diff --git a/docs/api-examples.sh b/docs/api-examples.sh
new file mode 100755
index 0000000000000000000000000000000000000000..906cd11f7704e42655f1ac6cd6bba629bea0b0ff
--- /dev/null
+++ b/docs/api-examples.sh
@@ -0,0 +1,53 @@
+
+# Admin IP/port
+ip=127.0.0.1:8000
+
+# Public IP/port
+pip=127.0.0.1:8080
+
+echo "Check if admin port can be reached:"
+
+curl http://$ip/health/ready
+
+echo "List identities:"
+
+curl http://$ip/identities
+
+echo "Get schema:"
+
+curl http://$pip/schemas/default
+
+echo "Create ID:"
+
+json='{
+"schema_id": "default",
+"traits": {
+        "email": "test@greenhost.nl",
+        "name": {
+                "first": "Dave",
+                "last": "Stanley"
+                }
+        }
+}'
+
+
+curl -d "$json" -X POST http://$ip/identities
+
+
+echo "Update an id"
+id=af9b4abc-6308-48e2-abda-04e664487cf9
+
+json='{
+"schema_id": "default",
+"traits": {
+        "email": "test@greenhost.nl",
+        "name": {
+                "first": "Dave",
+                "last": "Stanley"
+                },
+        "totp": "12345"
+        }
+}
+'
+
+curl -d "$json" -X PUT http://$ip/identities/$id
diff --git a/docs/local_dev_remote_kratos.md b/docs/local_dev_remote_kratos.md
new file mode 100644
index 0000000000000000000000000000000000000000..025d89d0ea05495b9520f03384bfa1aeb55f3af7
--- /dev/null
+++ b/docs/local_dev_remote_kratos.md
@@ -0,0 +1,95 @@
+
+
+# Introduction
+
+kratos managed the user database. It has profiles of all users and keeps track
+of lost password policies, welcome e-mails, TOTP (future). First, Last name etc.
+
+Kratos is a flexible identity manager where our own "schema" can be defined with
+the information we want for Stack Spin. 
+
+Kratos has a public API, which should be accessible for the world, and an admin API
+which is ONLY accible for our panel/board to manage users.
+
+At the point of writing BOTH end-point are not public yet. We can use SSH port
+forwards for development.
+
+# Installation
+
+The current kratos version is not yet merge to master. However, this does not
+prevent us from developing already. To use / add the kratos backend, the
+following needs to be done:
+
+On you `kubectl` / controller machine, make sure to checkout:
+
+`git@open.greenhost.net:openappstack/single-sign-on.git`
+
+Be sure to choose the kratos branch: `76-use-kratos-as-identity-manager`
+
+Once this is all fetched, installation can be done with the following steps:
+
+1. Suspend the automatic updating: 
+   As we are gonna use a non-release version, the flux subsystem will rollback
+   changes to follow the released versions. However, during development we want
+   to prevent this. We can suspend the service with:
+
+```
+flux suspend source chart oas-single-sign-on
+```
+
+2. Make a backup of the current keys and configuration values. We needs those
+when we install the new version of the `single-sign-on` helmchart:
+
+```
+helm get values single-sign-on > /to/a/path/my_cluster_values.yaml
+```
+
+3. Install the single-sign-on helmchart with kratos service
+
+```
+cd helmchart/single-sign-on
+helm upgrade -f /to/a/path/my_cluster_values.yaml single-sign-on . -n oas --debug
+```
+
+This will install the latest version. 
+
+**Note**: Known issue, in some circuimstances the installation fails because the
+"automerge", to update the database fields, kicks in while at that point is too
+early. This needs more investigation. If you run into this problem, try the
+following: 
+
+1. Open the file `helmchart/single-sign-on/values.yaml`
+2. Set the `autoMigrate` on line 151 to false
+3. Rerun the upgrade.
+
+After successful upgrade, adjust the value back to `true` and rerun the install. 
+
+It looks there is some kind of race condition, by first disabeling, the storage
+to store the database is created, so on the second run, this racecondition is
+not hit. This *should* not happen with kubernetes, so maybe the cause is
+something else.
+
+# Development
+
+To develop, one needs access to kratos from the development system. A helper 
+script is available in this directory to setup the redirect the ports, 
+giving access to localhost port 8000 and 8080 for the admin/public port of
+kratos.
+
+```
+./set-ssh-tunnel.sh `oas.example.com`
+```
+
+(the tunnel goes to the kubernetes node, so *not* your controller node.
+
+kratos API is specified on their website:
+
+https://www.ory.sh/kratos/docs/reference/api/
+
+Some example can be found in:
+
+```
+./api-examples.sh
+```
+
+
diff --git a/docs/set-ssh-tunnel.sh b/docs/set-ssh-tunnel.sh
new file mode 100755
index 0000000000000000000000000000000000000000..127bc53761589b416d395ade4e1f3fe086c7e104
--- /dev/null
+++ b/docs/set-ssh-tunnel.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+
+host=$1
+
+if [ "x$host" == "x" ]
+then
+    echo "Please give host of kubernetes master as argument"
+    exit
+fi
+
+
+admin=`ssh $host -lroot kubectl get service -n oas|grep single-sign-on-kratos-admin | awk '{print $3'}`
+public=`ssh $host -lroot kubectl get service -n oas|grep single-sign-on-kratos-public | awk '{print $3}'`
+
+echo "Admin port will be at localhost:8000, public port will be at localhost:
+8080"
+     
+ssh -L 8000:$admin:80 -L 8080:$public:80 root@$host