The latest releases of Ory Keto v25.4.0 and Ory Oathkeeper v25.4.0 are here — and they’re packed with updates that make your access control infrastructure more secure, maintainable, and cohesive across the Ory ecosystem.
From encrypted pagination tokens to enhanced observability, these releases reinforce Ory’s mission to provide developers with tools that are both powerful and privacy-conscious. Together, Keto and Oathkeeper v25.4 mark a step toward a more unified, resilient, and developer-friendly platform.
ICYMI: Earlier this week we released the latest open source 25.4.0 versions of Ory Hydra, and Ory Kratos, as well as our new versioning scheme to make upgrades more predictable.
Ory Keto: Encrypted pagination tokens and stronger foundations
The highlight of Ory Keto v25.4 is the introduction of encrypted pagination tokens — a subtle but impactful improvement that strengthens privacy and data integrity across paginated API responses. Previously, pagination state could appear in plaintext, but with encryption now in place, that state is fully protected from exposure or tampering. This means even as your datasets grow, your pagination remains secure.
This upgrade embodies a larger theme across the Ory ecosystem: protecting stateful interactions with robust cryptography and minimal developer friction. The same philosophy underpins Ory Hydra’s new Device Authorization Grant, which allows secure OAuth 2.0 flows for devices that can’t display or enter credentials directly (e.g. AI agents, smart TVs, IoT devices). Both updates share the same goal: secure state handling and seamless authorization, no matter the context.
In addition to encrypted pagination, Keto now runs on Go 1.24.4, which resolves CVE-2025-4673. All deployments should upgrade promptly to benefit from this critical runtime fix.
Under the hood, Keto v25.4.0 includes a series of improvements aimed at maintainability and consistency:
- Pagination helpers from
ory/x reduce code duplication and simplify testing.
- Fallback keys are now hardcoded, preventing runtime panics when configuration is missing.
- Vendored dependencies ensure reproducible, stable builds across environments.
- Database meta functions have been relocated to the root
ory/x package, enhancing reusability across Ory projects.
Observability has also been enhanced with more reliable OTLP tracing defaults and improved telemetry behavior which gives operators better visibility into production systems without extra configuration.
Ory Oathkeeper: Observability and ecosystem consistency
The release modernizes Oathkeeper’s internal structure by adopting vendored ory/x libraries, reducing dependency drift and simplifying builds. With Goreleaser integration, release processes are now reproducible and consistent across all platforms — from local development to production deployments.
Configuration test helpers have been migrated into ory/x, promoting shared testing patterns across the ecosystem. On the observability side, improved OTLP tracing brings better defaults and finer control over sampling, making it easier to monitor and troubleshoot your deployments.
Together, these changes make Ory Oathkeeper a cleaner and more maintainable foundation for the future Ory services.
Get started
Both Ory Keto v25.4.0 and Ory Oathkeeper v25.4.0 are available now:
Join us for a live walkthrough today on Thursday, November 13th where we'll dive into the updates made to the Ory stack, demonstrate the new versioning, and answer your questions about the newly released OSS features and upgrade.
Why Ory Enterprise License matters
Open source releases give you powerful identity infrastructure. However, mission-critical production environments often need continuous security patches, enterprise features that support compliance requirements, and updates that keep pace with your infrastructure demands.
Ory Enterprise License (OEL) provides continuous releases with the latest security patches and advanced enterprise features between open source releases.
For teams running identity infrastructure that needs to stay secure, compliant, and performant at scale, OEL delivers the update cadence and enterprise capabilities that production environments require.
Evaluating Ory for web-scale production? Learn more about OEL.
Questions about the new versioning? Join us in Ory Community Slack or GitHub Discussions.
