Making an Informed Decision About Whether to Use Ory Network or Self-Host
How Apple broke "Sign in with Apple" with an unannounced and silent redirect
If you're looking for a secure and reliable way to manage user authentication, permissions, and more, you may have heard of Ory. Did you know that there are two ways to use Ory?
In this article, we'll explore the differences between Ory Network and self-hosting Ory Open Source, and help you decide which option is right for you.
Before we dive into the differences, let's take a quick look at what the Ory Network and self-hosting Ory open source means.
Ory Network is a global infrastructure that uses Ory Open Source to deliver various services and APIs such as login, permissions, OAuth2, and more. Ory Network spans several global regions to deliver a fast service anywhere in the world. Use Ory Network to take advantage of the power of open source and all the features and benefits built on top by the Ory team, as well as continuous updates, support, and security.
Self-hosting Ory means to use the foundational building blocks of the Ory Network, the (Ory Kratos Identity Server, the Ory Hydra OAuth2 Server, and the Ory Keto Permission Server) and build authentication and authorization systems yourself. Self-hosting Ory Open Source is a great way to explore and experiment with security software, learn more about open source software development, and participate in the building the new login.
When deciding between the Ory Network and self-hosting, it's essential to know what features are available in each option. The following table summarizes the feature differences:
| Feature | Ory Network | Self-Hosting |
|---|---|---|
| Security & compliance | ||
| GDPR-compliant data storage | ✅ | ⚠️ |
| SOC2 T2 & ISO 27k certification | ✅ | ⚠️ |
| Automatically OpenID certified | ✅ | ❌ |
| PII region storage selection | ✅ | ⚠️ |
| Intelligent PII data homing | ✅ | ❌ |
| Brute force & DoS protection | ✅ | ⚠️ |
| Suspicious IP throttling | ✅ | ⚠️ |
| Breached password detection | ✅ | ✅ |
| OAuth2 Verifiable Credentials | ✅ | ✅ |
| OAuth2 Resource Owner Password Grant | ✅ | ❌ |
| Services and APIs | ||
| Identity and user management APIs | ✅ | ✅ |
| Low latency edge authentication | ✅ | ❌ |
| Permission APIs | ✅ | ✅ |
| Passwordless login | ✅ | ✅ |
| SMS verification and MFA | ✅ | ⚠️ |
| Password login | ✅ | ✅ |
| Social sign in | ✅ | ✅ |
| Machine-to-machine auth | ✅ | ✅ |
| Multi-factor authentication | ✅ | ✅ |
| OAuth2 and OIDC APIs | ✅ | ✅ |
| Search API | ✅ | ✅ |
| Organizations & B2B SSO | ✅ | ❌ |
| One-click SAML SSO | ✅ | ⚠️ |
| User management | ||
| Custom profile fields | ✅ | ✅ |
| Account linking | ✅ | ✅ |
| (Bulk) user import | ✅ | ✅ |
| User interfaces | ||
| Administrative user interface | ✅ | ❌ |
| Configuration management interface | ✅ | ❌ |
| No-code self-service pages | ✅ | ❌ |
| Themeable self-service pages | ✅ | ❌ |
| User activity insights | ||
| Live analytics and insights | ✅ | ❌ |
| Analytics and events UI | ✅ | ❌ |
| Integration and SDKs | ||
| Ory CLI tools | ✅ | ❌ |
| Backwards compatibility guarantee | ✅ | ❌ |
| SDKs for popular programming languages | ✅ | ✅ |
| Operations and deployment | ||
| Multi-regional deployments | ✅ | ❌ |
| Zero-downtime upgrades and migrations | ✅ | ❌ |
| Configuration management via API | ✅ | ❌ |
| Configuration management via files | ✅ | ✅ |
| Log access | 🔭 | ✅ |
| Organization and multi-tenancy | ||
| Multitenancy (prod, staging, dev) | ✅ | ⚠️ |
| Team management | ✅ | ❌ |
| Organization management | ✅ | ❌ |
| Customer-facing multi-tenancy | ✅ | ❌ |
| Support & Maintenance | ||
| Community support | ✅ | ✅ |
| Automatic updates to the latest version | ✅ | ⚠️ |
| Zero-downtime migrations | ✅ | ⚠️ |
| 24/7 on-call incident support | ✅ | ⚠️ |
| Private ticketing system | ✅ | ❌ |
| Concierge migration support | ✅ | ❌ |
Legend:
When it comes to choosing between Ory Network and self-hosting Ory, there are several key differences to consider. Ory Network offers a range of features that are not available in the open source stack, including compliance and certifications, user-friendly interfaces, and advanced analytics and insights systems. These features are specifically designed for the Ory Network infrastructure, making it a comprehensive and convenient solution for businesses looking to implement a fully featured IAM (Identity and Access Management) and auth system.
On the other hand, the open source stack provided by Ory offers the powerful and efficient APIs that form the backbone of Ory Network. However, running an auth system in production requires more than just APIs - it also requires a deep understanding of security requirements and solid infrastructure to ensure a professional and scalable solution. This is where Ory Network shines, providing businesses with a complete IAM and auth stack that is based on open source technology, yet offers the added benefits of compliance, user interfaces, and advanced analytics. By choosing Ory Network, companies can enjoy the best of both worlds - the flexibility, openness, and customizability of open source technology, combined with the convenience and professional features of a fully managed solution.
Ory only offers support services for self-hosted instances of its software in rare cases.
Here's why:
When you use Ory Network, you save a significant amount of time that would otherwise be spent on setting up infrastructure, maintaining it, and upgrading the software yourself. The following estimates are based on what we have observed since Ory was founded in 2015. Note that an exact time estimate heavily depends on the details of your use case.
Self-hosting takes longer than using Ory Network for several reasons:
The following table shows estimated time savings when using the Ory Network compared to setting up and maintaining the software yourself:
| Self-hosting | Ory Network | |||
|---|---|---|---|---|
| Set-Up | Continuous effort | Set up | Continuous effort | |
| Operations | ||||
| Monitoring and alerting | 1-14 days | 365 days / year | Available | None |
| Disaster recovery | 1-8 hours | 1 week / year | Out of the box | None |
| Configuration management and continuous deployment | 1-5 days | Not applicable | Out of the box in Ory Console | Not applicable |
| Software upgrades | 0h | 2-4 weeks / year | Not needed | None |
| Management | ||||
| User-facing UIs | 1-4 weeks | 2 weeks / year | Out of the box | None |
| Administrative UIs | 2-4 weeks | 2 weeks / year | Out of the box | None |
| Admin API access control | 1-2 days | 1 day / year | Out of the box | None |
| Integration | ||||
| New site/service | ~1-2 days | None | ~1-10 hours | None |
| Migration site/service to Ory | ~2-4 weeks | None | ~1-2 weeks | None |
Choosing Ory Network over self-hosting can also result in significant cost savings. When you self-host, you're responsible for infrastructure costs such as EC2 instances and Postgres AuroraDB, as well as ongoing expenses like continuous monitoring, alerting, and traffic costs. With Ory Network, these costs are already included in our subscription plans. This means that you can focus on building your product without worrying about the hidden costs of infrastructure and maintenance.
While these numbers are rough estimates and heavily dependent on the use case and cost optimization, choosing Ory Network can help you save both time and money compared to self-hosting.
For a site with less than 1,000 active users/machines (regardless of what Ory service you use), two virtual machines for failover, each with 2 vCPUs and 4GB of RAM to run up to three Ory services, and one small sized PostgreSQL instance with 100GB would be needed.
According to the AWS price calculator, this sums up to about $2,080.76 per year.
On the other hand, with the Ory Network Production Plan, these resources are included, along with development/staging projects, continuous monitoring, alerting, traffic, and metrics for only $770 per year.
| Self-hosting | Production Plan | ||
|---|---|---|---|
| Compute | 2x AWS EC2 2vCPU, 4GB RAM, 50GB SSD | $918.72 / year | $0 / year |
| Database | 1x AWS RDS Postgres 2vCPU, 4GB RAM, 100GB SDD | $879.96 / year | $0 / year |
| API Gateway | AWS API Gateway | $44.52 / year | $0 / year |
| Load Balancer | AWS Load Balancer | $237.48 / year | $0 / year |
| Operations | Monitoring, logs, alerting (e.g. Datadog) | Depends on solution | $0 / year |
| Total | > $2,080.76 / year | $770 / year | |
| Cost savings | > 40% |
For a site or application with 1,000 to 20,000 daily active (machine) users, self-hosting Ory open source becomes more expensive. Self-hosting at this scale requires more virtual machines for failover and a larger database instance, resulting in higher costs. With the Ory Growth Plan, you get a cost-effective solution that is easier to set up, manage, and scale.
According to the AWS price calculator, this sums up to about $14,167.78 per year.
For businesses with 1,000-20,000 daily active users/machines, we recommend the Ory Growth Plan for $9350 per year as the cheaper and better option. This plan includes everything in the Production Plan, plus additional features such as enterprise-grade support, a dedicated account manager, and priority bug fixes.
| Self-hosting | Growth Plan | ||
|---|---|---|---|
| Compute | 4x AWS EC2 4vCPU, 8GB RAM, 50GB SSD | $4,695.48 / year | $0 / year |
| Database | 2x AWS RDS Postgres 4vCPU, 16GB RAM, 500GB SDD | $8,780.76 / year | $0 / year |
| Traffic | In- and egress | $445.44 / year | $0 / year |
| Operations | Monitoring, logs, alerting (e.g. Datadog) | $246.12 / year | $0 / year |
| Total | $14,167.78 / year | $9350 / year | |
| Cost savings | > 65% |
When dealing with a website or application that has over 100,000 daily active users, self-hosting becomes even more complicated and expensive. Here are some reasons why:
Ory Network achieves cost savings through several factors, including economies of scale, efficient multi-tenancy, and optimized design. By serving a large number of customers, we're able to spread infrastructure costs across many users, resulting in lower expenses for everyone. Our custom code also allows us to run multiple tenants on shared resources more efficiently, further reducing costs.
In contrast, self-hosting can be expensive and time-consuming. When businesses self-host, they need to purchase or rent their hardware and set up infrastructure, which can be a significant upfront investment. They also need to manage the infrastructure themselves, including updates, security, and maintenance. This requires an experienced team and/or other third party services. These ongoing costs can add up quickly.
In contrast, Ory Network provides a turnkey solution that eliminates the need for businesses to manage their infrastructure. We take care of hardware, software, security, and maintenance, allowing businesses to focus on their core competencies instead of worrying about IT operations. This can result in significant cost savings, especially for smaller businesses or those without dedicated IT resources. By choosing Ory Network, businesses can save time, reduce costs, and improve their overall identity and access management solution.
Have questions about Ory Network or need help with your identity and access management solution? Reach out to our team of experts!
