Installation
Ory Keto Enterprise License (OEL) is distributed as a Docker image from Ory's private enterprise Docker registry. Unlike the open source build, it is not available as a public binary download or from GitHub releases, and it requires authentication to pull.
Prerequisites
Before starting the process, ensure you meet the following requirements:
- Valid Ory Enterprise License: You must have purchased an Ory Enterprise License.
- Access to the Ory Enterprise Docker Registry: You need access to download the OEL Docker images.
- Backup and Testing: Create a backup of your current Ory database if you are upgrading or migrating and test the process on a test environment to ensure compatibility and minimize risks.
Docker registry
The Ory Keto OEL image is available from the EU region registry:
europe-docker.pkg.dev/ory-artifacts/ory-enterprise-keto/keto-oel
Authenticate to the registry
Enterprise Docker images are kept in a private registry that requires
authorization. An authorization key is provided for each customer separately.
The following steps assume the key is stored in keyfile.json.
gcloud auth activate-service-account --key-file=keyfile.json
gcloud auth configure-docker europe-docker.pkg.dev
Pull the image
Replace <image-tag> with the newest tag from
Available image tags at the bottom of this page:
docker pull europe-docker.pkg.dev/ory-artifacts/ory-enterprise-keto/keto-oel:<image-tag>
Run with Docker
To run Ory Keto OEL, set the DSN environment variable to your database
connection string and provide a
configuration file
. Pass the configuration file with the -c / --config flag and mount it into the
container.
Provide the database connection string through the DSN environment variable.
The enterprise build reads DSN from the environment when initializing, and
supplying it this way works for both the migration and serve steps.
Before deploying the service, apply the SQL migrations:
docker run \
-e DSN=your_database_connection_string \
europe-docker.pkg.dev/ory-artifacts/ory-enterprise-keto/keto-oel:<image-tag> \
migrate sql up -e -y
Then start the service:
docker run \
-p 4466:4466 -p 4467:4467 \
-e DSN=your_database_connection_string \
-v /path/to/config:/etc/config/keto \
europe-docker.pkg.dev/ory-artifacts/ory-enterprise-keto/keto-oel:<image-tag> \
serve -c /etc/config/keto/keto.yaml
Run on Kubernetes
Ory publishes Helm charts for all enterprise builds. Add the Ory Helm repository:
helm repo add ory https://k8s.ory.com/helm/charts
helm repo update
Create the ory namespace:
kubectl create namespace ory
Create a Kubernetes secret containing the image registry credentials:
kubectl create secret docker-registry ory-oel-gcr-secret \
--docker-server=europe-docker.pkg.dev \
--docker-username=_json_key \
--docker-password="$(cat keyfile.json)" \
--namespace ory
Create a Kubernetes secret containing the DSN and other secret values:
apiVersion: v1
kind: Secret
metadata:
name: ory-oel-keto-secret
namespace: ory
data:
dsn:
# Add any additional secrets required by your configuration, base64-encoded.
# https://www.ory.com/docs/keto/reference/configuration
Create a values.yaml file to customize the configuration:
image:
registry: europe-docker.pkg.dev
repository: ory-artifacts/ory-enterprise-keto/keto-oel
tag: <replace-with-current-image-tag>
imagePullSecrets:
- name: ory-oel-gcr-secret
keto:
automigration:
enabled: true
serviceMonitor:
enabled: true
secret:
enabled: false
nameOverride: "ory-oel-keto-secret"
config:
# Ory Keto config
# https://www.ory.com/docs/keto/reference/configuration
Install Ory Keto:
helm install ory-oel-keto ory/keto --namespace ory --create-namespace -f values.yaml
Available image tags
The tags are ordered by date. Pick the newest tag from the top of the list.
| Image Tag | Release Date |
|---|---|
| 26.2.22 | 2026-06-26 |
| 26.2.21 | 2026-06-23 |
| 26.2.20 | 2026-06-19 |
| 26.2.19 | 2026-06-17 |
| 26.2.18 | 2026-06-11 |
| 26.2.17 | 2026-06-10 |
| 26.2.16 | 2026-06-05 |
| 26.2.15 | 2026-06-02 |
| 26.2.14 | 2026-05-29 |
| 26.2.13 | 2026-05-22 |
| 26.2.12 | 2026-05-20 |
| 26.2.11 | 2026-05-15 |
| 26.2.10 | 2026-05-11 |
| 26.2.9 | 2026-05-04 |
| 26.2.8 | 2026-04-28 |
| 26.2.7 | 2026-04-24 |
| 26.2.6 | 2026-04-22 |
| 26.2.5 | 2026-04-20 |
| 26.2.4 | 2026-04-14 |
| 26.2.3 | 2026-04-02 |
| 26.2.2 | 2026-03-26 |
| 26.2.1 | 2026-03-25 |
| 26.2.0 | 2026-03-20 |
| 26.1.18 | 2026-03-13 |
| 26.1.17 | 2026-03-11 |
| 26.1.16 | 2026-03-09 |
| 26.1.15 | 2026-02-26 |
| 26.1.14 | 2026-02-25 |
| 26.1.13 | 2026-02-20 |
| 26.1.12 | 2026-02-19 |
| 26.1.11 | 2026-02-17 |
| 26.1.10 | 2026-02-11 |
| 26.1.9 | 2026-02-09 |
| 26.1.8 | 2026-02-05 |
| 26.1.7 | 2026-02-04 |
| 26.1.6 | 2026-02-04 |
| 26.1.5 | 2026-02-01 |
| 26.1.4 | 2026-01-26 |
| 26.1.3 | 2026-01-22 |
| 26.1.2 | 2026-01-18 |
| 26.1.1 | 2026-01-17 |
| 26.1.0 | 2026-01-05 |
| 25.4.12 | 2025-12-24 |
| 25.4.11 | 2025-12-23 |
| 25.4.10 | 2025-12-22 |
| 25.4.9 | 2025-12-18 |
| 25.4.8 | 2025-12-09 |
| 25.4.5 | 2025-12-04 |
| 25.4.3 | 2025-12-01 |
| 25.4.2 | 2025-11-25 |
| 25.4.1 | 2025-11-19 |
| 25.4.0 | 2025-11-07 |
| 25.3.9 | 2025-10-30 |
| 25.3.8 | 2025-10-23 |
| 25.3.6 | 2025-10-10 |
| 25.3.5 | 2025-10-03 |
| 25.3.4 | 2025-09-26 |
| 25.3.3 | 2025-09-18 |
| 25.3.2 | 2025-09-08 |
| 25.3.1 | 2025-09-03 |
| 25.3.0 | 2025-08-19 |
| 8d6ee03cc8181d3277100a4b7412a3a113799964 | 2025-08-12 |
| 8fcb534888e8853836a97ead241bef518f6fc263 | 2025-08-04 |
| beebb63c5cd4a58b218a792027b34d231735dc05 | 2025-07-25 |
| 097934fff2bda05c808d962a92f52140f80dff83 | 2025-07-25 |
| cab093b480501b914f6b2eda1f306b8d6e179ab4 | 2025-07-16 |
| 9cde70b7b994db145ab08bc3e1288b49cd7b3696 | 2025-07-08 |
| 6147132bd97e3d9146037beeaebf8d315b760ed2 | 2025-07-04 |
| 86970d22e81479695c130079707f8f9dc0929885 | 2025-07-03 |
| ea3038323329fb703a31bde1abc1a0cf41a08926 | 2025-06-23 |
| 19fae4f763fa139db38db601000cb80b53ebde4d | 2025-06-20 |
| de9debec0a2c8e8f35b2a8924cc133925162a0a6 | 2025-06-18 |
| d389bd4c1bc21c1cdaf5e60688314a5bf9bfce3e | 2025-06-06 |
| d4f640cf72989adf24ba153919ede18d4cddc98e | 2025-05-27 |