We want to protect the Keto API according to what is written in the docs with Oathkeeper. Oathkeeper then uses authentication (Kratos) and authorization (Keto???). The question is how to implement the authorization step. I suppose that the same Keto instance cannot be used for authorizing the access to itself, so should one instead use “remote_json”?
What is the best practice for this?
Yes, remote_json is your friend here 
Sorry that there are no docs on this atm.