If you're looking for a secure and reliable way to manage user authentication, permissions, and more, you may have heard of Ory. Did you know that there are two ways to use Ory?
In this article, we'll explore the differences between Ory Network and self-hosting Ory Open Source, and help you decide which option is right for you.
Ory Network and Ory self-hosted
Before we dive into the differences, let's take a quick look at what the Ory Network and self-hosting Ory open source means.
Ory Network is a global infrastructure that uses Ory Open Source to deliver various services and APIs such as login, permissions, OAuth2, and more. Ory Network spans several global regions to deliver a fast service anywhere in the world. Use Ory Network to take advantage of the power of open source and all the features and benefits built on top by the Ory team, as well as continuous updates, support, and security.
Self-hosting Ory means to use the foundational building blocks of the Ory Network, the (Ory Kratos Identity Server, the Ory Hydra OAuth2 Server, and the Ory Keto Permission Server) and build authentication and authorization systems yourself. Self-hosting Ory Open Source is a great way to explore and experiment with security software, learn more about open source software development, and participate in the building the new login.
Feature differences
When deciding between the Ory Network and self-hosting, it's essential to know what features are available in each option. The following table summarizes the feature differences:
| Feature | Ory Network | Self-Hosting |
|---|---|---|
| Security & compliance | ||
| GDPR-compliant data storage | ✅ | ⚠️ |
| SOC2 T2 & ISO 27k certification | ✅ | ⚠️ |
| Automatically OpenID certified | ✅ | ❌ |
| PII region storage selection | ✅ | ⚠️ |
| Intelligent PII data homing | ✅ | ❌ |
| Brute force & DoS protection | ✅ | ⚠️ |
| Suspicious IP throttling | ✅ | ⚠️ |
| Breached password detection | ✅ | ✅ |
| OAuth2 Verifiable Credentials | ✅ | ✅ |
| OAuth2 Resource Owner Password Grant | ✅ | ❌ |
| Services and APIs | ||
| Identity and user management APIs | ✅ | ✅ |
| Low latency edge authentication | ✅ | ❌ |
| Permission APIs | ✅ | ✅ |
| Passwordless login | ✅ | ✅ |
| SMS verification and MFA | ✅ | ⚠️ |
| Password login | ✅ | ✅ |
| Social sign in | ✅ | ✅ |
| Machine-to-machine auth | ✅ | ✅ |
| Multi-factor authentication | ✅ | ✅ |
| OAuth2 and OIDC APIs | ✅ | ✅ |
| Search API | ✅ | ✅ |
| Organizations & B2B SSO | ✅ | ❌ |
| One-click SAML SSO | ✅ | ⚠️ |
| User management | ||
| Custom profile fields | ✅ | ✅ |
| Account linking | ✅ | ✅ |
| (Bulk) user import | ✅ | ✅ |
| User interfaces | ||
| Administrative user interface | ✅ | ❌ |
| Configuration management interface | ✅ | ❌ |
| No-code self-service pages | ✅ | ❌ |
| Themeable self-service pages | ✅ | ❌ |
| User activity insights | ||
| Live analytics and insights | ✅ | ❌ |
| Analytics and events UI | ✅ | ❌ |
| Integration and SDKs | ||
| Ory CLI tools | ✅ | ❌ |
| Backwards compatibility guarantee | ✅ | ❌ |
| SDKs for popular programming languages | ✅ | ✅ |
| Operations and deployment | ||
| Multi-regional deployments | ✅ | ❌ |
| Zero-downtime upgrades and migrations | ✅ | ❌ |
| Configuration management via API | ✅ | ❌ |
| Configuration management via files | ✅ | ✅ |
| Log access | 🔭 | ✅ |
| Organization and multi-tenancy | ||
| Multitenancy (prod, staging, dev) | ✅ | ⚠️ |
| Team management | ✅ | ❌ |
| Organization management | ✅ | ❌ |
| Customer-facing multi-tenancy | ✅ | ❌ |
| Support & Maintenance | ||
| Community support | ✅ | ✅ |
| Automatic updates to the latest version | ✅ | ⚠️ |
| Zero-downtime migrations | ✅ | ⚠️ |
| 24/7 on-call incident support | ✅ | ⚠️ |
| Private ticketing system | ✅ | ❌ |
| Concierge migration support | ✅ | ❌ |
Legend:
- ⚠️: your responsibility
- ✅: solved
- ❌: not available
- 🔭: planned
When it comes to choosing between Ory Network and self-hosting Ory, there are several key differences to consider. Ory Network offers a range of features that are not available in the open source stack, including compliance and certifications, user-friendly interfaces, and advanced analytics and insights systems. These features are specifically designed for the Ory Network infrastructure, making it a comprehensive and convenient solution for businesses looking to implement a fully featured IAM (Identity and Access Management) and auth system.
On the other hand, the open source stack provided by Ory offers the powerful and efficient APIs that form the backbone of Ory Network. However, running an auth system in production requires more than just APIs - it also requires a deep understanding of security requirements and solid infrastructure to ensure a professional and scalable solution. This is where Ory Network shines, providing businesses with a complete IAM and auth stack that is based on open source technology, yet offers the added benefits of compliance, user interfaces, and advanced analytics. By choosing Ory Network, companies can enjoy the best of both worlds - the flexibility, openness, and customizability of open source technology, combined with the convenience and professional features of a fully managed solution.
Support
Ory only offers support services for self-hosted instances of its software in rare cases.
Here's why:
- Incident response: When self-hosting, Ory's incident response team has no access to the companies infrastructure. The time it takes to resolve incidents thus increases significantly if Ory Engineers need to be involved. What could be solved in minutes on Ory Network, has to go through several communication channels, back and forth when Ory is self-hosted on the companies infrastructure.
- Release process: Ory Network releases new features and updates on a daily basis, while open source releases are quarterly. This allows Ory to maintain the highest standards of security, reliability, and performance. With self-hosting, companies have to manage upgrades, which can be time-consuming and can lead to running in production on outdated versions, which can lead to performance issues and potentially even security vulnerabilities.
- Upgrade fatigue: Based on open source telemetry data, less than 10% of all Ory open source deployments run on a recent and supported version, while 90% of deployments run on outdated versions that may have known vulnerabilities such as patched Golang CVEs. This puts businesses and their customers at risk of security breaches and performance issues. Ory Network eliminates upgrade fatigue by providing automatic upgrades and ensuring that all deployments are running on the latest and most secure version of Ory open source.
- Expertise: Ory engineers are experts when it comes to running Ory software. They have the experience and knowledge to manage and troubleshoot issues quickly and efficiently. With self-hosting, companies have to train staff and build up expertise in-house or hire additional third parties to manage the software.
Save time using Ory Network
When you use Ory Network, you save a significant amount of time that would otherwise be spent on setting up infrastructure, maintaining it, and upgrading the software yourself. The following estimates are based on what we have observed since Ory was founded in 2015. Note that an exact time estimate heavily depends on the details of your use case.
Get more done
Self-hosting takes longer than using Ory Network for several reasons:
- Initial setup: Setting up infrastructure and configuring it for production use can be time-consuming, especially if you're not familiar with the tools and technologies involved.
- Maintenance and monitoring: Once the solution is up and running, monitor it 24/7 to ensure that it is performing as expected and to deal with any issues that may arise. This can be a significant ongoing time commitment. On Ory Network you can rest assured knowing that our team of experienced engineers is handling maintenance and monitoring for you, freeing up your time to focus on other important tasks.
- Upgrades: Upgrades can be time-consuming, especially if there are breaking changes that require you to update your configuration and code. This is particularly true if you are running on an older version of the software and need to catch up with several releases at once. On Ory Network automatic updates have you running on the latest versions always.
- UI and API development: If you need to develop user interfaces or integrate with the software's APIs, this can add significant development time to your project.
- Migration: Migrating a live auth system can be a complex process. On Ory Network you can instead rely on an experienced team of engineers that get you up and running in concierge onboarding sessions.
Estimated time savings
The following table shows estimated time savings when using the Ory Network compared to setting up and maintaining the software yourself:
| Self-hosting | Ory Network | ||||
|---|---|---|---|---|---|
| Set-Up | Continuous effort | Set up | Continuous effort | ||
| Operations | |||||
| Monitoring and alerting | 1-14 days | 365 days / year | Available | None | |
| Disaster recovery | 1-8 hours | 1 week / year | Out of the box | None | |
| Configuration management and continuous deployment | 1-5 days | Not applicable | Out of the box in Ory Console | Not applicable | |
| Software upgrades | 0h | 2-4 weeks / year | Not needed | None | |
| Management | |||||
| User-facing UIs | 1-4 weeks | 2 weeks / year | Out of the box | None | |
| Administrative UIs | 2-4 weeks | 2 weeks / year | Out of the box | None | |
| Admin API access control | 1-2 days | 1 day / year | Out of the box | None | |
| Integration | |||||
| New site/service | ~1-2 days | None | ~1-10 hours | None | |
| Migration site/service to Ory | ~2-4 weeks | None | ~1-2 weeks | None | |
Cost Savings when Using the Ory Network
Choosing Ory Network over self-hosting can also result in significant cost savings. When you self-host, you're responsible for infrastructure costs such as EC2 instances and Postgres AuroraDB, as well as ongoing expenses like continuous monitoring, alerting, and traffic costs. With Ory Network, these costs are already included in our subscription plans. This means that you can focus on building your product without worrying about the hidden costs of infrastructure and maintenance.
While these numbers are rough estimates and heavily dependent on the use case and cost optimization, choosing Ory Network can help you save both time and money compared to self-hosting.
1-1,000 Daily Active Users/Machines
For a site with less than 1,000 active users/machines (regardless of what Ory service you use), two virtual machines for failover, each with 2 vCPUs and 4GB of RAM to run up to three Ory services, and one small sized PostgreSQL instance with 100GB would be needed.
According to the AWS price calculator, this sums up to about $2,080.76 per year.
On the other hand, with the Ory Network Production Plan, these resources are included, along with development/staging projects, continuous monitoring, alerting, traffic, and metrics for only $770 per year.
| Self-hosting | Essentials Plan | ||
|---|---|---|---|
| Compute | 2x AWS EC2 2vCPU, 4GB RAM, 50GB SSD | $918.72 / year | $0 / year |
| Database | 1x AWS RDS Postgres 2vCPU, 4GB RAM, 100GB SDD | $879.96 / year | $0 / year |
| API Gateway | AWS API Gateway | $44.52 / year | $0 / year |
| Load Balancer | AWS Load Balancer | $237.48 / year | $0 / year |
| Operations | Monitoring, logs, alerting (e.g. Datadog) | Depends on solution | $0 / year |
| Total | > $2,080.76 / year | $770 / year | |
| Cost savings | > 40% |
1,000-20,000 Daily Active Users/Machines
For a site or application with 1,000 to 20,000 daily active (machine) users, self-hosting Ory open source becomes more expensive. Self-hosting at this scale requires more virtual machines for failover and a larger database instance, resulting in higher costs. With the Ory Growth Plan, you get a cost-effective solution that is easier to set up, manage, and scale.
According to the AWS price calculator, this sums up to about $14,167.78 per year.
For businesses with 1,000-20,000 daily active users/machines, we recommend the Ory Growth Plan for $9350 per year as the cheaper and better option. This plan includes everything in the Essentials Plan, plus additional features such as enterprise-grade support, a dedicated account manager, and priority bug fixes.
| Self-hosting | Scale Plan | ||
|---|---|---|---|
| Compute | 4x AWS EC2 4vCPU, 8GB RAM, 50GB SSD | $4,695.48 / year | $0 / year |
| Database | 2x AWS RDS Postgres 4vCPU, 16GB RAM, 500GB SDD | $8,780.76 / year | $0 / year |
| Traffic | In- and egress | $445.44 / year | $0 / year |
| Operations | Monitoring, logs, alerting (e.g. Datadog) | $246.12 / year | $0 / year |
| Total | $14,167.78 / year | $9350 / year | |
| Cost savings | > 65% |
Over 100,000 Daily Active Users/Machines
When dealing with a website or application that has over 100,000 daily active users, self-hosting becomes even more complicated and expensive. Here are some reasons why:
- The cost of compute and self-hosting explodes further because you need one highly available deployment (at least 4 nodes) in every region. This means that you will need a lot more virtual machines to run your application.
- You need a multi-region capable database. A multi-region capable database such as Spanner is needed to ensure that data is consistent and available in every region.
- Multi-region setup is only available in the Ory Network due to the software and architecture complexity and reliance on third-party service providers such as Cloudflare and CockroachDB.
- We recommend reaching out to us directly. We are committed to finding a solution that fits your needs - both on the technology and the commercial side. Ory Network platform provides you with the resources and support you need to handle a large user base.
How Ory achieves these savings
Ory Network achieves cost savings through several factors, including economies of scale, efficient multi-tenancy, and optimized design. By serving a large number of customers, we're able to spread infrastructure costs across many users, resulting in lower expenses for everyone. Our custom code also allows us to run multiple tenants on shared resources more efficiently, further reducing costs.
In contrast, self-hosting can be expensive and time-consuming. When businesses self-host, they need to purchase or rent their hardware and set up infrastructure, which can be a significant upfront investment. They also need to manage the infrastructure themselves, including updates, security, and maintenance. This requires an experienced team and/or other third party services. These ongoing costs can add up quickly.
In contrast, Ory Network provides a turnkey solution that eliminates the need for businesses to manage their infrastructure. We take care of hardware, software, security, and maintenance, allowing businesses to focus on their core competencies instead of worrying about IT operations. This can result in significant cost savings, especially for smaller businesses or those without dedicated IT resources. By choosing Ory Network, businesses can save time, reduce costs, and improve their overall identity and access management solution.
Questions?
Have questions about Ory Network or need help with your identity and access management solution?