Identity-Aware Proxy & Zero Trust Gateway | Ory Oathkeeper

Question 1

What is Ory Oathkeeper?

Accepted Answer

Ory Oathkeeper is an open-source Identity and Access Proxy (IAP) and Access Control Decision API. It sits in front of your services and evaluates every incoming HTTP request against a set of access rules. For each request, Ory Oathkeeper authenticates the caller, checks authorization, and optionally transforms the request (for example, by adding identity headers or a signed JWT) before forwarding it to your upstream service. Unauthorized requests are rejected at the proxy layer. Ory Oathkeeper follows the BeyondCorp/Zero Trust security model and is written in Go. It is available as open-source software (Apache 2.0), under the Ory Enterprise License, and as part of the Ory Network.

Question 2

What business benefits does Ory Oathkeeper provide?

Accepted Answer

Ory Oathkeeper allows businesses to adopt a Zero Trust security model. Instead of relying on a "secure perimeter" (like a VPN), it verifies every single request to your services, whether they come from employees, partners, or customers.

Unlike rigid legacy systems, Ory Oathkeeper integrates with your existing infrastructure. It can act as a standalone reverse proxy or plug into your current API Gateways (like Envoy, AWS API Gateway, Nginx, or Ambassador).

Provides a unified way to authenticate, authorize, and manage incoming HTTP(s) traffic across all your services, reducing the complexity of managing security rules in multiple different places.

Ory Oathkeeper standardizes diverse user data into a single, secure source of truth. By delivering consistent identity context to every service, it eliminates security gaps and ensures your access policies are enforced with absolute precision across the enterprise.

Question 3

How does Ory Oathkeeper process requests?

Accepted Answer

Ory Oathkeeper processes each request through a four-stage pipeline. First, it matches the request's URL, method, and host against its configured access rules. If no rule matches, the request is denied. Second, it runs the authenticator stage: validating credentials such as a Bearer token, session cookie, or API key. Third, it runs the authorizer stage: checking whether the authenticated subject has permission to access the resource. Fourth, it runs the mutator stage: transforming the request before forwarding it upstream, for example by injecting an X-User-ID header or generating a signed JWT as a Bearer token.

Question 4

What authenticators, authorizers, and mutators does Ory Oathkeeper support?

Accepted Answer

Ory Oathkeeper supports multiple authenticators per rule, checked in order: cookie_session (validates session cookies against an external endpoint like Ory Kratos), bearer_token, oauth2_introspection, jwt, anonymous (treats unauthenticated requests as a guest subject), noop (bypasses authentication), and unauthorized (rejects all requests). Authorizers include allow (permit all), deny (reject all), and integration with Ory Keto for fine-grained permission checks. Mutators include header (adds custom HTTP headers using Go templates), id_token (generates a signed RS256 JWT), cookie (sets cookies), and noop (passes the request through unchanged). You can chain multiple mutators per rule.

Question 5

Can Ory Oathkeeper work with my existing API gateway?

Accepted Answer

Yes. Ory Oathkeeper operates in two modes. As a reverse proxy, it sits in front of your upstream service and handles traffic directly (default port 4455). As an Access Control Decision API, it exposes a /decisions endpoint (default port 4456) that your existing API gateway queries via sub-request. Your gateway sends the original request details to Ory Oathkeeper, which returns 200 (allowed, with mutated headers), 401 (unauthorized), or 403 (forbidden). Documented integrations exist for Nginx, Envoy, Traefik (ForwardAuth middleware), Kong, Ambassador/Emissary-ingress, and AWS API Gateway.

Question 6

Does Ory Oathkeeper require a database?

Accepted Answer

No. Ory Oathkeeper has no database dependency and no persistent storage requirement. Access rules are loaded from the filesystem (YAML or JSON files), environment variables, or HTTP(S) endpoints including S3, GCS, and Azure Blob storage. This makes Ory Oathkeeper simple to deploy and upgrade: there are no migrations. Install the new version and restart.

Question 7

How does Ory Oathkeeper work with Ory Kratos and Ory Keto?

Accepted Answer

A common Zero Trust setup uses all three together. Ory Oathkeeper validates the user's session cookie by calling Ory Kratos's /sessions/whoami endpoint through the cookie_session authenticator. If the session is valid, Ory Oathkeeper extracts the identity ID and passes it to the authorizer. The authorizer can check permissions against Ory Keto to determine whether the user is allowed to access the requested resource. If authorized, a mutator converts the session into a signed JWT or custom header (such as X-User-ID) and forwards the enriched request to the upstream service. This keeps authentication and authorization logic out of your application code entirely.

Question 8

Why Ory for your IAM?

Accepted Answer

Zero Trust Performance at the Edge - Ory Oathkeeper is a cloud-native identity & access proxy built for "deploy-anywhere" environments and trillion-scale performance. Ory provides a modular, flexible bridge to secure your entire ecosystem, from legacy systems to AI agents, without vendor lock-in. By centralizing policy enforcement into high-performance building blocks, Ory reduces TCO and ensures mission-critical applications are protected by a hardened Zero Trust architecture.

Question 9

What is Zero Trust / BeyondCorp and how does Ory Oathkeeper implement it?

Accepted Answer

Zero Trust is a security model where no request is trusted by default, regardless of whether it originates from inside or outside the network perimeter. Every request must be authenticated and authorized. Ory Oathkeeper implements this model by acting as a Policy Enforcement Point: it intercepts all incoming HTTP traffic, validates credentials, checks permissions, and only forwards requests that pass both checks. This replaces the traditional approach of relying on network-level trust (firewalls, VPNs) with per-request identity verification.

Question 10

How does Ory Oathkeeper fit into the Ory ecosystem?

Accepted Answer

Ory Oathkeeper is the enforcement layer. Ory Kratos handles identity (authentication, registration, MFA). Ory Hydra handles OAuth2/OIDC token issuance. Ory Keto handles fine-grained permissions. Ory Oathkeeper ties them together at the network edge: it validates sessions from Ory Kratos, checks permissions against Ory Keto, and can introspect OAuth2 tokens from Ory Hydra. On the Ory Network, all four services are pre-integrated.

Question 11

How is Ory Oathkeeper different from an API gateway?

Accepted Answer

API gateways (Nginx, Kong, Envoy, AWS API Gateway) handle traffic routing, rate limiting, load balancing, and TLS termination. Ory Oathkeeper handles identity-aware access control: authenticating callers, checking permissions, and enriching requests with identity context. These are complementary, not competing. You can deploy Ory Oathkeeper as a standalone reverse proxy to replace a simple gateway, or deploy it alongside your existing gateway as a decision API sidecar. The key difference is that Ory Oathkeeper understands identity natively: it can validate Ory Kratos sessions, introspect OAuth2 tokens, check Ory Keto permissions, and emit signed JWTs, none of which a general-purpose API gateway does out of the box.

Question 12

Is Ory Oathkeeper free? How does pricing work?

Accepted Answer

Ory Oathkeeper open source is free under the Apache 2.0 license. You can self-host it at no cost.

On the Ory Network, Ory Oathkeeper capabilities are included as part of the platform. There is no separate per-request charge for Ory Oathkeeper itself; billing is based on aDAU (identity usage), M2M tokens, and permission checks from Ory Keto. The Ory Network free Developer tier is available for testing.

For self-hosted production with SLAs and enterprise support, the Ory Enterprise License is available at custom pricing.

Oathkeeper Identity-aware proxy for Zero Trust & BeyondCorp

Need control and support?

Need to move quickly?

An identity-aware proxy that fits your stack

Identity and Access Proxy

Zero Trust gateway with BeyondCorp

Open source roots, with deployment flexibility

Identity and Access Proxy

Zero Trust gateway with BeyondCorp

Open source roots, with deployment flexibility

Identity-aware proxy capabilities at a glance

Identity-aware HTTP proxy

API gateway integration

Identity context propagation

Flexible deployment for Ory Oathkeeper identity-aware proxy

Open Source

Ory Enterprise License

Ory Network

Ready to try Ory Oathkeeper?

Ory Oathkeeper FAQ

Try Ory today Start for free