Skip to main content
This tutorial demonstrates how to set up a CockroachDB environment that uses for Identity and Access Management (IAM). This page describes the architecture of the integration, then walks through how to perform and test it. By the end of this tutorial, you will have a working environment where Ory’s services (Hydra, Kratos, and Keto) use a CockroachDB cluster for storage.

Integration Architecture Overview

This example environment integrates , , and . In a CockroachDB/Ory integration, each of these components relies on CockroachDB to store their state in a consistent and durable way, enabling them to function correctly even in the presence of partial outages or regional network partitions. Each Ory component is deployed as a stateless service, with its only persistence requirement being a backing SQL database. CockroachDB provides the database layer that ensures the accuracy and availability of user identities, access control rules, and session tokens. This makes it easier to horizontally scale Ory services, perform rolling updates, or deploy new regions without having to orchestrate complex data migrations. The following diagram illustrates how a CockroachDB/Ory integration could be designed: Single Region MAZ As illustrated in the diagram above, a single cloud region is shown containing three Availability Zones (AZs): us-east-1a, us-east-1b, and us-east-1c. Each AZ is an isolated failure domain with its own independent power, cooling, and networking. By deploying nodes of the CockroachDB/Ory clusters across all three zones, the system ensures resilience against localized outages. If one AZ becomes unavailable due to a hardware or network issue, the remaining two zones continue to serve client requests without data loss or downtime. In the middle of the diagram (Ory VPC): Ory is deployed as a Kubernetes cluster using Amazon Elastic Kubernetes Service (EKS). A worker node is created in each zone, and these nodes are grouped together in a namespace (ns). Together they form a single logical cluster. Traffic is routed to each node via an ingress (ing) and a service (svc). Each Ory component (Hydra, Kratos, and Keto) is replicated as a pod and distributed across the EKS nodes to provide failover capabilities and remain highly available. At the bottom of the diagram (CRDB VPC): The CockroachDB nodes in each zone form a single logical cluster that replicates data across zones using the consensus protocol (typically ). This replication model ensures strong — all nodes maintain a synchronized and always-on service. Even in the event of zone-level failure, the remaining pods and nodes — for both clusters — ensure that the solution remains available and consistent. A regional load balancer distributes traffic across the healthy nodes in the cluster. This Network Load Balancer (NLB) improves performance by directing requests to the closest responsive node and provides failover capabilities by rerouting traffic away from any failed or unreachable zones. In this example environment, both Ory and CockroachDB are deployed within the us-east-1 region as follows:
  • CockroachDB is deployed on one Virtual Private Cloud (VPC) in region (us-east-1) with three subnets, distributed across distinct AZs. The CockroachDB cluster itself consists of three nodes, each deployed in a separate AZ to enable fault tolerance and quorum-based consistency. A NLB sits in front of the cluster to evenly route incoming requests to the appropriate database node.
  • Ory is deployed on a separate VPC in the same region (us-east-1), also using three subnets, each placed in a different AZ to ensure high availability. An Amazon EKS cluster was deployed with three worker nodes — one in each AZ — to distribute the workload evenly. For the purposes of this example, the EKS cluster is publicly accessible, and the service ports are exposed via a load balancer. All Ory components — Hydra, Kratos, and Keto — are configured to connect to the CockroachDB cluster through the NLB, ensuring consistent and resilient backend access.

Set up a joint CockroachDB/Ory environment

This tutorial walks you through the manual setup of a joint CockroachDB/Ory environment.

Before you begin

Before starting this tutorial, read the . To complete this tutorial, you will need: Estimated setup time: 45–60 minutes.

Step 1. Provision a CockroachDB cluster

First you need to provision the CockroachDB cluster that Ory will use for its services. Choose one of the following methods to create a new CockroachDB cluster, or use an existing cluster and skip to Step 2.
Be sure to create a secure cluster. This is necessary for the user creation step of this tutorial.

Create a secure cluster locally

If you have the CockroachDB binary installed locally, you can manually deploy a multi-node, self-hosted CockroachDB cluster on your local machine. Learn how to .

Create a CockroachDB Self-Hosted cluster on AWS

You can manually deploy a multi-node, self-hosted CockroachDB cluster on Amazon’s AWS EC2 platform, using AWS’s managed load-balancing service to distribute client traffic. Learn how to .

Create a CockroachDB Cloud cluster

CockroachDB Cloud is a fully-managed service run by Cockroach Labs, which simplifies the deployment and management of CockroachDB. Sign up for a CockroachDB Cloud account and using .

Step 2. Create Databases for Ory Services

Before integrating Ory components with CockroachDB, you will need to set up separate databases for each service. Each Ory service manages its own schema and migrations:
  • manages OAuth2 clients, consent sessions, access/refresh tokens
  • handles identity, credentials, sessions, verification tokens
  • stores relation tuples (RBAC/ABAC data) for permissions
Keeping these in separate databases simplifies maintenance and ensures isolation between identity, OAuth2, and authorization data.
  1. Go to your .
  2. Replace with the certificates directory that you established during the cluster setup, and with your CockroachDB load balancer domain name. Then run the following command:
  3. Once connected to the SQL shell, :
  4. and for each Ory database:

Step 3. Provision a Kubernetes cluster for Ory

This section describes how to deploy Ory on a self-hosted Kubernetes cluster in EKS.
  1. Complete the steps described in the EKS Getting Started documentation. This includes installing and configuring the AWS CLI and eksctl, which is the command-line tool used to create and delete Kubernetes clusters on EKS, and kubectl, which is the command-line tool used to manage Kubernetes from your workstation.
  2. From your local workstation, start the Kubernetes cluster:
To ensure that all 3 nodes can be placed into a different AZ, you may want to first confirm that at least 3 zones are available in the region for your account.
This creates EKS instances and joins them into a single Kubernetes cluster named ory. The --node-type flag tells the node pool to use the m5.xlarge instance type (4 vCPUs, 16 GB memory), which meets Ory’s recommended CPU and memory configuration. Provisioning usually takes between 10-15 minutes. Do not move on to the next step until you see a message like [✔] EKS cluster "ory" in "us-east-1" region is ready and details about your cluster.
  1. Open the AWS CloudFormation console to verify that the stacks eksctl-ory-cluster and eksctl-ory-nodegroup-standard-workers were successfully created. Be sure that your region is selected in the console. Once the Kubernetes cluster is initialized, follow these steps to deploy Ory services:
  2. Install the Helm client (version 3.0 or higher) and add the ory chart repository:
    You should get the following message, confirming the repository was added:
  3. Update your Helm chart repositories to ensure that you’re using the latest CockroachDB chart:

Step 4. Deploy Ory services on Kubernetes

Use Helm charts to deploy Ory Hydra, Kratos, and Keto on Kubernetes:
  1. Copy/Paste the following code block in a hydra_values.yaml file and replace with your CockroachDB load balancer domain name. Refer to the Hydra Helm chart template.
  2. Install the Ory Hydra Helm chart using your custom values file:
To allow the Ory Hydra pods to successfully deploy, do not set the --wait flag when using Helm commands.
  1. Confirm that cluster initialization has completed successfully, with the pods for Hydra showing 1/1 under READY and the pod for auto-migrate showing Completed under STATUS:
  2. Verify that the Hydra services were created successfully:
  3. To test this deployment, you will need to execute a few API calls over the Hydra REST API. For this, you need to export the URLs for both admin and public endpoints:
You now have a high-availability deployment for a joint CockroachDB/Ory environment within a single cloud region. This architecture is designed to protect against failures at the AZ level by distributing nodes of the database cluster across multiple AZs within the same region.

Test the CockroachDB/Ory Integration

Once both CockroachDB and Ory are provisioned, configured, and network-accessible, the next step is to validate that all components work together as intended. Below is a practical guide for testing and debugging each part of this integration.

Test Ory Hydra

To test Ory Hydra, create an OAuth2 client, generate an access token, then introspect it. These steps use the $HYDRA_ADMIN_URL and $HYDRA_PUBLIC_URL that you exported at the end of the .

1. Create the OAuth2 client

Once you have created the OAuth2 client, you can parse the JSON response to get the client_id and client_secret:

2. Generate an access token

Replace and with the values you found in the JSON response:
This will generate an access token for Ory Hydra. Copy the string beside ACCESS TOKEN.

3. Perform a token introspection to confirm the validity of this new token

Replace with the string that you just copied:
This should generate a JSON response that includes your client_id, "active": true, an expiration timestamp (exp), and other data:

4. Access Hydra data with CockroachDB SQL

In your CockroachDB SQL client, run the following query to verify the accessibilty of Ory Hydra’s OAuth2 client data using CockroachDB:
The result set contains data about the OAuth2 client. The id should match the client_id found in the JSON response above:
Then run the following query to verify the accessibilty of Ory Hydra’s token creation data using CockroachDB:
The result set contains data about the access token you generated. The client_id should match the client_id found in the JSON response above:

Test Ory Kratos

To test Ory Kratos, you need to use the Kratos API endpoints to register the API flow, to start the log in flow, and verify the session token. These steps use the $KRATOS_PUBLIC_URL that you exported at the end of the .

1. Initialize the API flow

Use the Kratos registration endpoint to get a valid Registration Flow ID:
You can then submit the registration form using the following payload:
Kratos responds with a JSON payload which includes the signed up identity:

2. Start the login flow

Having completed the registration, you can now start the Login Flow by fetching a valid Login Flow ID:
Then you can submit the login form using a request payload that includes the password that you submitted when initializing the API flow:
Kratos responds with a JSON payload which includes the identity which just authenticated, the session, and the session token:

3. Check the session token

The Ory Session Token can be checked at the Kratos /sessions/whoami endpoint Replace with the session token ID that was returned in the Login Flow JSON response:
Kratos responds with a JSON payload which includes data about the current session:

4. Log out

To log out of the session, you can revoke the session token by calling the logout API endpoint. Replace with the session token ID that was returned in the Login Flow JSON response:

5. Access Kratos data with CockroachDB SQL

In your CockroachDB SQL client, run the following query to verify the accessibilty of Ory Kratos’s identity data using CockroachDB:
The result set contains data about the identity established when you initialized the API flow. Much of this data, including id and traits, should match the data found in the Login Flow JSON response:

Test Ory Keto

To test Ory Keto, create relationships between users and objects. Then use Ory Keto commands to check who has access to what objects. These steps use the $KETO_WRITE_REMOTE that you exported at the end of the .

1. Create a relation tuple

Create a Keto relation tuple using the Keto SDK:
or by using the Keto REST API:

2. See who can access objects

You can use the Ory Keto expand-API to display who has access to an object, and why:
To assist users with managing permissions for their files, the application has to display who has access to a file and why. In this example, we assume that the application knows the following files and directories:

3. Check permissions

It’s important to test your permission model. To test the permissions manually, you can create relationships and check permissions with the SDK:

4. Access Keto data with CockroachDB SQL

In your CockroachDB SQL client, run the following query to verify the accessibilty of Ory Keto’s access control data using CockroachDB:
The result set contains permissions data. Much of this data, including object_string, relation, and subject_string, should match that provided in the relation tuple data above:

Next steps

The tests above confirm that each Ory component in this deployment is properly connected using CockroachDB as the shared data layer. If you get the expected results from these tests, then your integration is ready for use in your application. You can begin building authentication, authorization, and access control features with CockroachDB and Ory.

See also