Self-service identity portal · Ory Kratos + Ory Hydra

The pages your identity stack is missing

Name: Forseti
Author: Franz Geffke

A self-service UI and OAuth2 login / consent / logout bridge for Ory Kratos + Ory Hydra. Login, registration, recovery, MFA, consent and admin tooling — all server-rendered in Rust.

Get it on GitHub Install →

LicenseAGPL-3.0 + commercial

StackRust · Axum

RenderingServer-side

Status● Pre-release

— the bridge —

browserUser

→

pagesForseti

→

identityKratos

oauth2 / oidcHydra

→

protectedYour app

/login

/consent

Grant access

What it does

6 surfaces · server-rendered

Kratos flows

Every flow, rendered

Login, registration, recovery, verification and settings — profile, password, MFA / TOTP, social logins, active sessions. No flow left as raw JSON.

Hydra bridge

OAuth2 screens

Admin

Admin surface

Manage identities, sessions and OAuth2 clients. Append-only audit log and a status dashboard so you can see what's happening.

Multi-tenant

Organizations

Multi-tenant orgs with members, invites and branding — plus per-org OIDC claims, so one deployment serves many tenants.

Security

Production-minded

CSRF on every form, signed cookies, rate-limited Dynamic Client Registration, and an account-deletion webhook saga. The boring parts, handled.

Runtime

Rust + Axum

Server-rendered in Rust on Axum — no JS-framework overhead. Backed by PostgreSQL or SQLite, your call.

How it works

user → forseti → ory → app

User hits a page

Someone lands on /login, /registration or an OAuth2 /consent screen. Forseti serves a real, branded HTML page — not a redirect into an API.

Forseti talks to Ory

It drives the Kratos self-service flows and the Hydra login / consent / logout requests over their admin APIs, handling CSRF, cookies and state along the way.

Your app gets a session

Kratos issues the session; Hydra issues the tokens for the authorization-code flow. Your app just trusts Ory — Forseti was only ever the front door.

Install

container or binary

podman ghcr.io ↓ linux x86_64 ↓ linux aarch64

run the binary · x86_64-linux

# grab the latest release — aarch64 is on the releases page too curl -L -o forseti.tar.gz https://github.com/franzos/forseti/releases/latest/download/forseti-x86_64-unknown-linux-gnu.tar.gz tar -xzf forseti.tar.gz cd forseti-x86_64-unknown-linux-gnu # copy the example config, edit it, then run cp config.example.toml config.toml ./forseti

run with podman / docker

podman pull ghcr.io/franzos/forseti:latest podman run --rm -p 3000:3000 \ -v ./config.toml:/app/config.toml:ro \ ghcr.io/franzos/forseti:latest

The binary needs libpq5 (Debian/Ubuntu) or libpq elsewhere; the container bundles it. Point config.toml at your Kratos and Hydra admin endpoints — PostgreSQL or SQLite, both work.

Licensing

open core · commercial add-ons

Open source

AGPL-3.0 core

The core is AGPL-3.0 — clone it, run it, change it. If you ship it as a service, the AGPL terms apply. Fair and predictable.

Commercial

Paid features

Some features live under src/commercial/ and need a commercial license. No upsell wall here — if you reach for them, you'll know. Details on GitHub →

Pre-release

Forseti is in active development. The core flows work end-to-end against the Ory playground, but the APIs, config and schema are still moving. Pin a release, read the changelog, and don't be surprised by breaking changes yet.