Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hey all, we're thinking of switching to Ory Kratos (and possibly the Ory Cloud offerings). Our site currently just uses GH auth exclusively. We have an open API anyone can access. How are Ory tokens structured. Are they a JWT by default?

Kratos uses cookies/sessions, however I believe if you have it infront of Oathkeeper, you can use <https://www.ory.sh/docs/oathkeeper/pipeline/authn#jwt|Authenticators> and <https://www.ory.sh/docs/oathkeeper/pipeline/mutator#id_token|Mutators> config options to produce &amp; sign a JWT.

I'm not sure how the cloud offering works, but I imagine it might be similar.