Overview
Ory is an open-source identity infrastructure platform that provides authentication, authorization, and session management services. Site operators self-host Ory components or use Ory Network (the cloud offering) to handle login flows, OAuth 2.0 and OpenID Connect, and multi-factor authentication. Its scripts appear on web properties wherever the operator has integrated Ory for user account management rather than building authentication in-house.
What This Script Does
Ory browser scripts perform several authentication functions. During login and registration, the SDK renders form UI and communicates with the Ory identity server to validate credentials. Session management relies on ory_session cookies (typically persistent for the duration configured by the operator, commonly 24 hours to 30 days) that are set on the application domain to maintain authenticated state across page loads. OAuth flows involve short-lived ory_oauth2_* state cookies used during the authorization code exchange, which expire after the flow completes. For CSRF protection, Ory sets a csrf_token cookie per-session. Scripts make network requests to the Ory API endpoint (either self-hosted or *.projects.oryapis.com for cloud deployments) to verify tokens and refresh sessions. MFA flows may involve additional device-trust cookies. The scripts do not perform behavioral analytics or cross-site tracking; all data handling is scoped to identity verification for the operating site.
Consent & Compliance
Authentication cookies that are strictly necessary to provide a service explicitly requested by the user fall within the ePrivacy Directive's exemption for technically necessary cookies. Under GDPR Article 6(1)(b), processing required to perform a contract with the user (i.e., providing account access) is lawful without consent. Ory's session and CSRF cookies qualify as essential under this framework. The IAB TCF purposes framework does not apply. For CCPA/CPRA, authentication data is not sold or shared for cross-context behavioral advertising, so opt-out obligations do not apply. Ory Network (cloud) is a US-based service; cross-border data transfers to Ory's infrastructure require standard contractual clauses or equivalent mechanisms for EU operators. Consent category: essential/functional.
Should You Block This Without Consent?
No. Ory handles authentication — blocking it would prevent users from logging in, registering, or accessing protected content. Session and CSRF cookies are technically necessary for the service to function. Apply privacy-by-design by ensuring Ory is configured to minimize data retention and limit scopes to what the application requires, rather than blocking the scripts.
Tracked Domains (1)
ory.com: Essential
Frequently Asked Questions
Is consent required for Ory on my website?
No, not for core authentication. Ory is categorized as essential and functional. The session cookies and OAuth tokens it sets are necessary for login and access control to function. Essential authentication infrastructure is exempt from consent requirements under GDPR and ePrivacy.
What cookies does Ory set?
Ory sets session cookies and OAuth tokens to maintain authenticated user state. It may also set CSRF protection cookies for form security. These are short-lived functional cookies tied to the active session. Ory makes network requests to its identity servers to validate credentials.
How does ConsentStack handle Ory?
ConsentStack classifies Ory as essential and functional. Authentication session cookies are treated as strictly necessary and are never blocked, regardless of consent state. This ensures login flows and access control continue to operate correctly for authenticated users on your site.