Hello, I am using Kratos for OpenID connect login ...
# talk-kratos
e
Hello, I am using Kratos for OpenID Connect login for human users of my application and it works really well! Now I need to enable API authentication for machine users and I wonder if I can do this with Kratos somehow or if I need to integrate another Ory offering such as Hydra? What is the best way forward for this use case?
b
There is no support for machine users in Kratos ATM.
s
@brainy-plumber-70688 really? I thought the docs indicated otherwise: https://www.ory.sh/kratos/docs/self-service/flows/user-registration#api-clients
(I haven’t tried it myself, but it seems one could create machine users using a server-generated email/password combination)
b
API clients are not machine accounts. An API client is a native app, mobile app, etc.
I.e. not a browser.
s
(Sorry, my knowledge of Kratos may be lacking) but is there a reason the API Client flows would not work in a server-to-server scenario?
b
@sparse-angle-36437 you would need your server to perform a login flow with username and password. I think it's a bit weird.
s
Correct me if I’m wrong, but the `identifier` for the `password` Credentials can be an email, or anything else (e.g. server ID, robot ID, smartphone IMEI) and the `password` could be a machine-generated value. I’m not certain if Kratos was designed to be used in that way?
b
You are correct. However, generally you give a machine an API key or something. I'm not saying you can't have a user that is actually a machine, I'm saying there is no support for machine accounts specifically.
I.e. with Google Cloud you get a key that you can exchange for an access token when you create a service account.
s
Right, so if I understood you correctly, you are saying that the concept of “Service Account” does not exist in Kratos. However, machine authentication is technically possible with Kratos, using the API flows. Is that correct?
b
Yes