Ory Keto: The Access Control System for Modern Applications Review: Features, Pricing, and Why Startups Use It

Introduction

As your product grows, access control quickly becomes more than a few role checks in your code. You need to define who can do what, where, and when across multiple services, teams, and environments. That’s where Ory Keto comes in: an open-source, cloud-native authorization server designed for modern, distributed applications.

Startups use Ory Keto because it centralizes authorization logic, scales with microservices and APIs, and keeps security policies auditable and maintainable. Instead of baking complex authorization rules into every service, teams rely on Keto as a dedicated, standards-based access control layer.

What the Tool Does

Ory Keto is an open-source authorization server that implements Google Zanzibar-style relationship-based access control (ReBAC). Its core purpose is to answer a single question, efficiently and consistently:

“Is user X allowed to perform action Y on resource Z?”

It acts as a central decision service for access control. Your applications ask Keto if a user (or machine identity) is allowed to perform an operation, and Keto responds based on defined relationships and policies. It is not an authentication tool (logins, identities, tokens) but an authorization engine that typically integrates with your identity provider, API gateway, or backend services.

Key Features

1. Relationship-Based Access Control (ReBAC)

Instead of basic roles, Keto models relationships between users, groups, and resources (“Alice is an editor of document 123”). This allows highly flexible, fine-grained access rules.

  • Model permissions as relationships (e.g., owner, viewer, editor).
  • Handle complex hierarchies (orgs, teams, projects, folders).
  • Express real-world sharing semantics similar to Google Drive or GitHub.
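To make the relationship model concrete, here is an added example (my own illustration, not Ory Keto's code) of how Zanzibar-style relation tuples answer "is user X allowed action Y on resource Z?" through group membership, folder inheritance and implied relations. The namespaces, relation names, users and the Drive-like sharing scenario are all constructed for the example.

```python
# Constructed, in-memory model of the Zanzibar-style relation tuples Keto stores
# (example code, not Ory Keto's own implementation). A subject is either a user id
# ("alice") or a subject set (namespace, object, relation) meaning "everyone with
# that relation on that object", e.g. every member of a group.

class RelationStore:
    def __init__(self):
        self.tuples = set()   # (namespace, object, relation, subject)
        # Per namespace: relation -> relations that imply it (Zanzibar's
        # "computed userset"): an owner is also an editor and a viewer.
        self.implied = {}

    def write(self, namespace, obj, relation, subject):
        self.tuples.add((namespace, obj, relation, subject))

    def check(self, namespace, obj, relation, user, _seen=None):
        """Answer 'is `user` allowed `relation` on namespace:obj?'; deny by default."""
        _seen = set() if _seen is None else _seen
        key = (namespace, obj, relation)
        if key in _seen:            # cyclic subject sets or already-failed branch
            return False
        _seen.add(key)
        for ns, o, rel, subject in self.tuples:
            if (ns, o, rel) != key:
                continue
            if subject == user:     # direct grant
                return True
            # subject set: recurse into the referenced object, e.g. groups:eng#member
            if isinstance(subject, tuple) and self.check(*subject, user, _seen):
                return True
        # a stronger relation on the same object grants this one (owner > editor > viewer)
        for stronger in self.implied.get(namespace, {}).get(relation, ()):
            if self.check(namespace, obj, stronger, user, _seen):
                return True
        return False


def build_example_store():
    """Constructed Google-Drive-like sharing scenario (sample data, not real users)."""
    s = RelationStore()
    for ns in ("documents", "folders"):
        s.implied[ns] = {"viewer": {"editor"}, "editor": {"owner"}}
    s.write("groups", "eng", "member", "bob")
    # the whole eng group may edit the "specs" folder
    s.write("folders", "specs", "editor", ("groups", "eng", "member"))
    s.write("documents", "rfc-1", "owner", "alice")
    # rfc-1 lives in "specs": it inherits viewer and editor from the folder
    for rel in ("viewer", "editor"):
        s.write("documents", "rfc-1", rel, ("folders", "specs", rel))
    return s
```

With this store, `check("documents", "rfc-1", "editor", "bob")` is true only because bob is a member of a group that edits the parent folder, and `check("documents", "rfc-1", "owner", "bob")` is false: no tuple or implied relation grants it, so the default deny applies.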

2. Centralized Authorization Service

Keto exposes APIs for permission checks and relationship management, acting as a single source of truth for authorization across all services.

  • Consistent access control across microservices, APIs, and UIs.
  • Reduces duplicated authorization code in each service.
  • Makes audits and compliance easier because rules live in one place.

3. High-Performance, Low-Latency Checks

Ory Keto is designed for high query volume and low latency.

  • Efficient storage engine for relationships and permissions.
  • Horizontal scaling for large workloads.
  • Well-suited for real-time APIs and high-traffic SaaS products.

4. API-First and Cloud-Native

Keto is built to be integrated programmatically and deployed in modern environments.

  • REST APIs and gRPC support.
  • Docker and Kubernetes ready (Helm charts, configuration via environment variables).
  • Works in multi-region and containerized setups.

5. Open Source and Extensible

As part of the Ory ecosystem (including Ory Kratos for identity and Ory Hydra for OAuth2/OIDC), Keto is fully open source.

  • MIT-licensed open source core.
  • Active community and regular releases.
  • Can be combined with other Ory components or used standalone.

6. Auditing and Observability

Centralized authorization enables better visibility.

  • Track changes to relationships and permissions.
  • Log and trace authorization checks.
  • Integrate with monitoring and logging stacks for compliance and debugging.

Use Cases for Startups

1. Multi-Tenant SaaS Platforms

For B2B SaaS, you often need different roles and permissions across tenants and organizations.

  • Define org-level roles (admin, member, billing) and resource-specific permissions.
  • Isolate tenants while allowing cross-org collaboration where needed.
  • Manage complex sharing models for projects, dashboards, documents, or workspaces.

2. Microservices and APIs

Microservice architectures quickly become messy if each service implements its own authorization logic.

  • Use Keto as a central authorization microservice.
  • Each service calls Keto’s API to check permissions.
  • Update rules centrally without redeploying every service.

3. Developer Platforms and Marketplaces

If you run a platform with apps, plugins, or external integrations, access control becomes nuanced.

  • Control which apps or API keys can access specific resources.
  • Model permissions between external developers, customers, and resources.
  • Offer fine-grained API scopes tied to your authorization model.

4. Internal Tools and Admin Panels

Startups often build internal dashboards for support, operations, or analytics.

  • Restrict sensitive operations (refunds, data exports, account deletions).
  • Give granular access by team, role, or geography.
  • Log and audit who accessed what for compliance.

5. Replacing Hardcoded Permissions

Many early-stage products start with ad-hoc, hardcoded checks like if (user.isAdmin). That doesn’t scale.

  • Migrate to a centralized, declarative authorization model.
  • Reduce risk of inconsistent or forgotten checks across the codebase.
  • Prepare the product for enterprise-grade permission requirements.

Pricing

Ory Keto itself is open source and free to self-host. However, for managed infrastructure and additional enterprise features, Ory offers a hosted platform.

Open Source (Self-Hosted)

  • Price: Free (MIT license).
  • You manage: infrastructure, scaling, backups, monitoring.
  • Best for: teams with DevOps capacity and strong Kubernetes/infra skills.

Ory Cloud (Managed Service)

Ory provides a managed cloud offering for its stack, including Keto, with usage-based pricing. Specific details can change over time, but typically include:

  • Free tier: limited usage suitable for development and small projects.
  • Paid tiers: scale with number of requests, projects, and environments.
  • Enterprise plans: for advanced SLAs, compliance, and larger scales.

Founders should review current pricing directly on the Ory website to align with expected traffic and compliance needs.

Option: Self-hosted Ory Keto
  • Cost: Free (open source)
  • Pros: Full control; no license fees; customizable; data stays in your infra
  • Cons: Requires DevOps expertise; you handle scaling, upgrades, and uptime

Option: Ory Cloud (managed)
  • Cost: Free tier + paid usage tiers
  • Pros: Minimal ops overhead; faster to production; integrated observability
  • Cons: Ongoing subscription cost; data residency depends on provider regions

Pros and Cons

Pros

  • Modern ReBAC model suitable for complex, real-world permissions.
  • Open source with no vendor lock-in if self-hosted.
  • Cloud-native and scalable for high-traffic SaaS products.
  • API-first design that fits microservices and headless architectures.
  • Part of the Ory ecosystem, making it easier to pair with identity and auth.

Cons

  • Learning curve for teams unfamiliar with Zanzibar/ReBAC concepts.
  • Requires infra maturity if self-hosted (Kubernetes, observability).
  • Overkill for very simple apps with only one or two basic roles.
  • Authorization logic is externalized, which requires good service integration discipline.

Alternatives

Several other tools and patterns can address authorization needs. Choosing between them depends on your stack, complexity, and team skills.

Auth0 (Authorization features)
  • Type: Hosted identity + basic RBAC/ABAC
  • Best for: Startups wanting an all-in-one auth/identity provider
  • Key difference vs. Ory Keto: More focused on authentication and simple roles; less flexible ReBAC model

AWS IAM / Cognito + custom logic
  • Type: Cloud provider IAM + app code
  • Best for: AWS-centric stacks
  • Key difference vs. Ory Keto: Tightly coupled to AWS; not a standalone, cross-cloud authorization server

Cerbos
  • Type: Policy-based authorization (YAML policies)
  • Best for: Teams preferring declarative policy files (RBAC/ABAC)
  • Key difference vs. Ory Keto: Policy-driven rather than relationship-driven Zanzibar-style modeling

Casbin
  • Type: Embedded authorization library
  • Best for: Apps wanting an in-process library instead of a separate service
  • Key difference vs. Ory Keto: Runs in-process; doesn’t provide a centralized auth server by default

Open Policy Agent (OPA)
  • Type: General-purpose policy engine
  • Best for: Broad policy enforcement (K8s, infra, APIs)
  • Key difference vs. Ory Keto: More generic policy engine; Keto is specialized for app-level permissions

Who Should Use It

Ory Keto is a strong fit for startups that:

  • Operate or plan to operate a multi-tenant SaaS with complex sharing and roles.
  • Have or are moving to a microservices or service-oriented architecture.
  • Need fine-grained, dynamic permissions that go beyond simple role-based checks.
  • Expect to serve enterprise customers that demand auditable, robust access control.
  • Have at least some DevOps or platform engineering capability (or are willing to use Ory Cloud).

It may be less suitable if:

  • Your app is very simple with a single role or two, and you do not expect complexity soon.
  • You lack the resources or appetite to maintain an additional infrastructure component and do not want a managed service.
  • You prefer to keep all authorization logic tightly coupled inside a monolithic application for now.

Key Takeaways

  • Ory Keto is a modern, open-source authorization server implementing relationship-based access control inspired by Google Zanzibar.
  • It centralizes permission checks across microservices, APIs, and UIs, improving consistency and maintainability.
  • Ideal for multi-tenant SaaS and complex sharing models where simple RBAC is insufficient.
  • Available as free, self-hosted software or via Ory’s managed cloud, which reduces operational overhead.
  • There is a learning curve and infrastructure cost, but for growing startups with complex access needs, Keto can prevent security bugs and tech debt down the line.

URL for Start Using

You can explore Ory Keto and get started here:
