A cloud native Identity & Access Proxy (IAP) which authenticates and authorizes incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.
stszap and aeneasr Support "scope" claim as a string in jwt authenticator (#137)
Signed-off-by: Stanislav Zapolsky <stszap@gmail.com>
Latest commit ab5240e Nov 15, 2018
Failed to load latest commit information.
.circleci ci: Use beta.8 as hydra image Aug 31, 2018
.github docs: Updates issue and pull request templates (#127) Oct 17, 2018
cmd cmd: Add http proxy timeout config (#132) Nov 5, 2018
docs docs: Improve some docs and update SDK (#135) Nov 11, 2018
health health: Introduce health and version endpoint Jul 21, 2018
helper cmd: Add ability to configure scope strategy Aug 24, 2018
judge proxy: Authenticator noop should not bypass Aug 9, 2018
pkg all: Refactors Oathkeeper into new ecosystem (#60) May 21, 2018
proxy Support "scope" claim as a string in jwt authenticator (#137) Nov 15, 2018
rsakey proxy: Make subject configurable using go template (#129) Oct 23, 2018
rule docs: Improve some docs and update SDK (#135) Nov 11, 2018
scripts sdk: Add NodeJS SDK (#94) Aug 1, 2018
sdk docs: Improve some docs and update SDK (#135) Nov 11, 2018
stub stub: Update rules stub Aug 31, 2018
.dockerignore all: initial commit Oct 10, 2017
.gitattributes Tells linguist to ignore SDK files May 10, 2018
.gitignore docs: Adds automatic summary generation (#49) Feb 17, 2018
CHANGELOG.md docs: Incorporates changes from version v1.0.0-beta.9 Sep 1, 2018
CODE_OF_CONDUCT.md docs: Adds gh templates & code of conduct (#78) Jun 15, 2018
CONTRIBUTING.md docs: Updates README.md (#58) Mar 17, 2018
Dockerfile all: Refactors Oathkeeper into new ecosystem (#60) May 21, 2018
Gopkg.lock proxy: Add JWT authenticator Aug 24, 2018
Gopkg.toml proxy: Add JWT authenticator Aug 24, 2018
LICENSE docs: Updates copyright notice Jun 16, 2018
README.md docs: Update link to security console Sep 15, 2018
UPGRADE.md cmd: Streamlines https configuration variables (#124) Oct 11, 2018
doc.go all: Updates license header Feb 27, 2018
doc_swagger.go all: Updates license header Feb 27, 2018
docker-compose.yml Adds docker-compose example with postgres Jul 7, 2018
main.go all: Updates license header Feb 27, 2018
package.json sdk: Upgrade superagent version Aug 31, 2018


ORY Oathkeeper - Cloud Native Identity & Access Proxy

Chat | Forums | Newsletter

Guide | API Docs | Code Docs

Support this project!

ORY Oathkeeper is an Identity & Access Proxy (IAP) that authorizes HTTP requests based on sets of rules. The BeyondCorp Model is designed by Google and secures applications in Zero-Trust networks. An Identity & Access Proxy is typically deployed in front of (think API Gateway) web-facing applications and is capable of authenticating and optionally authorizing access requests.

While the full feature set of the BeyondCorp Whitepaper is not yet implemented, the goal of this project is to achieve this in the future.

ORY Oathkeeper is a reverse proxy which evaluates incoming HTTP requests based on a set of rules that are defined by administrative users. ORY Oathkeeper is thus capable of:

  • Identifying the user and providing the user session to API backends (authentication).
  • Restricting access to certain resources based on a set of rules (authorization).
  • Transforms access credentials (e.g. OAuth2 Access Tokens, SAML Assertions, ...) to a format (e.g. JSON Web Token, Plaintext, Basic Authorization, ...) consumable by your API services.

This service is stable, but under active development and may introduce breaking changes in future releases. Any breaking change will have extensive documentation and upgrade instructions.

CircleCI Coverage Status Go Report Card


There are various ways of installing ORY Oathkeeper on your system.

Download binaries

The client and server binaries are downloadable at releases. There is currently no installer available. You have to add the ORY Oathkeeper binary to the PATH environment variable yourself or put the binary in a location that is already in your path (/usr/bin, ...). If you do not understand what that all of this means, ask in our chat channel. We are happy to help.

Using Docker

Starting the host is easiest with docker. The host process handles HTTP requests and is backed by a database. Read how to install docker on Linux, OSX or Windows. ORY Oathkeeper is available on Docker Hub.

You can use ORY Oathkeeper without a database, but be aware that restarting, scaling or stopping the container will lose all data:

$ docker run -e "DATABASE_URL=memory" -d --name my-oathkeeper -p 4455:4455 -p 4456:4456 oryd/oathkeeper serve api

Building from source

If you wish to compile ORY Oathkeeper yourself, you need to install and set up Go 1.10+ and add $GOPATH/bin to your $PATH as well as golang/dep.

The following commands will check out the latest release tag of ORY Oathkeeper and compile it and set up flags so that oathkeeper version works as expected. Please note that this will only work with a linux shell like bash or sh.

go get -d -u github.com/ory/oathkeeper
cd $(go env GOPATH)/src/github.com/ory/oathkeeper
OATHKEEPER_LATEST=$(git describe --abbrev=0 --tags)
dep ensure -vendor-only
go install \
    -ldflags "-X github.com/ory/oathkeeper/cmd.Version=$OATHKEEPER_LATEST -X github.com/ory/oathkeeper/cmd.BuildTime=`TZ=UTC date -u '+%Y-%m-%dT%H:%M:%SZ'` -X github.com/ory/oathkeeper/cmd.GitHash=`git rev-parse HEAD`" \
git checkout master
oathkeeper help


ORY Security Console

ORY Security Console: Administrative User Interface

The ORY Security Console is a visual admin interface for managing ORY Hydra, ORY Oathkeeper, and ORY Keto.

ORY Hydra: OAuth2 & OpenID Connect Server

ORY Hydra ORY Hydra is a hardened OAuth2 and OpenID Connect server optimized for low-latency, high throughput, and low resource consumption. ORY Hydra is not an identity provider (user sign up, user log in, password reset flow), but connects to your existing identity provider through a consent app.

ORY Keto: Access Control Policies as a Server

ORY Keto is a policy decision point. It uses a set of access control policies, similar to AWS IAM Policies, in order to determine whether a subject (user, application, service, car, ...) is authorized to perform a certain action on a resource.


The ory/examples repository contains numerous examples of setting up this project individually and together with other services from the ORY Ecosystem.


Disclosing vulnerabilities

If you think you found a security vulnerability, please refrain from posting it publicly on the forums, the chat, or GitHub and send us an email to hi@ory.am instead.


Our services collect summarized, anonymized data which can optionally be turned off. Click here to learn more.



The Guide is available here.

HTTP API documentation

The HTTP API is documented here.

Upgrading and Changelog

New releases might introduce breaking changes. To help you identify and incorporate those changes, we document these changes in UPGRADE.md and CHANGELOG.md.

Command line documentation

Run oathkeeper -h or oathkeeper help.


Developing with ORY Oathkeeper is as easy as:

go get -d -u github.com/ory/oathkeeper
cd $GOPATH/src/github.com/ory/oathkeeper
dep ensure
go test ./...

Then run it with in-memory database:

DATABASE_URL=memory go run main.go serve all


Thank you to all our backers! 🙏 [Become a backer]

We would also like to thank (past & current) supporters (in alphabetical order) on Patreon: Alexander Alimovs, Chancy Kennedy, Drozzy, Oz Haven, TheCrealm


Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]

A special thanks goes out to Wayne Robinson for supporting this ecosystem with $200 every month since Oktober 2016 on Patreon.