
Ory Keto fine-grained access control: Global, granular, and lightning fast

Authorization server based on Google Zanzibar — supporting RBAC and ReBAC patterns at scale.

Access control systems often falter under heavy load, struggling with consistency and responsiveness. Ory Keto, based on Google Zanzibar, addresses this by delivering fine-grained authorization with minimal latency and strong consistency, even at high request volumes.

Need support?

Run Ory Keto on your own infrastructure with commercial support, SLA-backed responses, and CVE patching from the team that builds it.

Need to move quickly?

Skip the operational overhead — get fine-grained access control as a fully managed service with global edge latency and 99.99% availability.

Fine-grained permissions, built for split-second decisions

Ory Keto is a distributed authorization server built on Google Zanzibar, supporting RBAC and ReBAC patterns from a single permissions API.

SDKs for any language and framework

Ory Keto is written in Go with official SDKs for every major language: Node.js, Python, Java, .NET, PHP, Ruby, and more. It works behind any framework and integrates with your existing data structures and identifiers without forcing a rewrite, so engineers can add fine-grained permissions fast.

Permission management & policy decision point

Resolve authorization decisions in real time through Keto's permissions API. Ask over HTTP/REST or gRPC whether an entity (user, service, or IoT device) is allowed to perform an action, with Keto acting as the policy decision point for every microservice in your stack.

Authorization server powered by open-source

Ory Keto offers deployment flexibility. With open source roots, Ory Keto has grown to offer different models to suit your business needs. Deploy open-source, opt for Ory Enterprise License with additional features and support, or use the fully managed Ory Network for a seamless SaaS experience.

Akibur Rahman

System Architect, Padis

Ory components met modern technical standards, seamlessly integrated into our system, and were easily customizable to our needs.

Ory Keto features for fine-grained permissions at scale

  • Sub-10ms permission checks

    Ory Keto is built on Google Zanzibar's principles and has sustained 95th-percentile latency under 10ms with greater than 99.99% availability across years of production use — fast enough to run synchronous authorization in the request path of every API call.

  • RBAC and ReBAC from one API

    Mix authorization patterns within the same application without managing separate engines. Express role-based, attribute-based, list-based, and relationship-based access through a unified permissions API.

  • Global access control

    Distribute permission checks across regions and clouds with consistency — write a permission update in one region and have it visible correctly anywhere in the world. Ory Network operates Ory Keto across global edge locations so authorization checks resolve close to your users, regardless of where you're deployed.

How to de-risk identity at scale with Ory

OSS is where most teams start. The question is whether it holds up as scale, compliance, and security requirements grow. Running identity infrastructure yourself means owning everything, from patches to incident response, compliance controls, and performance tuning. At enterprise scale, that overhead competes with product innovation. Ory's commercial offerings, OEL and Ory Network, trade that burden for SLA-backed support, managed CVE patching, and audit-ready controls.

OSS: Evaluate and prototype

OEL: Self-hosted, great for enterprises that require air-gapped or certified environments

Ory Network: Fully-managed, fastest path to production without operational overhead

Features compared across the three offerings:

  • Compliance and audit-ready (GDPR, PSD2, PCI-DSS, SOC 2, and others) / Compliance-ready
  • Global multi-region architecture / Multi-region capable
  • Purpose-based data retention
  • 24/7 SLA support
  • CVE security patching
  • Unified control plane for ease of management (CLI / CLI & GUI)
  • Production Helm Charts
  • Managed infrastructure / n/a
  • Concierge Onboarding
  • Optimized Permission Checks
  • OPA & RAG Integration
Integrations

Ready to try Ory Keto?

Integrate Ory Keto with your existing stack in minutes. Quickstarts for Docker and Kubernetes, SDKs for every major language, and reference architectures for RBAC modeling.

policy.ts
import { Namespace, Context } from "@ory/keto-namespace-types"

class User implements Namespace {}

class Document implements Namespace {
  related: {
    owners: User[]
    editors: User[]
    viewers: User[]
    parents: Folder[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.editors.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject) ||
      this.related.parents.traverse((parent) => parent.permits.view(ctx)),
  }
}

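class Folder implements Namespace {
  related: {
    owners: User[]
    editors: User[]
    viewers: User[]
    parents: Folder[]
  }

  // Document.permits.view calls parent.permits.view(ctx), so Folder must define it.
  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.editors.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject) ||
      this.related.parents.traverse((parent) => parent.permits.view(ctx)),
  }
}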
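
To see how the `view` rule in policy.ts resolves through parent folders, here is an added example (not Ory's code and not how Keto is implemented): a small in-memory evaluator over constructed relationship tuples. The names `canView` and `related`, the sample objects and users, and the depth limit of 5 are assumptions made for illustration.

```typescript
// Added illustration: an in-memory evaluator for the `view` rule in policy.ts.
// It is not Keto's implementation; all tuple data below is constructed.
type Tuple = { ns: "Document" | "Folder"; object: string; relation: string; subject: string }

// Constructed sample relationships (hypothetical object and user names).
const tuples: Tuple[] = [
  { ns: "Folder", object: "finance", relation: "viewers", subject: "alice" },
  { ns: "Folder", object: "q3", relation: "parents", subject: "finance" },
  { ns: "Document", object: "report.pdf", relation: "parents", subject: "q3" },
  { ns: "Document", object: "report.pdf", relation: "owners", subject: "bob" },
  // A cycle (finance -> q3 -> finance) that the traversal must survive.
  { ns: "Folder", object: "finance", relation: "parents", subject: "q3" },
]

// All subjects that hold `relation` on the given object.
function related(ns: Tuple["ns"], object: string, relation: string): string[] {
  return tuples
    .filter((t) => t.ns === ns && t.object === object && t.relation === relation)
    .map((t) => t.subject)
}

// Mirrors permits.view: direct viewers/editors/owners, else inherit from parents.
function canView(
  ns: Tuple["ns"], object: string, subject: string,
  seen: Set<string> = new Set(), depth = 5,
): boolean {
  const key = `${ns}:${object}`
  if (depth === 0 || seen.has(key)) return false // bound depth, break cycles
  seen.add(key)
  const direct = ["viewers", "editors", "owners"].some((rel) =>
    related(ns, object, rel).includes(subject))
  if (direct) return true
  // Parents of both Documents and Folders are Folders in this policy.
  return related(ns, object, "parents").some((parent) =>
    canView("Folder", parent, subject, seen, depth - 1))
}
```

A subject with no relationship anywhere in the parent chain is denied by default, and a depth limit that is too small denies access that a deeper traversal would grant, so nesting depth and the limit need to be chosen together.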
