v3.2.1 · canvas design system

Identity and OAuth2, on your terms.

Olympus is a free identity solution built on Ory Kratos and Hydra. Self-hosted, standards-compliant, no per-seat pricing.

Open the playgroundRead the docs
✓ Apache 2.0✓ OIDC · OAuth2 · PKCE✓ Self-hosted
~60 seconds · zero config

Stand up the whole stack locally with one command.

octl auto-installs Podman, builds dev images for every Olympus repo, brings up infra → Ory → apps → seed in order, and hands you working URLs and a test login.

~/Olympus · octl
$ npm install -g @olympusoss/octl
$ octl

→ checking Podman, podman-compose, kubectl…
→ starting Podman machine
→ building dev images  (platform · hera · athena · site)
→ bringing up stack   infra → migrations → Ory → apps → seed

✓ kratos      healthy
✓ hydra       healthy
✓ hera        → http://localhost:3000
✓ athena      → http://localhost:3001
✓ site        → http://localhost:2000

test user → admin@olympus.local / olympus
Capabilities

Everything Ory gives you,
packaged for humans.

Canvas, hera, and athena compose a working stack on top of Ory. Bring your own Postgres, deploy anywhere.

Kratos identity

Sign-up, sign-in, recovery, verification, MFA. Extensible schemas per identity type.

Hydra OAuth2

Authorization code, client credentials, refresh, PKCE. OIDC-compliant id_tokens.

Fine-grained scopes

Declare scopes per client. Consent is recorded and revocable from athena.

Brute-force protection

Per-identity and per-IP lockouts. Configurable thresholds. Full audit log.

JSON Schema profiles

Define employee, customer, or service identities. Traits are typed end-to-end.

Observable

OpenTelemetry spans on every admin and runtime call. Ship to any backend.

Dual-domain architecture

Separate identity domains for customers and employees — clean isolation, shared infrastructure.

CIAM

Customer identity

Hera
iOS
Android
Web
Athena
Web
Hydra
Kratos

IAM

Employee identity

Hera
iOS
Android
Web
Athena
Web
Hydra
Kratos
Shared
PostgreSQL
pgAdmin

OAuth2 flow: App → Hydra /oauth2/auth → Hera /login → Kratos auth → /consent → Hydra issues tokens → App receives code

Athena admin panels authenticate via IAM Hera (employee SSO)

try it out

Live Olympus, two domains.

Real instances on nannier.com — sign in, walk through the full OAuth2 + PKCE handshake, then come back with an authorization code.

C
Customer login (CIAM)

Sign in or register on the customer-facing identity domain. Built for end-users of apps you ship.

Login to CIAM
E
Employee login (IAM)

Sign in to the workforce identity domain. SSO, MFA, and provisioning for internal apps.

Login to IAM
Admin panels
A
Admin · Customer identity

Athena admin for the CIAM domain. Manage identities, sessions, OAuth2 clients, and lockouts.

Open admin
A
Admin · Employee identity

Athena admin for the IAM domain. Same surface, scoped to the employee identity store.

Open admin
Each login button redirects to Ory Hydra, which routes through Hera for authentication before returning here with an authorization code.
SDK

Three lines to your first session.

app/auth.ts
import { OlympusClient } from '@olympusoss/sdk';

const olympus = new OlympusClient({
  issuer: 'https://auth.olympus.dev',
  clientId: 'site-ciam-client',
  pkce: true,
});

await olympus.signIn();
const session = await olympus.getSession();
console.log(session.identity.traits.email);