Hi! I have a question regarding user deletion: I understand that self-service user deletion is on the roadmap - but i would like to ask for suggestions on how to handle it until then (as this is a GDPR requirement). We also have to delete some user data in another database, so we could trigger the deletion request via the Kratos API from this backend side. However, we would rather not expose the admin credentials to this backend if there is better solution. What are your suggestions, esp. in regards to your plans on how the self-service variant will be implemented in the future? E.g. do you think it would be a feasible solution to detect deletion requests when passing OathKeeper and direct them through a separate service to perform the actual deletion using Kratos (and then passing it on to our backend service if successful)?

Hi Stephanie! We generally recommend going through the admin API, as in most cases businesses need to do extra checks and delete more data, so having your own delete endpoint gives you maximum flexibility. As for admin credentials - we will introduce more flexible API keys with limited permissions in the coming months, so from our perspective you can go with the Admin API approach and later reduce access for the calling service. A client-side delete - once we build it, there's no definite estimate for that right now - would come with a webhook to react on the event and perform additional steps. However, we also appreciate that some clients would rather do a soft-delete (wiping PII, removing credentials, locking the account) with subsequent hard delete after some time, so we have yet to decide what a good out-of-the-box solution looks like. Your solution with oathkeeper to send DELETE requests to a separate service that orchestrates the Ory deletion with other actions in your system does sound like a good approach to me!

Thank you very much for your quick response! I understand the challenges with the client-side delete. Alright, then we will proceed with that approach using a separate service and will look forward to API keys with limited permissions! 🙂