Ory Kratos vs Auth0 vs Keycloak 2026
Ory Kratos vs Auth0 vs Keycloak 2026
TL;DR
Ory Kratos is the right pick for API-first teams who want full control and headless identity flows. Auth0 wins when you need a managed IdP running in days with minimal ops burden. Keycloak is the enterprise on-prem workhorse — powerful but expensive to operate. No single tool is best; your deployment model and team size decide it.
Key Takeaways
- Ory Kratos has 13.5k GitHub stars and is Apache-2.0 licensed, written in Go — binaries under 15MB with zero system dependencies.
- Auth0's free tier covers 7,500 MAU but per-user pricing jumped 300% recently, from $0.023 to $0.07/MAU, making large apps expensive fast.
- Keycloak is free to self-host but demands significant ops investment — Red Hat SSO support starts at $1,650/month for enterprises needing guaranteed SLAs.
- Ory Kratos is truly headless — it ships no UI at all, exposing every identity flow (login, registration, recovery, MFA) as REST APIs your frontend consumes.
- Keycloak has the richest built-in feature set of the three, including SAML, OIDC, LDAP federation, and a full admin console out of the box.
- Auth0 protects the fastest path to production — social logins, MFA, and enterprise SSO are point-and-click in the dashboard, not code.
Why Identity API Choice Matters More in 2026
The identity layer is the one API your application calls on every single request. A wrong choice at the start costs months to unwind. In 2026 the landscape has shifted: Auth0 (owned by Okta since 2021) raised prices aggressively, Keycloak 26 landed with better performance but the same heavyweight Java footprint, and Ory Kratos matured into a production-grade headless identity system used by OpenAI, Cisco, and Klarna.
The question is no longer "should I roll my own auth?" — you should not. The question is which identity API model fits your architecture: managed cloud, self-hosted monolith, or API-composable headless.
Teams building on Kubernetes and microservices are discovering that Keycloak's monolith is hard to tune, Auth0's bill is hard to predict, and Ory Kratos's headless model maps cleanly to API-first architectures. Understanding the tradeoffs across pricing, developer experience, and operational complexity is what this guide covers.
Architecture Overview
Ory Kratos: Headless Identity API
Ory Kratos is a backend-only, API-first identity management server. It ships no UI — no login page, no registration form, no admin panel. Every identity flow is a REST API call. Your frontend sends the user to a flow endpoint, handles the response JSON, and renders whatever UI you control.
This headless model means zero theming headaches and total UI freedom, but it also means you build every form yourself. Ory Kratos handles the hard parts — session management, CSRF protection, MFA flows, account recovery tokens — and hands you structured JSON to work with.
Ory Kratos is part of a broader Ory ecosystem: Hydra (OAuth2/OIDC provider), Keto (permissions/RBAC), and Oathkeeper (API gateway with identity-aware proxying). You can deploy just Kratos for user management or compose the full stack.
Under the hood it is written in Go, with binaries in the 5–15MB range that run on any OS without runtime dependencies. The Apache-2.0 license means commercial use is unrestricted.
Auth0: Managed Identity Platform
Auth0 is a fully managed Identity-as-a-Service (IDaaS) platform. You configure it via a dashboard, integrate with a few lines of SDK code, and Auth0 handles all infrastructure, uptime, and security patches. It supports universal login (hosted UI), embedded login (SDK in your app), and machine-to-machine flows.
Auth0's free tier gives you 7,500 monthly active users with social logins and basic MFA. The paid tiers are priced per MAU — and after Okta's 2024 pricing restructure, that rate rose to $0.07/MAU. For a SaaS with 50,000 MAU, you are looking at $3,500/month before enterprise SSO add-ons.
Auth0 integrates directly with hundreds of social providers, SAML enterprise connections, and B2B partner federations through its Actions and Rules system. For teams that need enterprise SSO set up in an afternoon rather than a week, Auth0 remains the fastest path.
Keycloak: Enterprise On-Prem Identity
Keycloak is a Java-based open source identity and access management server maintained by Red Hat. It handles OIDC, SAML, LDAP federation, fine-grained authorization, social logins, and OTP out of the box. The admin console gives non-technical operators a full GUI to manage realms, clients, and users without writing code.
The trade-off is resource consumption. Keycloak needs a minimum of 2GB RAM to run comfortably; production deployments with clustering typically need 4–8GB per node. A Keycloak JVM startup takes 30–60 seconds compared to Ory Kratos's sub-second startup. Keycloak 26 improved startup time with Quarkus but the footprint is still orders of magnitude heavier than Go-based alternatives.
Keycloak is entirely free to use under the Apache-2.0 license. Red Hat offers a commercial distribution (RHSSO) with support SLAs starting around $1,650/month for enterprise customers who need guaranteed response times.
Comparison Table
| Dimension | Ory Kratos | Auth0 | Keycloak |
|---|---|---|---|
| Pricing | Free (self-host) / $29+/mo cloud | Free up to 7,500 MAU / $0.07/MAU | Free (self-host) / RHSSO $1,650+/mo |
| Self-hosting | Yes (Docker, k8s, binary) | No | Yes (Docker, k8s, bare metal) |
| OIDC support | Via Ory Hydra | Yes (built-in) | Yes (built-in) |
| SAML support | Via Ory Hydra | Yes (Enterprise tier) | Yes (built-in) |
| MFA | TOTP, WebAuthn, Passkeys | TOTP, SMS, Push (paid) | TOTP, WebAuthn, SMS |
| Admin UI | None (headless) | Full dashboard | Full admin console |
| Resource use | ~50MB RAM | Managed (N/A) | 2–8GB RAM |
| Language/runtime | Go | Managed SaaS | Java/JVM |
| License | Apache-2.0 | Proprietary | Apache-2.0 |
| DX (setup speed) | Moderate (API-first setup) | Fast (dashboard-driven) | Moderate–Slow (XML config) |
| GitHub stars | 13.5k | N/A (closed source) | 24k+ |
API Integration Patterns
Ory Kratos: Flows as API Endpoints
Every identity operation in Ory Kratos is a "flow." To initiate a login, your frontend hits /self-service/login/browser (or /api for SPA/native). Kratos returns a flow object with an ID, expiry, and an array of UI nodes — the fields, labels, and submit actions your frontend should render. You render the form, POST the credentials back, and Kratos returns a session or an error node with field-level validation.
// 1. Initialize login flow
const { data: flow } = await kratosClient.createBrowserLoginFlow();
// 2. Render flow.ui.nodes as form fields in your UI
// 3. Submit credentials
const { data: session } = await kratosClient.updateLoginFlow({
flow: flow.id,
updateLoginFlowBody: {
method: "password",
identifier: email,
password: password,
},
});
console.log("Session token:", session.session_token);
This pattern applies to registration, account recovery, email verification, and settings. The headless design means the same backend serves a web app, a React Native app, and a CLI tool with identical API calls.
Auth0: SDK-Driven Authentication
Auth0 wraps its APIs in first-party SDKs for every major language and framework. The most common pattern is the Authorization Code flow with PKCE, where you redirect to Auth0's hosted login page and get back an access token and ID token.
// Auth0 Next.js SDK
import { handleAuth } from "@auth0/nextjs-auth0";
// This single export handles /api/auth/login, /callback, /logout, /me
export default handleAuth();
For machine-to-machine (API-to-API), Auth0 uses the Client Credentials flow:
const token = await auth0.getTokenSilently({
audience: "https://api.yourapp.com",
scope: "read:data",
});
Auth0 also supports Actions — serverless functions that hook into the authentication pipeline for custom claims, fraud detection, or user enrichment.
Keycloak: OIDC + Admin REST API
Keycloak exposes a full Admin REST API for programmatic management of realms, users, clients, and roles. For end-user authentication it uses standard OIDC flows — Authorization Code, Client Credentials, or Device Code for IoT.
import requests
# Client Credentials flow
response = requests.post(
"https://keycloak.example.com/realms/myrealm/protocol/openid-connect/token",
data={
"grant_type": "client_credentials",
"client_id": "my-service",
"client_secret": "my-secret",
},
)
token = response.json()["access_token"]
Keycloak's admin REST API lets you provision users, manage role mappings, and configure identity providers programmatically — useful for multi-tenant SaaS platforms that need to spin up isolated realms per customer.
When to Choose Each
Choose Ory Kratos if:
- You are building API-first or headless architectures where you control every pixel of the UI
- Your team is comfortable with Go-ecosystem tooling and self-hosting on Kubernetes
- You need sub-second cold starts and minimal RAM footprint (edge deployments, serverless-adjacent)
- You want composable identity — use Kratos for user management, Hydra for OAuth2, Keto for permissions independently
- Budget is a constraint and you have engineering bandwidth to operate your own infrastructure
Choose Auth0 if:
- You need authentication running in production within a day or two
- Your user base is under 7,500 MAU (the free tier is genuinely generous)
- You need enterprise SSO for B2B customers and cannot afford weeks of SAML integration work
- You have no dedicated DevOps/platform team and want zero infrastructure to manage
- Your MAU count is predictable — Auth0's per-MAU pricing is painful at scale but fine at small-to-mid volume
Choose Keycloak if:
- You are in an enterprise or regulated environment that requires on-premises deployment
- You need SAML federation with corporate LDAP/Active Directory out of the box
- You have a platform team that can manage a Java service with proper memory tuning
- You want a full admin GUI for non-developers to manage users, roles, and clients
- You are already in the Red Hat / OpenShift ecosystem and want commercial support options
Security Model Differences
One area teams underestimate is how the security model differs across all three systems. Ory Kratos handles CSRF protection and session management internally — it issues opaque session tokens or cookies depending on whether you use the browser or API flow. You do not manage token signing keys; Kratos does. The risk surface is limited to your own network policies and the Kratos configuration itself.
Auth0 issues signed JWTs using RS256 by default. Your API validates tokens locally using Auth0's public JWKS endpoint, which means no network round-trip on every request. This is fast and well understood, but it means compromised JWTs remain valid until expiry. Auth0 mitigates this with token revocation via the Management API and short expiry windows.
Keycloak gives you full control over token signing — you manage the realm's key pairs and can rotate them on a schedule. This is powerful but also dangerous: a misconfigured realm or leaked private key has broader blast radius than in a managed service. Keycloak's fine-grained authorization service lets you define complex ABAC policies, which Ory Kratos and Auth0 both punt to external systems (Ory Keto for Kratos, Auth0 Rules/Actions for Auth0).
Migration Considerations
Moving between identity providers is painful because sessions, password hashes (bcrypt salts), and social connection tokens are provider-specific. If you anticipate growth past Auth0's affordable MAU ceiling, architect your app to treat the identity layer as a replaceable dependency from day one — keep auth logic in a service layer, not scattered across components.
For teams considering migrating from Auth0 to Ory Kratos, Ory provides migration tooling and supports importing existing bcrypt hashes. Keycloak has an import/export mechanism for realm data but migrating hashed passwords from other systems requires custom identity provider plugins.
How This Compares to Other Auth APIs
If you are also evaluating managed auth solutions, our Auth0 vs Clerk API comparison covers the newer developer-friendly managed IdPs. For enterprise SSO specifically, see WorkOS vs Auth0 vs Clerk for Enterprise SSO. And for a deep dive on Auth0's OAuth2 implementation patterns, How to Implement OAuth2 with Auth0 covers the flows in detail.
Methodology
This comparison was researched in March 2026 using official documentation, GitHub repository data (13.5k stars for Ory Kratos, Apache-2.0 license), Auth0 pricing pages, Keycloak 26 release notes, and community discussions on Hacker News and Reddit. Pricing data reflects current public pricing as of the publish date. Self-hosting resource requirements are based on official minimum specs and community-reported production workloads.
Sources consulted:
- Ory Kratos GitHub — stars, license, tech stack
- LeanCode IAM Comparison
- Frontegg Auth0 vs Keycloak
- PhaseTwoIO Keycloak vs Auth0
- SuperTokens Ory vs Keycloak
- Authgear Open Source Auth0 Alternatives
- Auth0 official pricing (auth0.com/pricing)
- Keycloak official documentation (keycloak.org/docs)
Looking for API-based authentication beyond traditional IdPs? Explore our Best Identity Verification APIs 2026 roundup for additional options.