{"name":"Ory","slug":"ory","category":"auth","type":"hybrid","website":"https://ory.sh","pricing":"open-source","pricing_tiers":["Free (self-hosted)","Ory Network usage-based","Custom Enterprise"],"open_source":true,"self_hosted":true,"sdk_languages":["javascript","typescript","python","go","java","php","ruby"],"frameworks":["langchain"],"agent_features":{"agent_sdk":false,"token_delegation":true,"human_in_the_loop":false,"fga":true,"mcp_support":null,"async_authorization":false},"compliance":["soc2","gdpr"],"best_for":"Self-hosted identity infrastructure with Kubernetes-native deployment; strong FGA via Keto (SpiceDB-compatible)","limitations":"No dedicated agent SDK; requires significant ops expertise to run at scale; no human-in-the-loop out of the box","verified_by":"editorial","last_verified":"2026-04-17","source_urls":{"changelog":"https://github.com/ory/kratos/releases","pricing":"https://www.ory.sh/pricing/","docs":"https://www.ory.sh/docs"},"feature_labels":{"agent_sdk":"Dedicated SDK for agentic workflows — agent sessions, token lifecycle, and authorization requests","token_delegation":"Issue scoped tokens an agent can use downstream without exposing user credentials","human_in_the_loop":"Pause agent execution and require explicit user approval before proceeding","fga":"Fine-Grained Authorization — relationship-based or attribute-based access control, not just role-based","mcp_support":"Native OAuth/OIDC authorization layer for Model Context Protocol servers","async_authorization":"Non-blocking approval workflows — agent continues and gets notified when approval is granted"},"comparisons":[{"slug":"auth0-vs-ory","title":"Auth0 vs Ory","vs":"auth0"},{"slug":"clerk-vs-ory","title":"Clerk vs Ory","vs":"clerk"},{"slug":"cognito-vs-ory","title":"Amazon Cognito vs Ory","vs":"cognito"},{"slug":"descope-vs-ory","title":"Descope vs Ory","vs":"descope"},{"slug":"firebase-auth-vs-ory","title":"Firebase Auth vs Ory","vs":"firebase-auth"},{"slug":"keycloak-vs-ory","title":"Keycloak vs Ory","vs":"keycloak"},{"slug":"ory-vs-stytch","title":"Ory vs Stytch","vs":"stytch"},{"slug":"ory-vs-supabase-auth","title":"Ory vs Supabase Auth","vs":"supabase-auth"},{"slug":"ory-vs-workos","title":"Ory vs WorkOS","vs":"workos"}],"body":"# Ory\n\nOry is the dominant open-source identity stack for teams that need to run their own infrastructure. It's a suite of components: Kratos (identity management), Hydra (OAuth 2.0/OIDC), Keto (FGA via SpiceDB-compatible model), and Oathkeeper (API gateway / access proxy).\n\nFor agents in regulated industries or organizations that can't use cloud-hosted identity providers, Ory is the most capable self-hosted option. The FGA via Keto is powerful — it uses Google Zanzibar's relationship-based model, the same foundation as Auth0 FGA and Google's own IAM.\n\nThe complexity cost is real. Running Ory in production requires Kubernetes experience and ongoing ops investment. There's no hosted agent SDK, and human-in-the-loop approval flows need to be built on top of the underlying primitives.\n\n**Agent-specific features:**\n- OAuth 2.0 token delegation via Hydra\n- Relationship-based FGA via Keto (Zanzibar model)\n- API access control via Oathkeeper\n- Full infrastructure control for compliance-sensitive deployments"}