command module
Version: v0.15.2 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: May 4, 2019 License: Apache-2.0 Imports: 1 Imported by: 0


Chat | Forums | Newsletter

Guide | API Docs | Code Docs

Support this project!

ORY Oathkeeper is an Identity & Access Proxy (IAP) that authorizes HTTP requests based on sets of rules. The BeyondCorp Model is designed by Google and secures applications in Zero-Trust networks. An Identity & Access Proxy is typically deployed in front of (think API Gateway) web-facing applications and is capable of authenticating and optionally authorizing access requests.

While the full feature set of the BeyondCorp Whitepaper is not yet implemented, the goal of this project is to achieve this in the future.

ORY Oathkeeper is a reverse proxy which evaluates incoming HTTP requests based on a set of rules that are defined by administrative users. ORY Oathkeeper is thus capable of:

  • Identifying the user and providing the user session to API backends (authentication).
  • Restricting access to certain resources based on a set of rules (authorization).
  • Transforms access credentials (e.g. OAuth2 Access Tokens, SAML Assertions, ...) to a format (e.g. JSON Web Token, Plaintext, Basic Authorization, ...) consumable by your API services.

This service is stable, but under active development and may introduce breaking changes in future releases. Any breaking change will have extensive documentation and upgrade instructions.

CircleCI Coverage Status Go Report Card


Head over to the ORY Developer Documentation to learn how to install ORY Oathkeeper on Linux, macOS, Windows, and Docker and how to build ORY Oathkeeper from source.

Download binaries

The client and server binaries are downloadable at releases. There is currently no installer available. You have to add the ORY Oathkeeper binary to the PATH environment variable yourself or put the binary in a location that is already in your path (/usr/bin, ...). If you do not understand what that all of this means, ask in our chat channel. We are happy to help.

Using Docker

Starting the host is easiest with docker. The host process handles HTTP requests and is backed by a database. Read how to install docker on Linux, OSX or Windows. ORY Oathkeeper is available on Docker Hub.

You can use ORY Oathkeeper without a database, but be aware that restarting, scaling or stopping the container will lose all data:

$ docker run -e "DATABASE_URL=memory" -d --name my-oathkeeper -p 4455:4455 -p 4456:4456 oryd/oathkeeper serve api

Building from source

If you wish to compile ORY Oathkeeper yourself, you need to install and set up Go 1.11+.

The following commands will check out the latest release tag of ORY Oathkeeper and compile it and set up flags so that oathkeeper version works as expected. Please note that this will only work with a linux shell like bash or sh.

go get -d -u github.com/ory/oathkeeper
cd $(go env GOPATH)/src/github.com/ory/oathkeeper
OATHKEEPER_LATEST=$(git describe --abbrev=0 --tags)
GO111MODULE=on go install \
    -ldflags "-X github.com/ory/oathkeeper/cmd.Version=$OATHKEEPER_LATEST -X github.com/ory/oathkeeper/cmd.BuildTime=`TZ=UTC date -u '+%Y-%m-%dT%H:%M:%SZ'` -X github.com/ory/oathkeeper/cmd.GitHash=`git rev-parse HEAD`" \
git checkout master
$GOPATH/bin/oathkeeper help


ORY Security Console

ORY Security Console: Administrative User Interface

The ORY Security Console is a visual admin interface for managing ORY Hydra, ORY Oathkeeper, and ORY Keto.

ORY Hydra: OAuth2 & OpenID Connect Server

ORY Hydra ORY Hydra is a hardened OAuth2 and OpenID Connect server optimized for low-latency, high throughput, and low resource consumption. ORY Hydra is not an identity provider (user sign up, user log in, password reset flow), but connects to your existing identity provider through a consent app.

ORY Keto: Access Control Policies as a Server

ORY Keto is a policy decision point. It uses a set of access control policies, similar to AWS IAM Policies, in order to determine whether a subject (user, application, service, car, ...) is authorized to perform a certain action on a resource.


The ory/examples repository contains numerous examples of setting up this project individually and together with other services from the ORY Ecosystem.


Disclosing vulnerabilities

If you think you found a security vulnerability, please refrain from posting it publicly on the forums, the chat, or GitHub and send us an email to hi@ory.am instead.


Our services collect summarized, anonymized data which can optionally be turned off. Click here to learn more.



The Guide is available here.

HTTP API documentation

The HTTP API is documented here.

Upgrading and Changelog

New releases might introduce breaking changes. To help you identify and incorporate those changes, we document these changes in UPGRADE.md and CHANGELOG.md.

Command line documentation

Run oathkeeper -h or oathkeeper help.


Developing with ORY Oathkeeper is as easy as:

go get -d -u github.com/ory/oathkeeper
cd $GOPATH/src/github.com/ory/oathkeeper
dep ensure
go test ./...

Then run it with in-memory database:

DATABASE_URL=memory go run main.go serve all


Thank you to all our backers! 🙏 [Become a backer]

We would also like to thank (past & current) supporters (in alphabetical order) on Patreon: Alexander Alimovs, Billy, Chancy Kennedy, Drozzy, Edwin Trejos, Howard Edidin, Ken Adler Oz Haven, Stefan Hans, TheCrealm


Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]

A special thanks goes out to Wayne Robinson for supporting this ecosystem with $200 every month since Oktober 2016 on Patreon.



Package main ORY Oathkeeper

ORY Oathkeeper is a reverse proxy that checks the HTTP Authorization for validity against a set of rules. This service uses Hydra to validate access tokens and policies.

Schemes: http, https
BasePath: /
Version: Latest
Contact: ORY <hi@ory.am> https://www.ory.am

- application/json

- application/json

x-request-id: string
x-forwarded-proto: string



Path Synopsis
Package rule implements management capabilities for rules A rule is used to decide what to do with requests that are hitting the ORY Oathkeeper proxy server.
Package rule implements management capabilities for rules A rule is used to decide what to do with requests that are hitting the ORY Oathkeeper proxy server.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
t or T : Toggle theme light dark auto
y or Y : Canonical URL