Chat | Discusssions | Newsletter

Guide | API Docs | Code Docs

Support this project!

Work in Open Source, Ory is hiring!

---

Ory Keto is the first and most popular open source implementation of "Zanzibar: Google's Consistent, Global Authorization System"! ## Get Started You can use [Docker to run Ory Keto locally](https://www.ory.sh/docs/keto/install) or use the Ory CLI to try out Ory Keto: ```sh # This example works best in Bash bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory sudo mv ./ory /usr/local/bin/ # Or with Homebrew installed brew install ory/tap/cli ``` create a new project (you may also use [Docker](https://www.ory.sh/docs/keto/install)) ```sh ory create project --name "Ory Keto Example" export project_id="{set to the id from output}" ``` and follow the quick & easy steps below. ## Create a namespace with the Ory Permission Language ```sh # Write a simple configuration with one namespace echo "class Document implements Namespace {}" > config.ts # Apply that configuration ory patch opl --project $project_id -f file://./config.ts # Create a relationship that grants tom access to a document echo "Document:secret#read@tom" \ | ory parse relation-tuples --project=$project_id --format=json - \ | ory create relation-tuples --project=$project_id - # List all relationships ory list relation-tuples --project=$project_id # Output: # NAMESPACE OBJECT RELATION NAME SUBJECT # Document secret read tom # # NEXT PAGE TOKEN # IS LAST PAGE true ``` Now, check out your project on the [Ory Network](https://console.ory.sh/) or continue with a [more in-depth guide](https://www.ory.sh/docs/keto/quickstart). ### Ory Keto on the Ory Network The [Ory Network](https://www.ory.sh/cloud) is the fastest, most secure and worry-free way to use Ory's Services. **Ory Permissions** is powered by the Ory Keto open source permission server, and it's fully API-compatible. The Ory Network provides the infrastructure for modern end-to-end security: - Identity & credential management scaling to billions of users and devices - Registration, Login and Account management flows for passkey, biometric, social, SSO and multi-factor authentication - Pre-built login, registration and account management pages and components - OAuth2 and OpenID provider for single sign on, API access and machine-to-machine authorization - **Low-latency permission checks based on Google's Zanzibar model and with built-in support for the Ory Permission Language** It's fully managed, highly available, developer & compliance-friendly! - GDPR-friendly secure storage with data locality - Cloud-native APIs, compatible with Ory's Open Source servers - Comprehensive admin tools with the web-based Ory Console and the Ory Command Line Interface (CLI) - Extensive documentation, straightforward examples and easy-to-follow guides - Fair, usage-based [pricing](https://www.ory.sh/pricing) Sign up for a [**free developer account**](https://console.ory.sh/registration?utm_source=github&utm_medium=banner&utm_campaign=keto-readme) today! ## Ory Network Hybrid Support Plan Ory offers a support plan for Ory Network Hybrid, including Ory on private cloud deployments. If you have a self-hosted solution and would like help, consider a support plan! The team at Ory has years of experience in cloud computing. Ory's offering is the only official program for qualified support from the maintainers. For more information see the **[website](https://www.ory.sh/support/)** or **[book a meeting](https://www.ory.sh/contact/)**! ## Ory Permissions, Keto and the Google's Zanzibar model > Determining whether online users are authorized to access digital objects is > central to preserving privacy. This paper presents the design, implementation, > and deployment of Zanzibar, a global system for storing and evaluating access > control lists. Zanzibar provides a uniform data model and configuration > language for expressing a wide range of access control policies from hundreds > of client services at Google, including Calendar, Cloud, Drive, Maps, Photos, > and YouTube. Its authorization decisions respect causal ordering of user > actions and thus provide external consistency amid changes to access control > lists and object contents. Zanzibar scales to trillions of access control > lists and millions of authorization requests per second to support services > used by billions of people. It has maintained 95th-percentile latency of less > than 10 milliseconds and availability of greater than 99.999% over 3 years of > production use. > > [Source](https://research.google/pubs/pub48190/) If you need to know if a user (or robot, car, service) is allowed to do something - Ory Permissions and Ory Keto are the right fit for you. Currently, Ory Permissions [on the Ory Network] and the open-source Ory Keto permission server implement the API contracts for managing and checking relations ("permissions") with HTTP and gRPC APIs, as well as global rules defined through the Ory Permission Language ("userset rewrites"). Future versions will include features such as Zookies, reverse permission lookups, and more. --- - [Ory Permissions, Keto and the Google's Zanzibar model](#ory-permissions-keto-and-the-googles-zanzibar-model) - [Who's Using It?](#whos-using-it) - [Installation](#installation) - [Ecosystem](#ecosystem) - [Ory Kratos: Identity and User Infrastructure and Management](#ory-kratos-identity-and-user-infrastructure-and-management) - [Ory Hydra: OAuth2 & OpenID Connect Server](#ory-hydra-oauth2--openid-connect-server) - [Ory Oathkeeper: Identity & Access Proxy](#ory-oathkeeper-identity--access-proxy) - [Ory Keto: Access Control Policies as a Server](#ory-keto-access-control-policies-as-a-server) - [Security](#security) - [Disclosing Vulnerabilities](#disclosing-vulnerabilities) - [Telemetry](#telemetry) - [Guide](#guide) - [HTTP API Documentation](#http-api-documentation) - [Upgrading and Changelog](#upgrading-and-changelog) - [Command Line Documentation](#command-line-documentation) - [Develop](#develop) - [Dependencies](#dependencies) - [Install From Source](#install-from-source) - [Formatting Code](#formatting-code) - [Running Tests](#running-tests) - [Short Tests](#short-tests) - [Regular Tests](#regular-tests) - [End-to-End Tests](#end-to-end-tests) - [Build Docker](#build-docker) ## Who's Using It? The Ory community stands on the shoulders of individuals, companies, and maintainers. The Ory team thanks everyone involved - from submitting bug reports and feature requests, to contributing patches and documentation. The Ory community counts more than 33.000 members and is growing rapidly. The Ory stack protects 60.000.000.000+ API requests every month with over 400.000+ active service nodes. None of this would have been possible without each and everyone of you! The following list represents companies that have accompanied us along the way and that have made outstanding contributions to our ecosystem. _If you think that your company deserves a spot here, reach out to office@ory.sh now_!

Type	Name	Website
Adopter *	Raspberry PI Foundation	raspberrypi.org
Adopter *	Kyma Project	kyma-project.io
Adopter *	Tulip	tulip.com
Adopter *	Cashdeck / All My Funds	cashdeck.com.au
Adopter *	Hootsuite	hootsuite.com
Adopter *	Segment	segment.com
Adopter *	Arduino	arduino.cc
Adopter *	DataDetect	unifiedglobalarchiving.com/data-detect/
Adopter *	Sainsbury's	sainsburys.co.uk
Adopter *	Contraste	contraste.com
Adopter *	Reyah	reyah.eu
Adopter *	Zero	getzero.dev
Adopter *	Padis	padis.io
Adopter *	Cloudbear	cloudbear.eu
Adopter *	Security Onion Solutions	securityonionsolutions.com
Adopter *	Factly	factlylabs.com
Adopter *	Nortal	nortal.com
Adopter *	OrderMyGear	ordermygear.com
Adopter *	Spiri.bo	spiri.bo
Adopter *	Strivacity	strivacity.com
Adopter *	Hanko	hanko.io
Adopter *	Rabbit	rabbit.co.th
Adopter *	inMusic	inmusicbrands.com
Adopter *	Buhta	buhta.com
Adopter *	Connctd	connctd.com
Adopter *	Paralus	paralus.io
Adopter *	TIER IV	tier4.jp
Adopter *	R2Devops	r2devops.io
Adopter *	LunaSec	lunasec.io
Adopter *	Serlo	serlo.org
Adopter *	dyrector.io	dyrector.io
Adopter *	Stackspin	stackspin.net
Adopter *	Amplitude	amplitude.com
Adopter *	Pinniped	pinniped.dev
Adopter *	Pvotal	pvotal.tech

Many thanks to all individual contributors

\* Uses one of Ory's major projects in production. ## Installation Head over to the documentation to learn about ways of [installing Ory Keto](https://www.ory.sh/docs/keto/install). ## Ecosystem We build Ory on several guiding principles when it comes to our architecture design: - Minimal dependencies - Runs everywhere - Scales without effort - Minimize room for human and network errors Ory's architecture is designed to run best on a Container Orchestration system such as Kubernetes, CloudFoundry, OpenShift, and similar projects. Binaries are small (5-15MB) and available for all popular processor types (ARM, AMD64, i386) and operating systems (FreeBSD, Linux, macOS, Windows) without system dependencies (Java, Node, Ruby, libxml, ...). ### Ory Kratos: Identity and User Infrastructure and Management [Ory Kratos](https://github.com/ory/kratos) is an API-first Identity and User Management system that is built according to [cloud architecture best practices](https://www.ory.sh/docs/next/ecosystem/software-architecture-philosophy). It implements core use cases that almost every software application needs to deal with: Self-service Login and Registration, Multi-Factor Authentication (MFA/2FA), Account Recovery and Verification, Profile, and Account Management. ### Ory Hydra: OAuth2 & OpenID Connect Server [Ory Hydra](https://github.com/ory/hydra) is an OpenID Certified™ OAuth2 and OpenID Connect Provider which easily connects to any existing identity system by writing a tiny "bridge" application. It gives absolute control over the user interface and user experience flows. ### Ory Oathkeeper: Identity & Access Proxy [Ory Oathkeeper](https://github.com/ory/oathkeeper) is a BeyondCorp/Zero Trust Identity & Access Proxy (IAP) with configurable authentication, authorization, and request mutation rules for your web services: Authenticate JWT, Access Tokens, API Keys, mTLS; Check if the contained subject is allowed to perform the request; Encode resulting content into custom headers (`X-User-ID`), JSON Web Tokens and more! ### Ory Keto: Access Control Policies as a Server [Ory Keto](https://github.com/ory/keto) is a policy decision point. It uses a set of access control policies, similar to AWS IAM Policies, in order to determine whether a subject (user, application, service, car, ...) is authorized to perform a certain action on a resource. ## Security ### Disclosing Vulnerabilities If you think you found a security vulnerability, please refrain from posting it publicly on the forums, the chat, or GitHub. You can find all info for responsible disclosure in our [security.txt](https://www.ory.sh/.well-known/security.txt). ## Telemetry Our services collect summarized, anonymized data which can optionally be turned off. Click [here](https://www.ory.sh/docs/ecosystem/sqa) to learn more. ### Guide The Guide is available [here](https://www.ory.sh/docs/keto/). ### HTTP API Documentation The HTTP API is documented [here](https://www.ory.sh/docs/keto/sdk/api). ### Upgrading and Changelog New releases might introduce breaking changes. To help you identify and incorporate those changes, we document these changes in [UPGRADE.md](./UPGRADE.md) and [CHANGELOG.md](./CHANGELOG.md). ### Command Line Documentation Run `keto -h` or `keto help`. ### Develop We encourage all contributions and recommend you read our [contribution guidelines](./CONTRIBUTING.md). #### Dependencies You need Go 1.19+ and (for the test suites): - Docker and Docker Compose - GNU Make 4.3 - NodeJS / npm >= v7 It is possible to develop Ory Keto on Windows, but please be aware that all guides assume a Unix shell like bash or zsh. #### Install From Source

make install

#### Formatting Code You can format all code using make format. Our CI checks if your code is properly formatted. #### Running Tests There are two types of tests you can run: - Short tests (do not require a SQL database like PostgreSQL) - Regular tests (do require PostgreSQL, MySQL, CockroachDB) ##### Short Tests Short tests run fairly quickly. You can either test all of the code at once: ```shell script go test -short -tags sqlite ./... ``` or test just a specific module: ```shell script go test -tags sqlite -short ./internal/check/... ``` ##### Regular Tests Regular tests require a database set up. Our test suite is able to work with docker directly (using [ory/dockertest](https://github.com/ory/dockertest)) but we encourage to use the script instead. Using dockertest can bloat the number of Docker Images on your system and starting them on each run is quite slow. Instead we recommend doing: ```shell source ./scripts/test-resetdb.sh go test -tags sqlite ./... ``` ##### End-to-End Tests The e2e tests are part of the normal `go test`. To only run the e2e test, use: ```shell source ./scripts/test-resetdb.sh go test -tags sqlite ./internal/e2e/... ``` or add the `-short` tag to only test against sqlite in-memory. #### Build Docker You can build a development Docker Image using:

make docker

The Best Go Libraries For Authentication and OAuth (33)

jwt-go

jwx

authboss

branca

casbin

cookiestxt

go-guardian

go-jose

gologin

gorbac

gosession

goth

jeff

jwt

jwt

jwt-auth

keto

loginsrv

oauth2

oidc

openfga

osin

otpgen

otpgo

paseto

permissions2

scope

scs

securecookie

session

sessions

sessionup

sjwt