When to use OAuth2: Scaling auth for the enterprise
As your ecosystem of apps and services expands, simple authentication fails to scale, creating significant security risks and development challenges. Learn why enterprises must adopt the OAuth2 standard and how combining a robust identity system like Ory Kratos with an authorization server like Ory Hydra builds the secure, future-proof architecture needed for growth.

For many organizations, managing user authentication and authorization starts simply enough.
A single website, a couple of applications – a direct identity solution might initially suffice. But what happens when your customer base grows, your product portfolio expands, and your internal systems multiply? This is where the capability and necessity of a standards-based approach like OAuth2 applies, especially when combined with a robust identity management system such as Ory Kratos.
While Ory Kratos provides powerful, native authentication flows, its strength lies in managing the core user identity lifecycle. For large, complex organizations like financial institutions with numerous products, mobile clients, or intricate internal systems, the optimal architectural outcome frequently involves a standards-based setup using Ory Kratos and Ory Hydra for OAuth2. This combination leverages Kratos for its robust user management capabilities while incorporating Hydra’s industry-standard authorization power of OAuth2.
Why large organizations benefit from OAuth2
If your organization fits the description of a large enterprise or a financial institution, here’s why integrating OAuth2 into your authentication architecture is not just advantageous, but often foundational for long-term operational success:
- Extensive SDK support across languages and platforms: OAuth2 is a universally recognized standard. This means a substantial collection of SDKs and libraries are available across virtually every programming language (e.g., Python, Java, Node.js, Go) and platform (web, mobile, desktop). This significantly reduces development time and effort when integrating new applications or services, as developers can leverage existing, validated tools rather than building custom authentication logic. This interoperability is a core component of scalable enterprise architecture.
- Streamlined integration with internal tools and new systems: In a large organization, the need to connect various internal tools, third-party services, and newly developed systems is constant. OAuth2's standardized approach simplifies this considerably. Instead of developing bespoke integration logic for each system, you can rely on established OAuth2 flows:
- Authorization code grant with PKCE: This is the recommended flow for public clients (single-page applications (SPAs) and native/mobile apps) and increasingly for confidential clients (web applications) due to the strong security benefits it provides. The "Proof Key for Code Exchange" (PKCE) extension mitigates interception attacks for public clients that cannot securely store a client secret. The flow involves a secure redirection to the authorization server (Ory Hydra), user authentication (handled by Ory Kratos), user consent, issuance of an authorization code, and then the client exchanging this code for an
access_token
and potentially arefresh_token
andid_token
(if OpenID Connect is also used). - Client credentials grant: This flow is suitable for machine-to-machine (M2M) communication, where an application needs to access an API on its own behalf, without direct user involvement. This is common for backend services, microservices, or automated processes.
- Delegated authorization through scopes: OAuth2 leverages scopes to define the specific permissions granted to an application. For example, an application might only receive a read:email scope, restricting its access to reading emails only, not sending them. This granular control is vital for maintaining the principle of least privilege in complex environments.
- Authorization code grant with PKCE: This is the recommended flow for public clients (single-page applications (SPAs) and native/mobile apps) and increasingly for confidential clients (web applications) due to the strong security benefits it provides. The "Proof Key for Code Exchange" (PKCE) extension mitigates interception attacks for public clients that cannot securely store a client secret. The flow involves a secure redirection to the authorization server (Ory Hydra), user authentication (handled by Ory Kratos), user consent, issuance of an authorization code, and then the client exchanging this code for an
- Architectural flexibility for system evolution: Business requirements evolve. Older systems are phased out, and new products are launched. OAuth2 provides the architectural flexibility to handle these transitions efficiently. You can integrate new offerings without disrupting existing authentication mechanisms and deprecate older systems without causing a cascading effect of broken integrations. This agility, facilitated by a decoupled authentication layer, supports sustained growth. By issuing time-limited
access_token
s and managingrefresh_token
s, the system can dynamically adjust access and revoke tokens as needed. - Improved onboarding and compatibility in M&A scenarios: Mergers and acquisitions are complex, and integrating disparate IT infrastructures can present a significant challenge. Organizations utilizing OAuth2-based authentication can streamline the identity integration process during M&A. The standardized nature of OAuth2 makes it notably easier to achieve compatibility and onboard new entities, reducing both integration complexity and associated costs. This is further enhanced when combined with OpenID Connect (OIDC), an authentication layer built on top of OAuth2, which provides standardized ID Tokens (JSON Web Tokens - JWTs) containing verifiable identity claims about the authenticated user. This supports seamless Single Sign-On (SSO) across disparate systems.
Using Kratos-only for complex landscapes
Ory Kratos is an API-first identity and user management system that handles user registration, login, profile management, password resets, multi-factor authentication (MFA), and session management. Its native flows are effective for these core identity lifecycle functions.
However, Kratos' native flows are primarily designed for direct interaction between an application and the Kratos instance for user identity management. While efficient for authentication, they are non-standard in how they handle authorization for accessing diverse resources across an ecosystem of applications. This implies that if you have numerous services (e.g., microservices, internal APIs, mobile apps, partner portals), each would need to implement custom logic to validate a Kratos session or token and then determine what the user is authorized to do.
This "custom auth logic for each system" approach presents a significant scaling challenge for large enterprises. Consider:
- Increased development overhead: Every new application or service requires bespoke code to interpret Kratos sessions and apply authorization rules.
- Inconsistent security postures: Different teams might implement authorization logic in varying ways, leading to inconsistencies and potential security vulnerabilities.
- Maintenance complexity: Updating or changing authorization policies becomes a distributed, manual, and error-prone process.
- Lack of centralized authorization policy enforcement: Without a central authorization server, enforcing granular access control policies across all applications becomes difficult.
This approach works for SMEs, but it does not scale efficiently in complex IT (versus R&D) environments, where dozens or hundreds of applications need to interact securely.
The technical synergy: Kratos + OAuth2 (Ory Hydra)
This is where the combination of Ory Kratos and Ory Hydra (an OAuth2 and OpenID Connect provider) offers a robust solution:
- Ory Kratos: The Identity Provider (IdP): Kratos functions as your cloud-native identity management system. It handles all user-facing identity flows:
- User registration (e.g., email/password, social logins, passkeys)
- User login (including MFA, re-authentication)
- Account recovery (password reset, email verification)
- Profile management
- Session management
- Ory Kratos authenticates the user and manages their identity lifecycle
- Ory Hydra: The OAuth2 authorization server: Hydra acts as the authorization server, issuing
access_token
s andrefresh_token
s after Kratos has authenticated a user and the user has granted consent.- Standardized token issuance: Hydra issues standardized OAuth2 tokens (often JWTs for
id_token
s, and opaque tokens foraccess_token
s andrefresh_token
s for enhanced security). These tokens carry authorization information (scopes) that can be easily validated by any resource server. - Consent management: Hydra facilitates the user consent flow, where users explicitly grant permissions (scopes) to client applications. This is a critical security and privacy feature for complex ecosystems.
- Token introspection & revocation: Hydra provides endpoints for
token introspection
(checking the active status and details of a token) andtoken revocation
(invalidating tokens prematurely), which are essential for secure operations. - OpenID Connect (OIDC) support: As an OIDC provider, Hydra issues
id_token
s, allowing client applications to verify the user's identity based on the claims within the JWT. This separates authentication (who the user is, handled by Kratos + OIDC) from authorization (what the user can do, handled by OAuth2).
- Standardized token issuance: Hydra issues standardized OAuth2 tokens (often JWTs for
The combined flow:
- A client application initiates an OAuth2 Authorization Code flow by redirecting the user to Ory Hydra.
- Hydra, acting as the authorization server, then redirects the user to Ory Kratos for authentication.
- Kratos handles the user's login, potentially involving MFA or other configured flows.
- Upon successful authentication, Kratos informs Hydra.
- Hydra presents a consent screen to the user (often a custom UI integrated with Hydra) to approve the requested scopes.
- If the user consents, Hydra issues an authorization code back to the client application.
- The client application exchanges this code with Hydra's token endpoint for an
access_token
(for accessing protected resources), arefresh_token
(for obtaining new access tokens without re-authentication), and anid_token
(for user identity verification). - The client application can then present the
access_token
to any of your resource servers (APIs, microservices). These resource servers can validate the token (e.g., by calling Hydra's introspection endpoint or by verifying the JWT signature if it's a JWT) and enforce authorization based on the scopes contained within.
A real-world use case: Banking & financial services example
The experience of a current Ory banking customer provides a clear illustration. When initially setting up their retail banking platform, a Kratos-only approach was considered. However, the expansive scope and complexity of their platform – encompassing numerous services, internal tools, and customer-facing applications – quickly indicated that OAuth2, powered by Ory Hydra, represented the more effective architectural choice. Their requirement for multiple client types (web, mobile), extensive third-party integrations, and machine-to-machine communication necessitated a standardized, token-based authorization framework that Kratos' native flows alone could not provide with adequate efficiency. While the integration of OAuth2 might have commenced later than optimal in this specific instance, it underscores the critical importance of making this architectural decision early in the development lifecycle for new customers.
Steering towards optimized outcomes: Kratos + OAuth2 from the outset
Moving forward, our recommendation is clear: for large customers with intricate and evolving IT landscapes, the conversation should prioritize a combined Ory Kratos + OAuth2 architecture from the initial stages. This proactive approach, leveraging Kratos for robust identity management and Hydra for scalable, standards-based authorization, yields demonstrably better long-term outcomes, substantially lowers integration risk, and provides the scalability and flexibility essential for navigating the complexities of modern enterprise environments.
By integrating OAuth2 with Ory Kratos, organizations can establish a resilient, future-proof authentication and authorization framework that supports expansion, simplifies operations, and ensures a consistent experience for both users and developers.
Ready to architect a scalable identity solution for your enterprise? Don't let proprietary authentication flows limit your growth. Explore how Ory Kratos and Ory Hydra can empower your organization with a robust, standards-based identity and authorization framework. Contact us today to discuss your specific architectural needs or Learn more from our documentation on Ory Kratos and Ory Hydra.
Further reading

The future of Identity: How Ory and Cockroach Labs are building infrastructure for agentic AI

Ory and Cockroach Labs announce partnership to deliver the distributed identity and access management infrastructure required for modern identity needs and securing AI agents at global scale.

Ory + MCP: How to secure your MCP servers with OAuth2.1

Learn how to implement secure MCP servers with Ory and OAuth 2.1 in this step-by-step guide. Protect your AI agents against unauthorized access while enabling standardized interactions.