In the history of software, few milestones are as staggering as 900 million weekly active users. OpenAI’s user base now rivals entire continents, all interacting with a high-compute, stateful AI environment. At this scale, Identity and Access Management (IAM) is no longer just about a login box—it is the gatekeeper of system stability, data privacy, and global accessibility. When OpenAI launched ChatGPT, they triggered a global shift in computing. To survive the resulting “success disaster,” they needed an identity layer that could scale horizontally without friction, maintain absolute security, and offer flexibility across multiple deployment options. This guide extracts the key steps OpenAI took using Ory to build a bespoke, hardened identity system that supports nearly a billion weekly users.
What You Need
- A high-growth product—expecting rapid user adoption (e.g., reaching 1 million users in days).
- Existing or planned authentication—basic login, registration, session management.
- Engineering team—capable of configuring and self-hosting identity services.
- Cloud infrastructure—for multi-region deployment (e.g., AWS, GCP, Azure).
- Open standards knowledge—OAuth2, OpenID Connect, JSON Web Tokens.
- Monitoring tools—to observe latency, token validation, and user behavior.
Step-by-Step Guide
Step 1: Assess Your Identity Infrastructure Needs
Before scaling, identify the bottlenecks traditional IAM solutions impose. OpenAI faced database bottlenecks from rigid schemas, latency issues (even 100ms delays compound with millions), lack of control for A/B testing and observation, and deployment flexibility requirements (desire to self-host). Evaluate your own system against these criteria. Ask: Can my current identity provider handle global, multi-region distribution? Does it allow me to optimize performance through user behavior analysis?
Step 2: Choose an Identity Solution That Scales Horizontally
OpenAI didn’t select a traditional, monolithic “Identity-as-a-Service” provider. Instead, they chose Ory, which is built on open standards and designed for horizontal scaling. Look for a solution that offers standards-based protocols (OAuth2, OpenID Connect) to avoid vendor lock-in. Prioritize systems that can be self-hosted and are not tied to a single cloud provider. As Benjamin Billings, Engineering Manager at OpenAI, noted: “OpenAI wanted a partner that could help enable our vision for owning our identity processes, data, and success.”
Step 3: Implement a Standards-Based, Agile IAM Approach
Adopt open standards to ensure interoperability and future flexibility. Use Ory’s Kratos for identity and user management, and Hydra for OAuth2/OpenID Connect. This approach allows you to customize every aspect—from token validation to session handling—without reliance on proprietary APIs. Implement A/B testing capabilities: create separate authentication flows and observe user behavior to optimize performance for your audience. For example, test different login methods (email/password vs. social login) to reduce friction.
Step 4: Self-Host in an Environment of Your Choosing
OpenAI required a system that allowed them to self-host in a controlled environment. Deploy Ory on your own infrastructure (e.g., Kubernetes clusters across multiple regions) to achieve full control over data residency, compliance, and performance. Use multi-region replication to reduce latency—place authentication servers close to your user base. This also enables you to run custom monitoring and alerting without third-party limitations.
Step 5: Enable User Behavior Observation and Performance Optimization
With a self-hosted IAM, you gain the ability to observe every authentication event. OpenAI used this to conduct real-time analysis of login flows, session duration, and token refresh patterns. Set up dashboards to track token validation latency and error rates. When you see spikes during traffic surges (e.g., viral product launches), you can scale resources horizontally—add more instances of Ory services before bottlenecks occur.
Step 6: Prepare for Explosive Growth—the “Success Disaster”
ChatGPT reached 1 million users in just five days; OpenAI’s weekly active users jumped from 200 million to over 400 million within months. Your IAM must handle such explosive growth without downtime. Use Ory’s horizontal scalability: add more nodes to handle increasing login requests. Implement caching for session tokens (e.g., using Redis) to reduce database load. Ensure your deployment can auto-scale based on CPU/memory usage. Plan for worst-case scenarios—load test with simulated traffic peaks.
Step 7: Resolve the SaaS Paradox—Enterprise Security Without Rigid Constraints
OpenAI needed enterprise-grade security (data encryption, rate limiting, brute-force protection) but without the rigid constraints of a monolithic provider. Ory allowed them to customize security policies per user cohort. For example, implement adaptive authentication: step-up MFA for sensitive actions, while keeping low-friction access for basic queries. Use Ory’s identity schema to store arbitrary user data, enabling A/B tests on features without polluting a fixed schema.
Tips for Success
- Avoid vendor lock-in—use open standards so you can switch components if needed. Ory’s architecture is built on OAuth2 and OpenID Connect, making it compatible with many other tools.
- Monitor all the time—latency issues compound at scale. Set up alerts for token validation times exceeding a threshold (e.g., 200ms).
- Test your scaling strategy early—simulate massive concurrent logins (e.g., with tools like k6 or Locust) before your product goes viral.
- Own your data—self-hosting gives you control over compliance (e.g., GDPR, CCPA) and prevents third-party data breaches.
- Iterate on user experience—use A/B testing to find the optimal login flow that balances security and frictionlessness.
- Prepare for success—the “success disaster” is real. Have a runbook for scaling identity infrastructure in hours, not weeks.