Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello Everyone, I am new to Kratos and I want to know what are the best practices to define an identity schema.

Should I store profile information in schema or should I store it in application backend?

Hello <@U0377QPVAUU>
This depends on your security requirements, but in general it is a best practice to not store more information in the identity schema than is needed.

So ideally all business-related information you can store in application backend and everything that is needed for auth you should store in the identity schema.

there are no hard &amp; fast rules to this, there might be expections where it makes a lot of sense to store more information in the identity schema.

be aware that (currently) users can view and modify identity traits - there is an issue open to provide more control here:
<https://github.com/ory/kratos/issues/47>