background color

OryKeto Fine-grained access control: Global, granular,
and lightning fast

Authorization server based on Google Zanzibar — supporting RBAC and ReBAC patterns at scale.

Access control systems often falter under heavy load, struggling with consistency and responsiveness. Ory Keto, based on Google Zanzibar, addresses this by delivering fine-grained authorization with minimal latency and strong consistency, even at high request volumes.

Need support?

Run Ory Keto on your own infrastructure with commercial support, SLA-backed responses, and CVE patching from the team that builds it.

Need to move quickly?

Skip the operational overhead — get fine-grained access control as a fully managed service with global edge latency and 99.99% availability.

Fine-grained permissions, built for split-second decisions

Ory Keto is a distributed authorization server built on Google Zanzibar, supporting RBAC and ReBAC patterns from a single permissions API.

SDKs for any language and framework

Ory Keto is written in Go with official SDKs for every major language: Node.js, Python, Java, .NET, PHP, Ruby, and more. It works behind any framework and integrates with your existing data structures and identifiers without forcing a rewrite, so engineers can add fine-grained permissions fast.

Permission management & policy decision point

Resolve authorization decisions in real time through Keto's permissions API. Determine whether an entity (user, service, or Iot) is allowed to perform an action via HTTP/REST or gRPC, with Keto acting as the policy decision point for every microservice in your stack.

Authorization server powered by open-source

Ory Keto offers deployment flexibility. With open source roots, Ory Keto has grown to offer different models to suit your business needs. Deploy open-source, opt for Ory Enterprise License with additional features and support, or use the fully managed Ory Network for a seamless SaaS experience.

Padis logo
Padis Logo
Akibur Rahman
Akibur Rahman

Akibur Rahman

System Architect

Ory components met modern technical standards, seamlessly integrated into our system, and were easily customizable to our needs.

Ory Keto features for fine-grained permissions at scale

  • Sub-10ms permission checks

    Ory Keto is built on Google Zanzibar's principles and has sustained 95th-percentile latency under 10ms with greater than 99.99% availability across years of production use — fast enough to run synchronous authorization in the request path of every API call.

  • RBAC and ReBAC from one API

    Mix authorization patterns within the same application without managing separate engines. Express role-based, attribute-based, list-based, and relationship-based access through a unified permissions API.

  • Global access control

    Distribute permission checks across regions and clouds with consistency — write a permission update in one region and have it visible correctly anywhere in the world. Ory Network operates Ory Keto across global edge locations so authorization checks resolve close to your users, regardless of where you're deployed.

How to de-risk identity at scale with Ory

OSS is where most teams start. The question is whether it holds up as scale, compliance, and security requirements grow. Running identity infrastructure yourself means owning everything, from patches to incident response, compliance controls, and performance tuning. At enterprise scale, that overhead competes with product innovation. Ory's commercial offerings, OEL and Ory Network, trade that burden for SLA-backed support, managed CVE patching, and audit-ready controls.

OSS

Evaluate and prototype

OEL

Self-hosted, great for enterprises that require air-gapped or certified environments

Ory Network

Fully-managed, fastest path to production without operational overhead
Compliance and audit-ready (GDPR, PSD2, PCI-DSS, SOC 2, and others)
OSS: No
Compliance and audit-ready (GDPR, PSD2, PCI-DSS, SOC 2, and others)
Compliance-ready
Compliance and audit-ready (GDPR, PSD2, PCI-DSS, SOC 2, and others)
Ory Network: Yes
Global multi-region architecture
OSS: No
Global multi-region architecture
Multi-region capable
Global multi-region architecture
Ory Network: Yes
Purpose-based data retention
OSS: No
Purpose-based data retention
OEL: Yes
Purpose-based data retention
Ory Network: Yes
24/7 SLA support
OSS: No
24/7 SLA support
OEL: Yes
24/7 SLA support
Ory Network: Yes
CVE security patching
OSS: No
CVE security patching
OEL: Yes
CVE security patching
Ory Network: Yes
Unified control plane for ease of management
CLI
Unified control plane for ease of management
CLI & GUI
Unified control plane for ease of management
CLI & GUI
Production Helm Charts
OSS: No
Production Helm Charts
OEL: Yes
Production Helm Charts
n/a
Managed infrastructure
OSS: No
Managed infrastructure
n/a
Managed infrastructure
Ory Network: Yes
Concierge Onboarding
OSS: No
Concierge Onboarding
OEL: Yes
Concierge Onboarding
Ory Network: Yes
Optimized Permission Checks
OSS: No
Optimized Permission Checks
OEL: Yes
Optimized Permission Checks
Ory Network: Yes
OPA & RAG Integration
OSS: No
OPA & RAG Integration
OEL: Yes
OPA & RAG Integration
Ory Network: Yes
Integrations

Ready to try Ory Keto?

Integrate Ory Keto with your existing stack in minutes. Quickstarts for Docker and Kubernetes, SDKs for every major language, and reference architectures for RBAC modeling.

policy.ts
import { Namespace, Context } from "@ory/keto-namespace-types"

class User implements Namespace {}

class Document implements Namespace {
  related: {
    owners: User[]
    editors: User[]
    viewers: User[]
    parents: Folder[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.editors.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject) ||
      this.related.parents.traverse((parent) => parent.permits.view(ctx)),
  }
}

class Folder implements Namespace {
  related: {
    owners: User[]
    editors: User[]
    viewers: User[]
    parents: Folder[]
  }
}

More on Keto

Ory Keto FAQ

Try Ory today Start for free