most prominent example: OpenAI.

"OpenAI replaced its legacy login system with Ory Hydra to scale identity for 900 million weekly active users, with zero downtime and full IAM control", reports the Newstack online publication.

Initially, OpenAI's rapid user growth overwhelmed their previous CIAM solution. They migrated to a self-hosted Ory Hydra backed by a scalable database to issue and manage tokens for ChatGPT users.

According to the official case study, Ory provided deep observability and resilience for "unprecedented logins per second", and crucially gave OpenAI ownership of their identity processes without vendor lock-in.

Beyond OpenAI, Ory serves tens of thousands of active projects across its open-source, self-managed, and managed cloud environments - covering billions of identities and trillions of transactions.

Three Ways to Deploy Ory

1. Open Source (Self-Hosted, Free)

All four core open source components (Kratos, Hydra, Keto, Oathkeeper) are Apache 2.0 licensed and available on GitHub. You run them on your own infrastructure (bare metal, VMs, Docker, Kubernetes) with full control over data, configuration, and upgrade cadence.

Best for: Teams with DevOps capacity, compliance requirements, or cost sensitivity at scale.

2. Ory Enterprise License (OEL)

Self-hosted, with commercial support: SLAs, security patch guarantees, a private Docker registry with vetted builds, and direct access to Ory engineers. Adds enterprise-only components including Ory Polis (SAML, SCIM) and advanced B2B federation.

Best for: Enterprise teams that need self-hosting for data sovereignty but want production-grade support contracts.

3. Ory Network (Managed Cloud)

A fully managed, globally distributed SaaS version of the Ory stack.

Pricing note: Verify current rates at ory.com/pricing before making decisions, as pricing changes frequently.

Best for: Teams that want to move fast without managing infrastructure, or those starting out before deciding whether to self-host.

The key advantage of Ory Network: the managed and self-hosted services expose the same APIs, so switching to self-hosted later is mostly a matter of pointing your configuration at a different base URL (plus migrating the identity data). Your application code doesn't change.

How Ory Compares to Auth0, Keycloak, and Firebase

Feature                  | Ory            | Auth0          | Keycloak       | Firebase Auth
-------------------------|----------------|----------------|----------------|---------------
Open source              | ✅ Apache 2.0  | ❌             | ✅ Apache 2.0  | ❌
Self-hostable            | ✅             | ❌             | ✅             | ❌
Headless (own your UI)   | ✅             | ⚠️ Limited     | ⚠️ Limited     | ⚠️ Limited
Written in               | Go             | Mixed          | Java           | Mixed
RAM footprint            | ~100–150 MB    | N/A            | ~1,250 MB      | N/A
Horizontal scaling       | ✅ Stateless   | N/A (managed)  | ⚠️ Complex     | N/A (managed)
Fine-grained permissions | ✅ (Keto)      | ⚠️ Basic       | ⚠️ Basic       | ⚠️ Basic
Dedicated Agent IAM      |                |                |                |
Vendor lock-in           | Low            | High           | Low            | High

Who Should (and Shouldn't) Use Ory

Ory is a strong fit if you:

  • Are building a customer-facing application that needs to scale past tens of thousands of users
  • Want full ownership of your user data and identity infrastructure
  • Have engineering capacity to integrate API-first services
  • Need to self-host for compliance, data residency, or GDPR requirements
  • Are tired of Auth0's pricing growing with your user count
  • Are building AI agents or machine-to-machine workflows that need identity

Ory may not be the right fit if you:

  • Need something working in under an hour with zero configuration (Auth0 or Firebase is faster to start)
  • Have non-technical operators who need to manage identities via a UI (Keycloak has a better admin console)
  • Need SAML 2.0 on the free tier (Keycloak covers this; Ory requires the Enterprise License)
  • Are running a small personal project where scale isn't a concern

What Next?

Auth0 has been one of the most popular identity platforms for years. It's polished, well documented, and can get most applications from zero to a working login flow in very little time.

But as applications grow, many teams start looking for alternatives that offer lower long-term costs, self-hosting options, open-source components, and greater control over user data.

If you want to try Ory, you're in luck. Read the following guide to migrate Auth0 to Ory:

Conclusion

Ory exists because authentication is a solved problem that most teams keep re-solving, badly, under time pressure. It gives you a production-hardened identity stack that runs at OpenAI scale, built on open standards, with no vendor lock-in, that you can inspect line by line.

Ory has a steep learning curve, but the payoff is worth it.
