The web UI Ory doesn't ship. Every self-service identity flow for Ory Kratos and Ory Hydra β login, registration, recovery, MFA, OAuth2 consent β plus an admin console, in a single server-rendered binary.
Ory's engines are excellent, but headless β you get APIs, your users need pages. Forseti is the missing frontend: one binary that talks to Kratos (identity) and Hydra (OAuth2/OIDC) and gives your users real screens for every flow, plus an admin surface for operators.
Because it's backed by software the giants scale with β OpenAI self-hosts Ory Hydra to issue tokens for ChatGPT β so your auth load rides on the most battle-tested engine in this space, not on Forseti itself. And it doesn't lock you in: Ory is the contract, Forseti is just the face. You can move to Ory Network (their cloud) later, or build your own frontend against the same Kratos and Hydra APIs and swap it in. That makes Forseti a low-risk stepping stone β and, since it's fully themeable, a fine permanent answer if it's all you ever need.
| π Every Kratos flow, server-rendered | Login, registration, recovery, verification, and the full settings hub β profile, password, MFA/TOTP, passkeys, social logins, active sessions. |
| πͺͺ OAuth2 / OIDC bridge | Login, consent, and logout screens for Hydra's authorization-code flow β turn Forseti into a drop-in OIDC provider for your own apps. |
| π§© 40+ app templates | One-click, pre-filled OAuth2 client setup for popular self-hosted apps (GitLab, Nextcloud, Vaultwarden, Grafana, Immich, β¦) β redirect URIs and per-app OIDC quirks already filled in. Full list β |
| π οΈ Admin console | Manage identities, sessions, and OAuth2 clients; append-only audit log; live status dashboard; dynamic-client-registration tokens. |
| π’ Organizations | Multi-tenant orgs with members, invites, per-org theming (brand colours, a preset, and an uploaded logo β the authenticated app is white-labelled by the active org), and per-org OIDC claims. Each org runs internal (invite-only) or external β a public self-serve signup page at /o/{slug} β plus optional email-domain auto-join for workforce orgs. |
| π Observability (licensed) | Prometheus /metrics on the internal listener, token-gated: HTTP request counts and latency plus a couple of bridged operational gauges. Setup β |
| π§ Linux host auth (preview) | Back your Linux logins off the identity store: NSS passwd/group + per-user SSH-key distribution, interactive ssh/console login via the OAuth Device Authorization Grant (RFC 8628), and offline passphrase login when the server's unreachable. Setup β |
| π Nine languages | UI translated into English, German, French, Spanish, Italian, Portuguese, Russian, Thai, and Arabic (RTL-aware), including Kratos's own error messages. A footer switcher sets the language; otherwise it follows the browser's Accept-Language. |
| π Light & dark | A built-in theme toggle (light / dark / follow-system) across every page. |
| π‘οΈ Production-minded | CSRF on every form, signed cookies, rate-limited DCR, and an account-deletion webhook saga with retries. |
Forseti can fold the caller's org membership into the ID token and userinfo, so a connected app does tenant-aware access control without a second API call. Three opt-in scopes cover different needs; grant a client any combination (each still needs the user's consent, and only shows up when requested):
| Scope | Claim shape | Covers | Standardized? | Reach for it when |
|---|---|---|---|---|
groups |
Flat array of team slugs | The active org's teams | De-facto (widely implemented) | Wiring a third-party app (ArgoCD, Grafana, Harbor, Proxmox, β¦) that maps a groups claim to its own roles |
org |
One object: active org + your role | The active org | Forseti-specific | An app that only cares about the currently-selected tenant |
orgs |
Array of {id, slug, role, name} |
Every org you belong to | Forseti-specific | A multi-tenant app (e.g. Stackpit) that renders an org switcher and enforces per-org roles |
groups is the portable path: it's in no RFC, but enough apps read a groups claim that it's become the lingua franca for role mapping, which is why the app templates use it. org/orgs are richer and self-describing (they carry the role explicitly) but only an app written against Forseti's shape can consume them. No off-the-shelf IdP emits orgs, and no generic app reads it.
One thing to keep in mind: groups reflects the active org only, while orgs spans all memberships, so for a multi-tenant app the two can look like they disagree. That's by design, not a bug.
| OSS (unlicensed) | Commercial (licensed) | |
|---|---|---|
| Identity portal | Full self-service portal, single default org | Same, plus named orgs beyond Default |
| Enterprise SAML SSO | Unavailable | Per-org connections at /sso/{org-slug} |
| Linux (POSIX) auth accounts | Up to the free seat cap | Higher seat cap |
| Observability | Unavailable | Prometheus /metrics on the internal listener, token-gated |
| Health checks, JSON logs | Full | Full |
See Commercial features for the licensing model, the grace period on expiry, and full detail on each feature.
Here's the thing: Forseti isn't another from-scratch identity engine. Rauthy, Kanidm, Keycloak and FreeIPA each implement their own protocol stack and their own datastore β they are the engine. Forseti is the part Ory never shipped: a server-rendered UI, an admin console, multi-tenant orgs, and governance, sitting in front of Ory Kratos and Ory Hydra β engines that are already OpenID-certified and battle-tested in production. So the comparison below is a little apples-to-oranges, and that's rather the point.
Legend: β built-in Β· β partial / via add-on / consumes-not-serves Β· β no Β· β commercial license
| Forseti | Rauthy | Kanidm | Keycloak | FreeIPA | |
|---|---|---|---|---|---|
| What it is | UI + governance layer on Ory | Standalone OIDC provider | Passkey-first IdM | Full IAM server | Linux/Unix domain IdM |
| Language | Rust (Axum) | Rust | Rust | Java / Quarkus (JVM) | C + Python |
| OIDC / OAuth2 provider | β (Hydra) | β | β | β | β inbound only |
| SAML 2.0 | β β | β | β | β | β via Keycloak |
| TOTP + passkeys/WebAuthn | β (AAL2-enforced) | β passkey-first | β (passkey attestation) | β | β (+ smartcard) |
| Multi-org / tenancy | β β | β | β | β realms + orgs | β |
| Upstream IdP brokering / social login | β (Kratos) | β | β by design | β | β device-grant |
| LDAP / RADIUS / Unix (POSIX) hosts | β POSIX/PAM Β² | β PAM/NSS | β | β federation | β (core) |
| Admin console (web) | β | β | β CLI-first | β | β |
| End-user self-service UI | β (the whole point) | β | β | β | β limited |
| Datastore | SQLite / PostgresΒΉ | Embedded (Hiqlite) / Postgres | Own embedded DB | External RDBMS | 389 DS (LDAP) |
| Footprint | Binary + Ory services | Single binary (~50 MB) | Single binary | JVM, ~0.75β2 GB RAM | Heavy, Linux/RPM only |
| License | AGPL-3.0 + commercial gate | Apache-2.0 | MPL-2.0 | Apache-2.0 | GPLv3 |
| Maturity | Young; built on mature Ory | Pre-1.0, audited | Stable 1.x | Very mature (CNCF/Red Hat) | Very mature (Red Hat) |
ΒΉ Forseti's own data. Kratos and Hydra each bring their own Postgres, so a full deployment runs several services β more moving parts than a single-binary Rauthy or Kanidm. β Organizations, SAML SSO, and the Prometheus /metrics endpoint are commercial features; the AGPL core runs as a fully working single tenant. SCIM, SIEM streaming and bulk-admin are on the roadmap, not shipped. Β² Linux host auth (POSIX accounts, NSS, SSH-key distribution, PAM device-auth + offline login) ships as a preview β it backs POSIX hosts, but it's not an LDAP/RADIUS/Kerberos directory.
Where Forseti wins. If you've already bet on Ory β or you want a certified OAuth2/OIDC engine rather than a bespoke one β nothing else gives Kratos and Hydra real screens and an admin console and first-class multi-tenant organizations (members, invites, per-org branding, org/orgs OIDC claims). Rauthy, Kanidm and FreeIPA have no organizations model at all; only Keycloak does, and it costs you a JVM and a couple of gigs of RAM. You also get governance the others don't bundle: an append-only audit log, RFC 7591 dynamic client registration, and an account-deletion webhook saga that emits signed RISC events.
Where it doesn't. Forseti is not a full directory. It now can back Linux logins β POSIX accounts, SSH-key distribution, and interactive PAM login for a fleet of hosts (a preview feature) β but if you need an LDAP server, RADIUS, or Kerberos, that's still Kanidm or FreeIPA territory, not this. If you want the absolute smallest footprint and a single self-contained binary with no Ory alongside, Rauthy or Kanidm will be lighter to run. And if you need the full enterprise kitchen sink β UMA, fine-grained authz, every protocol under one roof β Keycloak still does more, at the cost of operating Keycloak. Do take the table with a grain of salt: these projects move, and the facts here are current as of mid-2026.
Prebuilt binaries for x86_64 and aarch64 Linux (glibc) are attached to every release:
# binary + the static/ assets it serves
curl -L -o forseti.tar.gz https://github.com/franzos/forseti/releases/latest/download/forseti-x86_64-unknown-linux-gnu.tar.gz
tar -xzf forseti.tar.gz
cd forseti-x86_64-unknown-linux-gnu
cp config.example.toml config.toml # then edit it
./forsetiOr pull the container image from the GitHub Container Registry:
podman pull ghcr.io/franzos/forseti:latest
podman run --rm -p 3000:3000 \
-v ./config.toml:/app/config.toml:ro \
ghcr.io/franzos/forseti:latestBoth need a reachable Kratos and Hydra β see the operator guide. The binary reads ./config.toml (override with FORSETI_CONFIG_PATH) and serves ./static relative to its working directory.
Runtime note: the binary links dynamically against
libpq(the Postgres client). On a bare host installlibpq5(Debian/Ubuntu) orlibpq(most other distros); the container image already includes it. SQLite is bundled, so it needs nothing extra.
Pre-release / active development. Core flows work end-to-end against the Ory playground; APIs, config, and schema are still moving. Pin a commit if you build on it.
# 1. Bring up the playground (Kratos, Hydra, Mailcrab, Postgres)
make stack-up
# 2. Seed a deterministic admin (password + TOTP)
make seed-admin
# 3. Run Forseti (debug build) at :3000
make runOpen http://localhost:3000. Register at /registration, grab the verification email from Mailcrab at http://127.0.0.1:4436, and you're in.
For the full OAuth2 dance β register a Hydra client, run an auth-code flow, exchange a token β see .claude/skills/ory-up/SKILL.md or the integration guide.
Browser
|
v
+------------------+ admin (server-only)
| Forseti | --------------------------------+
| Rust / Axum | |
| :3000 | --+ |
+------------------+ | |
| | |
| browser | browser |
| | v
+------------+ +------------+ | Kratos admin |
| Kratos | | Hydra | | Hydra admin |
| public | | public | | (internal only)|
+------------+ +------------+ +-----------------+
| |
+------+------+
|
v
+--------------+
| Database |
| Postgres / |
| SQLite |
+--------------+
- Operator guide β deployment topology, Kratos/Hydra config, secrets, backups
- Operator guide β reverse proxy β proxy topology, cookies, CSRF, CORS
- Integration guide β consuming Forseti as an OIDC provider
- Linux authentication β enroll hosts, provision POSIX accounts + SSH keys, PAM device-auth login, and offline access (preview)
- Commercial features β licensing model, plus the Organizations, Enterprise SAML SSO, and Observability guides
Forseti is dual-licensed:
- AGPL-3.0 for the open-source core (everything outside
src/commercial/) - Commercial license for paid features in
src/commercial/
Built on Ory Kratos and Ory Hydra.
Forseti β named for the Norse god of justice and reconciliation.


