# ory-copilot
@chilly-king-10285 When self-hosting ory kratos, how do I set up authorization for the admin API?
A message from kapa.ai
When self-hosting Ory Kratos, it is critical to secure the Admin API, as by default Ory open-source servers do not include integrated access control: any request to the Admin API will be executed if it reaches the endpoint. To set up authorization for the Admin API, you should:

1. Never expose the Admin API to the public internet. Always keep the Admin API accessible only within your internal network or intranet. This is the most important security measure. You can achieve this by configuring Ory Kratos to listen only on the loopback interface (`127.0.0.1`) for the admin endpoint:

```yaml
serve:
  admin:
    # URL Kratos uses when it refers to its own admin endpoint (default admin port is 4434)
    base_url: http://kratos:4434/
    # Bind the admin listener to loopback only, so other hosts cannot reach it directly
    host: 127.0.0.1
```

   This ensures that only local processes or those on a secure internal network can access the Admin API, preventing external access entirely. [Go to production](https://www.ory.sh/docs/kratos/guides/production), [Run Ory Kratos using systemd](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#run-ory-kratos-using-systemd)

2. Use an API Gateway or Reverse Proxy for Access Control. Since Ory Kratos does not provide built-in access control, you should place an API gateway such as [Ory Oathkeeper](https://github.com/ory/oathkeeper) in front of the Admin API. Oathkeeper can enforce authentication and authorization policies, such as requiring API keys, JWTs, or other credentials before forwarding requests to the Admin API. [API access control](https://www.ory.sh/docs/self-hosted/operations/api-access-control), [Installation](https://www.ory.sh/docs/kratos/install)

3. Restrict Network Access. Use firewall rules or network policies to ensure that only trusted hosts or services can reach the Admin API port.

Summary:
- Do not expose the Admin API to the public internet.
- Bind the Admin API to `127.0.0.1` or a secure internal interface.
- Use Ory Oathkeeper or a similar API gateway to enforce access control.
- Apply network-level restrictions as an additional layer of security.

Ory Network (the managed service) uses API Keys for Admin API authorization, but for self-hosted Ory Kratos you must implement these protections yourself, as described above. There is no built-in API key or token-based authorization in the open-source version. [API access control](https://www.ory.sh/docs/self-hosted/operations/api-access-control), [Go to production](https://www.ory.sh/docs/kratos/guides/production)