Kratos

Identity Charmers Publisher

Platform:

Architecture:

Base version:

Channel	Revision	Published	Runs on
latest/stable	565	02 Feb 2026	Ubuntu 22.04
latest/edge	570	27 Apr 2026	Ubuntu 22.04
istio/edge	548	10 Mar 2025	Ubuntu 22.04
0.5/edge	565	24 Nov 2025	Ubuntu 22.04
0.4/edge	561	13 Aug 2025	Ubuntu 22.04
0.3/edge	419	05 Jul 2024	Ubuntu 22.04
0.2/stable	406	26 Jun 2024	Ubuntu 22.04
0.2/edge	406	02 May 2024	Ubuntu 22.04
0.1/edge	383	29 Sep 2023	Ubuntu 22.04

juju deploy kratos --channel edge

Learn to deploy on juju >

Learn about configurations >

cpu | string

K8s cpu resource limit, e.g. "1" or "500m". Default is unset (no limit). This value is used for the "limits" portion of the resource requirements (the "requests" portion is automatically deduced from it). See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
default_identity_schema_id | string

The default identity schema id, this option only works when identity_schemas is defined
dev | boolean

Run Kratos on dev mode, it is needed if HTTPS is not set up. This should only be used for development purposes.
enable_local_idp | boolean

Default: True

Enable Kratos Identity Provider
enable_oidc_webauthn_sequencing | boolean

Enforce setting up a WebAuthn key (e.g. with YubiKey or Google Password Manager on Android) after signing in with an external identity provider. Requires enable_passwordless_login_method=False. WARNING: Do not enable this option unless you are sure that this feature applies to your deployment.
enable_passwordless_login_method | boolean

Enable passwordless authentication via webauthn. Requires enable_local_idp=True.
enable_verification | boolean

Enable and enforce users to verify their accounts. Enabling this option will make users verify their accounts after registration or on the next login. This option requires an SMTP server integration.
enforce_mfa | boolean

Default: True

Enforce users to set up and use multi factor authentication. Disabling this option will allow users to log in with password or webauthn without completing 2fa.
http_proxy | string

URL of the HTTP proxy eg http://proxy.internal:6666, it will set the HTTP_PROXY var in the workload environment
https_proxy | string

URL of the HTTPS proxy eg http://proxy.internal:6666, it will set the HTTPS_PROXY var in the workload environment
identity_schemas | string

A mapping of schema_id to identity schemas. For example: { "user_v0": { "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json", "$schema": "http://json-schema.org/draft-07/schema#", "title": "Person", "type": "object", "properties": { "traits": { "type": "object", "properties": { "email": { "type": "string", "format": "email", "title": "E-Mail", "minLength": 3, "ory.sh/kratos": { "verification": { "via": "email" } } }, "name": { "type": "string" } } }, "additionalProperties": true } } }
log_level | string

Default: info

The verbosity of logs produced by Kratos. Available values are: panic, fatal, error, warn, info, debug, and trace.
memory | string

K8s memory resource limit, e.g. "1Gi". Default is unset (no limit). This value is used for the "limits" portion of the resource requirements (the "requests" portion is automatically deduced from it). See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
no_proxy | string

Domains that need to be excluded from proxying no_proxy="test.com,test.co.uk", it is a comma separate list
recovery_email_template | string

The custom html template used to send emails with recovery codes. For example:

Hi, Please enter the following code to recover your account: {{ .RecoveryCode }}
sender_email | string

Default: identity@canonical.com

The email address used as the sender for automated verification and recovery emails.
sender_name | string

Default: Canonical Identity Platform

The display name that appears alongside the sender email address in recovery and verification emails.