Hi we currently plan the integration of Keto in our main project. An idea popup this morning during our daily. We have a Permission Management API to manage Keto rules. Currently we use the User Identifier in the keto tuple (like User:email@org.foo) it's far from perfect and we plan to switch to the user UUID to make the data more anonymous. But what if we create the Keto tuple when a session is initialized (hooks in Kratos) and use the session id as an identifier ? We can then cleanup the keto tuple when a session expires. Did you think it's on "ok pattern" ? From our perspective it allow us to manage the tuple generation inside our Permission Management API, and migrate them (but only for active session, not for all users) when we deploy new version. In this case the Keto DB contains no personal information, only temporal session id.

why not use the kratos identity id? you can automate stuff there using the post-registration hook

Yes the kratos identity id is OK, and available in login hook so it's perfect in our case