lively-scientist-17848
06/17/2025, 9:58 AM brief-egg-61061
06/17/2025, 9:58 AM brief-egg-61061
06/17/2025, 9:58 AM
`anonymous` authenticator, which allows requests without credentials and sets a subject (e.g., "guest" or "anonymous"). This is typically used for endpoints that do not require authentication, but it does not create a persistent identity in Kratos—it's just a temporary subject for the request. No user is created in Kratos, and no session is established for the anonymous user in this mode. This is not the same as Firebase's anonymous auth, which creates a persistent user record and allows later linking to a registered account [Oathkeeper anonymous authenticator](https://www.ory.sh/docs/oathkeeper/pipeline/authn#anonymous).
- Creating an Anonymous Identity in Kratos: Kratos allows you to create identities programmatically via its Admin API. You could create an identity with a trait like `"anonymous": true` and generate a random secret (e.g., a password or token) that is stored in the browser. This secret could be used for authentication in subsequent requests. However, there is no documented, built-in flow for "anonymous registration" that does not require user interaction. You would need to implement this logic in your backend or frontend, using the Kratos Admin API to create the identity and issue a session.
- Flagging Anonymous Users: You can add a trait to the identity schema (e.g., `"anonymous": true`) to distinguish anonymous users and restrict their permissions accordingly [Identity schema customization](https://www.ory.sh/docs/kratos/manage-identities/overview).
- Linking Anonymous and Registered Accounts: Ory Kratos supports account linking, especially for social sign-in and email/password accounts. When a user registers "for real," you could use the account linking flow to merge the anonymous identity with the new registered identity, preserving the user ID and associated data. This is documented for social sign-in and password accounts, but not specifically for anonymous identities created as described above. You would need to handle the merging logic, possibly by updating the identity's traits and credentials [Account linking on login and registration](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-on-login-and-registration).

### Limitations and Uncertainties

- There is no explicit documentation or example for a Firebase-style anonymous auth flow (i.e., creating a persistent, upgradable anonymous user with a browser-stored secret) in Ory Kratos or Ory Network.
- The anonymous authenticator in Oathkeeper does not create a persistent identity in Kratos.
- You would need to implement the logic for creating, authenticating, and upgrading anonymous users yourself, using the Kratos Admin API and custom identity schemas.
- The account linking flow is documented for social and password accounts, but not for custom anonymous identities.

### Summary

You can approximate anonymous users in Ory by:
- Creating an identity with a trait marking it as anonymous via the Admin API.
- Storing a secret in the browser for authentication.
- Restricting permissions based on the anonymous trait.
- Using account linking flows to merge with a registered account later.

However, this is not a built-in feature and would require custom implementation. The knowledge sources do not provide a complete, ready-made solution for this use case.

For more details, see:
- [Oathkeeper anonymous authenticator](https://www.ory.sh/docs/oathkeeper/pipeline/authn#anonymous)
- [Account linking in Kratos](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-on-login-and-registration)
- [Identity schema customization](https://www.ory.sh/docs/kratos/manage-identities/overview)

If you need this pattern, you will need to design and implement the flow yourself using the building blocks Ory provides.