assay-engine vs Ory

assay-engine v0.2.0 ships a complete Ory replacement in one ~9 MB static binary. Same features as Kratos + Hydra + Keto stacked together, plus biscuit (Ory has nothing equivalent), plus a Temporal-replacement workflow engine in the same process.

Footprint

Stack	Containers	Compressed	RAM (idle)
assay-engine	1	~9 MB	<50 MB
Ory Kratos	1	~120 MB	~150 MB
Ory Hydra	1	~80 MB	~100 MB
Ory Keto	1	~80 MB	~100 MB
Ory Oathkeeper (optional)	1	~50 MB	~80 MB
Postgres (shared)	1	~80 MB	~200 MB
Ory total	5	~410 MB	~630 MB

Feature matrix

Capability	Ory	assay-engine
Identity (Kratos)
Password login (Argon2id)	Kratos	Yes — `auth-password`
WebAuthn / passkey	Kratos	Yes — `auth-passkey` (`webauthn-rs`)
Cookie + CSRF sessions	Kratos	Yes — `auth-session`
Federated SSO (OIDC client)	Kratos	Yes — `auth-oidc` (Google/Apple/GitHub/any OIDC)
Self-service password reset	Kratos flows	Admin password-reset endpoint; UI flows on roadmap
TOTP / SMS MFA	Kratos	Roadmap (v0.3.0)
SAML	Kratos	Not planned (open issue if you need it)
OAuth2 / OIDC OP (Hydra)
Authorization-code + PKCE	Hydra	Yes — `auth-oidc-provider`
Refresh tokens	Hydra	Yes (SHA-256 hashed at rest)
RFC 7009 token revocation	Hydra	Yes
RFC 7662 token introspection	Hydra	Yes
OIDC discovery (`/.well-known/openid-configuration`)	Hydra	Yes
JWKS rotation (`/.well-known/jwks.json`)	Hydra	Yes — active + history in `auth.jwks_keys`
Back-channel logout	Hydra	Yes (SSO session registry in `auth.oidc_sessions`)
Consent screen + per-(user, client) grants	Hydra	Yes — `auth.oidc_consents`
Client CRUD via admin API	Hydra	Yes — admin HTTP API + dashboard pane
Dynamic client registration (RFC 7591)	Hydra	Roadmap
Authorization (Keto)
Zanzibar relation tuples	Keto	Yes — `auth-zanzibar`
`check` (subject ∈ relation(object))	Keto	Yes — recursive CTE on PG18 + SQLite
`expand` (userset tree)	Keto	Yes
`lookup_resources` / `lookup_subjects`	Keto	Yes — reverse-indexed
Namespace schema with computed-userset rewrites	Keto	Yes — `auth.zanzibar_namespaces`
Caveats / temporal predicates	SpiceDB only	Roadmap
Capability tokens
Biscuit / macaroons	Nothing	Yes — `biscuit-auth` built-in (always-on)
Datalog-attenuable tokens	—	Yes
Offline verification	JWT-only	Both JWT + biscuit
Operations
Single binary deployment	5 binaries	Yes — one process
SQLite backend (no DB server needed)	No	Yes — first-class via `backend-sqlite`
PostgreSQL backend	Yes	Yes — PG18 first-class
Cross-module atomic transactions	No (each Ory app has its own DB)	Yes — `auth.users` ⇄ `workflow.workflows` in one TX
Built-in dashboard / admin SPA	Console (separate Cloud product)	Yes — bundled, free, self-hosted
Lua scripting bindings	No	Yes — `assay.auth` stdlib
Workflow engine in same binary	No	Yes — Temporal-replacement, same process
Module enable/disable at runtime	No	Yes — `engine.modules` table
Compile-time feature gates for slim builds	No	Yes — fine-grained Cargo features

What's not in v0.2.0

Honest gaps to know about before swapping out Ory:

TOTP / SMS MFA. Planned for v0.3.0. Today, MFA via passkey works (passkeys are phishing-resistant, NIST-recognised second-factor by themselves).
SAML. Not planned. If you need SAML SSO, file an issue with the use case; OIDC covers ~98% of modern apps.
Self-service registration / recovery / verification UI flows. The admin endpoints exist; the public-facing UI flows ship in v0.3.0.
Dynamic client registration (RFC 7591). Roadmap.
Caveats in Zanzibar. SpiceDB has these; we don't yet. Roadmap.
HSM / KMS for signing keys. Today JWKS + biscuit root keys are plaintext-at-rest in the DB. private_pem_encrypted column already exists for a future envelope-encryption upgrade.

When NOT to use assay-engine

You need SAML and can't switch to OIDC.
You need Ory's hosted Cloud (compliance, support contracts) — assay-engine is BYO ops.
You're already running Ory at scale and the migration cost outweighs the operational win.

Otherwise, you're trading 5 containers + ~600 MB RAM for one ~9 MB static binary that does the same job, scripts in Lua, and runs your workflows too.

← Back to Auth & IdP overview