Ory Kratos supports multi-domain authentication scenarios, but with important limitations and distinctions between self-hosted and Ory Network (cloud) deployments:

- Self-hosted Ory Kratos: Multi-domain authentication (i.e., sharing sessions/cookies across different top-level domains) is not natively supported in self-hosted Ory Kratos. While you can configure cookies to work across subdomains (e.g., app1.example.com and app2.example.com), true multi-domain (e.g., example.com and another.com) session sharing is only available in Ory Network or Ory Kratos Enterprise via the Multibrand feature. Attempting to set up session cookies across separate top-level domains in self-hosted Kratos is not supported and may lead to issues with session continuity and authentication flows. You can, however, adjust cookie domains for subdomain scenarios in your configuration file, but this does not extend to multiple top-level domains ([Advanced base URL, CSRF and session cookie settings](https://www.ory.sh/docs/kratos/guides/multi-domain-cookies)).
- Ory Network (Cloud): Ory Network offers advanced multi-domain support through features like Multibrand, allowing you to add multiple custom domains to a single project. Each domain can have its own UI base URL, and users can use the same account across these domains. However, due to browser cookie isolation, users will need to authenticate separately on each domain, resulting in one session per domain. OpenID Connect can be used as an alternative, but it also results in one session per domain ([Multiple custom domains](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui#multiple-custom-domains)).
- WebAuthn Limitation: If you are using WebAuthn (passkeys, FIDO2), be aware that it is limited to a single domain and does not work across multiple domains, because the WebAuthn standard binds credentials to a specific origin ([WebAuthn and FIDO2 (YubiKey)](https://www.ory.sh/docs/kratos/mfa/webauthn-fido-yubikey)).
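As an added illustration of the subdomain case described above (this is example configuration, not taken from the Ory documentation), a self-hosted Kratos config fragment that scopes the CSRF and session cookies to a shared parent domain; the hostnames example.com, auth.example.com and another.com are assumed placeholders:

```yaml
# Kratos is served from one subdomain of the parent domain that all
# relying applications share.
serve:
  public:
    base_url: https://auth.example.com/

# CSRF and other non-session cookies. Setting the Domain attribute to the
# parent domain makes the browser send them to app1.example.com,
# app2.example.com and auth.example.com alike.
cookies:
  domain: example.com
  path: /
  same_site: Lax

# The session cookie follows the same rule. A browser will not accept a
# Domain value that does not match the responding host (for example
# another.com when the response comes from auth.example.com), which is why
# this setting cannot be used to share a session across top-level domains.
session:
  cookie:
    name: ory_kratos_session
    domain: example.com
    path: /
    same_site: Lax
```

Leaving `domain` unset instead produces a host-only cookie bound to auth.example.com, which is the safer default when the sibling subdomains do not all need to read the session.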
Summary:

- Multi-domain authentication (across top-level domains) is only fully supported in Ory Network or Ory Kratos Enterprise via the Multibrand feature.
- Self-hosted Kratos supports subdomain scenarios but not true multi-domain authentication.
- Each domain will have its own session due to browser security restrictions.

If you need advanced multi-domain support, Ory Network is the recommended solution.