I am currently using oathkeeper, keto and kratos in my project. It is not production ready but I made it work with the following architecture:
1. Custom signup in nextjs
3. Creation of a user entity in another table/database to own the user data 100%, but without the identity id. Maybe I should add it in here?
4. Using a hook to update the identity after the signup to add tenant, userId and role to the public metadata of the identity. I would prefer the admin metadata, but there seems to be no API to work with that here…
5. The routes are all secured by checking the user's role from the public metadata. I do not create specific access permissions for each user, which would make it even harder to manage. Maybe I should do that by writing some code to automate it, but the solution I currently use seems good enough…
6. The metadata is not sent by the user to validate. It is fetched and sent upstream to the service by oathkeeper via JWT mutation.
All in all, it seems to work, and my only problem is probably the rate limiting, which I do not know how to do with oathkeeper. Maybe adding an ingress into it somehow? I could also build another entry gateway before oathkeeper to rate limit with my own logic, but this is suboptimal.
I would like to remove my rate limiting middleware from my services and handle everything at oathkeeper. Is that somehow possible?
Do you guys think that this solution is possibly production ready?
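An Oathkeeper access rule that implements steps 5 and 6 of the architecture above (session looked up at Kratos, then tenant, userId and role from the identity's public metadata forwarded upstream as JWT claims), as an added example, not taken from the original post. The upstream, gateway, Kratos and JWKS URLs are placeholder assumptions; the metadata keys are the ones named in the post.

```yaml
# Added example (not from the original post). All URLs are placeholders.
# Uses Oathkeeper's default regexp matching strategy for the <.*> pattern.
- id: "api:protected-routes"
  upstream:
    url: "http://api.internal:8080"        # placeholder: the service behind the gateway
    strip_path: "/api"
  match:
    url: "https://gateway.example.com/api/<.*>"   # placeholder gateway host
    methods: ["GET", "POST", "PUT", "DELETE"]
  authenticators:
    # Validate the Kratos session cookie by calling whoami; the full session
    # body becomes .Extra for the mutator below, the identity id the subject.
    - handler: cookie_session
      config:
        check_session_url: "http://kratos:4433/sessions/whoami"  # placeholder
        preserve_path: true
        extra_from: "@this"
        subject_from: "identity.id"
  authorizer:
    # Authorization stays in the service (role check on the forwarded claims),
    # as described in the post; the gateway only verifies the session exists.
    handler: allow
  mutators:
    # Replace the cookie with a short-lived JWT signed by Oathkeeper so the
    # upstream trusts claims taken from the identity, not from the request.
    - handler: id_token
      config:
        issuer_url: "https://gateway.example.com"           # placeholder
        jwks_url: "file:///etc/oathkeeper/jwks.json"        # placeholder key set
        ttl: "1m"
        claims: |
          {
            "tenant": "{{ print .Extra.identity.metadata_public.tenant }}",
            "userId": "{{ print .Extra.identity.metadata_public.userId }}",
            "role": "{{ print .Extra.identity.metadata_public.role }}"
          }
  errors:
    - handler: json
```

The whoami response carries `metadata_public` but not `metadata_admin`, so only public metadata is available to the mutator template here; the upstream should verify the JWT signature against the same JWKS and read the role from the token rather than from any client-supplied header.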