Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions docs/intro.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ improves the safety of everyone:
control (incl. RBAC and ABAC models) in any application. It's based on the open-source
[Ory Keto Permission Server](https://github.com/ory/keto), which implements
[Zanzibar: Google’s Consistent, Global Authorization System](https://research.google/pubs/pub48190/).
- Ory API key management lets you issue, import, verify, and revoke API keys for your own services and derive short-lived tokens.
It's based on the open-source [Ory Talos](https://github.com/ory/talos) API key management service.

Ory develops and maintains many additional open-source projects. From an Ory Zero Trust Identity & Access Proxy
[Ory Oathkeeper](https://github.com/ory/oathkeeper) to developer tooling [Ory Dockertest](https://github.com/ory/dockertest) to
Expand Down
9 changes: 9 additions & 0 deletions docs/network/getting-started/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,15 @@ Ory Network incorporates the open-source [Ory Polis](https://www.ory.com/polis)
- Simplified SSO flow by implementing SSO as a standard OAuth 2.0 flow, abstracting away the complexities of SAML.
- Act as a SAML Identity Provider (IdP).

### API key management

Ory Network incorporates [Ory Talos](https://www.ory.com/talos) and offers:

- Issuing, rotating, and revoking API keys for your own APIs and services.
- Importing existing API keys and verifying any key with a single authenticated API call.
- Deriving short-lived JWT and macaroon tokens from long-lived keys.
- Per-key scopes, IP restrictions, and rate-limit policies, managed in the Ory Console.

### Ory Console

Ory Console is the management UI of Ory Network.
Expand Down
101 changes: 101 additions & 0 deletions docs/network/talos/configure.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
---
id: configure
title: Configure API keys on Ory Network
sidebar_label: Configuration
---

<head>
<link rel="canonical" href="https://www.ory.com/docs/network/talos/configure" />
</head>

On Ory Network there is no configuration file and no `TALOS_*` environment variables. API key settings live in your project
configuration: change them in the Ory Console or with the project APIs and the Ory CLI.

:::note

Configuration changes propagate asynchronously — allow a short delay before new settings affect key issuing and verification.

:::

## Ory Console

Go to <ConsoleLink route="project.apiKeys.configuration" />. The Configuration page has these sections:

- **Rate limiting** — enable server-side rate-limit enforcement (subject to your plan).
- **Caching** — enable verification response caching and set the cache time-to-live (subject to your plan).
- **Lifespans** — the default and maximum lifetime of issued keys.
- **Key prefixes** — the current and retired secret prefixes, and the public current and retired prefixes.
- **Derived token defaults** — the token issuer, retired issuers, and the default lifetime of derived tokens.
- **JWT tokens** — rotate the JWT signing key, gracefully or with immediate revocation.
- **Macaroon tokens** — macaroon prefixes and HMAC secret rotation.

## Ory CLI

The project configuration uses the same JSON shape as the self-hosted configuration file, nested under `/services/talos`. Apply
the whole configuration object with `ory patch project`:

```shell
ory patch project --project <project-id> --workspace <workspace-id> \
--add '/services/talos={"config":{"credentials":{"api_keys":{"default_ttl":"168h","max_ttl":"8760h","prefix":{"current":"acme_ak"}},"derived_tokens":{"default_ttl":"1h"}},"cache":{"enabled":true,"ttl":"30s"},"rate_limit":{"enabled":true}}}'
```

The example lowers the maximum key lifetime to one year (`8760h`); the Network default is `17520h`.

Or import a full configuration file with `ory update project`:

```shell
ory update project --project <project-id> --workspace <workspace-id> --file talos-config.json
```

where `talos-config.json` contains `{"services":{"talos":{"config":{...}}}}`.

:::warning Caveats

- `ory get project` does not return the API key configuration. Keep your desired configuration in a version-controlled file and
re-apply the whole object.
- Always use `--add '/services/talos=...'` with the complete configuration object. Deep patch paths such as
`--replace '/services/talos/config/credentials/issuer=...'` are not supported, because the project document returned by the API
contains no `services.talos` node to patch into.
- Use `--remove` to delete values. The `--delete` flag shown in some generated CLI examples does not exist.

:::

## Configuration reference

These keys are configurable per project. The JSON paths are relative to `/services/talos/config`:

| Setting | JSON path | Notes |
| ---------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------ |
| Token issuer | `credentials.issuer`, `credentials.issuer_retired` | Must be the project URL or a registered custom domain. |
| Key lifespans | `credentials.api_keys.default_ttl`, `credentials.api_keys.max_ttl` | Durations such as `168h`. |
| Key prefixes | `credentials.api_keys.prefix.{current,retired,public_current,public_retired}` | Pattern `^[a-zA-Z0-9_]{1,16}$`. |
| Derived token lifetime | `credentials.derived_tokens.default_ttl` | Duration such as `1h`. |
| JWT signing keys | `credentials.derived_tokens.jwt.signing_keys.urls` | `base64://` literals only. |
| Macaroon prefixes | `credentials.derived_tokens.macaroon.prefix.{current,retired}` | |
| Caching | `cache.enabled`, `cache.ttl` | Subject to your plan. |
| Rate limiting | `rate_limit.enabled` | Subject to your plan. |

Defaults on Ory Network differ from the self-hosted defaults in a few places: the issuer defaults to your project URL, issued keys
default to a lifetime of 168 hours (self-hosted keys have no expiry by default), the maximum lifetime is 17520 hours, and caching
is off by default with a 15 second time-to-live when enabled.

## Managed by Ory

Infrastructure settings — the database, `serve.*`, logging, tracing, the cache backend type, the rate-limit backend, last-used
tracking, multitenancy, clock skew, and the key quota (derived from your plan) — are operated by Ory. Setting them through the API
returns a warning or is ignored.

## Secrets and rotation

HMAC secrets and JWT signing keys are generated and stored by Ory; you never see or set them. Rotate them in the Console under
**API Keys** → **Configuration**:

- **Graceful rotation** keeps retired secrets valid for verification during the transition.
- **Revoke** invalidates outstanding derived tokens immediately.

## Plan gating

Caching and server-side rate-limit enforcement require a plan that includes them; the Console shows an upgrade prompt when they
aren't available. See [plans and pricing](https://www.ory.com/pricing).

Self-hosting? See the [configuration guide for self-hosted deployments](../../talos/operate/configure.md).
35 changes: 35 additions & 0 deletions docs/network/talos/index.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
---
id: index
title: API key management on Ory Network
sidebar_label: Introduction
---

<head>
<link rel="canonical" href="https://www.ory.com/docs/network/talos" />
</head>

```mdx-code-block
import MyPartial from "@site/src/components/Shared/talos/index.mdx"

<MyPartial />
```

## API key setup

New projects come with API key management ready to use: Ory generates the project's HMAC secret and JWT signing key when the
project is created and applies the default configuration. Projects created before API key management launched show an **Enable API
Keys** button on the <ConsoleLink route="project.apiKeys.keys" /> page instead — selecting it runs the same one-time setup.

## Plans and quotas

The number of active API keys, response caching, and server-side rate-limit enforcement depend on your
[subscription plan](https://www.ory.com/pricing). Issuing a key beyond your plan's quota returns HTTP 402 with the reason
`API_KEY_QUOTA_EXCEEDED`.

## Next steps

- Follow the [quickstart](./quickstart.mdx) to create a project, issue an API key, and verify it.
- Learn how to [configure API keys on Ory Network](./configure.mdx) with the Ory Console or the Ory CLI.
- Explore the guides for [issuing and verifying keys](../../talos/integrate/issue-and-verify.mdx),
[importing existing keys](../../talos/integrate/import-keys.mdx), and
[deriving short-lived tokens](../../talos/integrate/derive-tokens.mdx).
114 changes: 114 additions & 0 deletions docs/network/talos/quickstart.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
---
id: quickstart
title: Get started with API keys on Ory Network
sidebar_label: Quickstart
---

<head>
<link rel="canonical" href="https://www.ory.com/docs/network/talos/quickstart" />
</head>

This quickstart takes you from an empty Ory Network project to issuing, verifying, and revoking an API key — using the Ory Console
and `curl`. No installation, database, or configuration file is required.

## Create a project

Sign up at [console.ory.com/registration](https://console.ory.com/registration) and create a free project, or use the
[Ory CLI](../../guides/cli/01_installation.mdx):

```shell
ory create project --name "API keys demo"
```

Note the project slug — your project's API endpoint is `https://<project-slug>.projects.oryapis.com`.

## Open API keys in the Console

Go to <ConsoleLink route="project.apiKeys.keys" />. New projects come with API key management ready to use: Ory generates the
project's HMAC secret and JWT signing key at project creation and applies the defaults — key prefix `ory_ak`, default key lifetime
of 168 hours, and a maximum lifetime of 17520 hours.

If your project was created before API key management launched, the page shows **Enable API Keys** instead. Select it to run the
same one-time setup.

## Get an admin credential

:::info Two kinds of keys

The keys you manage in the **API Keys** section are your product's API keys — credentials you issue to your own users and
services, with the `ory_ak_` prefix. To call the management API itself, you need an **Ory Network project API key** with the
`ory_pat_` prefix. Create one under **Project settings → API Keys** at
[console.ory.com/projects/current/developers](https://console.ory.com/projects/current/developers).

:::

Export your project slug and project API key:

```shell
export PROJECT_SLUG=<your-project-slug>
export ORY_PAT=ory_pat_...
```

## Issue an API key

In the Console, go to **API Keys** → **Keys** and select **Issue new key**: set a name and an optional expiry, then copy the
secret from the dialog — it is shown only once and starts with `ory_ak_`.

Or issue a key with the API:

```shell
curl -X POST "https://$PROJECT_SLUG.projects.oryapis.com/v2alpha1/admin/issuedApiKeys" \
-H "Authorization: Bearer $ORY_PAT" \
-H "Content-Type: application/json" \
-d '{"name": "my-first-key"}'
```

The response returns HTTP 201 with the one-time `secret` and the key's ID in `issued_api_key.key_id`. Export both for the next
steps:

```shell
export API_KEY=ory_ak_...
export KEY_ID=<key_id from the response>
```

## Verify the key

In the Console, go to **API Keys** → **Playground** and paste the secret. Or verify with the API:

```shell
curl -X POST "https://$PROJECT_SLUG.projects.oryapis.com/v2alpha1/admin/apiKeys:verify" \
-H "Authorization: Bearer $ORY_PAT" \
-H "Content-Type: application/json" \
-d '{"credential": "'"$API_KEY"'"}'
```

The response contains `"is_valid": true`. Verification is an authenticated admin call on Ory Network: it confirms whether a
credential is valid and returns its metadata, so it requires the project API key like every other `/admin/` endpoint.

## Revoke and re-verify

Revoke the key from its row menu in **API Keys** → **Keys**, or with the API:

```shell
curl -X POST "https://$PROJECT_SLUG.projects.oryapis.com/v2alpha1/admin/issuedApiKeys/$KEY_ID:revoke" \
-H "Authorization: Bearer $ORY_PAT"
```

The call returns HTTP 204. Run the verify request again: the response now contains `"is_valid": false` and an `error_code`.

Key holders can also revoke their own key without a project API key by proving possession of the secret — see
[self-revocation](../../talos/integrate/self-revocation.mdx).

## Next steps

- [Configure API keys on Ory Network](./configure.mdx) — lifespans, prefixes, caching, and secret rotation via Console or CLI.
- [Derive short-lived tokens](../../talos/integrate/derive-tokens.mdx) from long-lived keys.
- [Import existing keys](../../talos/integrate/import-keys.mdx) from another system.
- Browse the [API reference](../../talos/reference/api/ory-talos-api.info.mdx).

:::note

Issuing keys beyond your plan's quota returns HTTP 402 with the reason `API_KEY_QUOTA_EXCEEDED`. Quotas depend on your
[subscription plan](https://www.ory.com/pricing).

:::
2 changes: 1 addition & 1 deletion docs/oel/getting-started/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: Introduction to Ory Enterprise License
---

The Ory Enterprise License (OEL) is a commercial license designed for businesses and organizations that rely on Ory's open-source
identity and access control software (Ory Hydra, Ory Kratos, Ory Keto, Ory Oathkeeper, and Ory Polis) in production and
identity and access control software (Ory Hydra, Ory Kratos, Ory Keto, Ory Oathkeeper, Ory Polis, and Ory Talos) in production and
mission-critical environments. It grants access to enterprise-grade features, dedicated support, and builds optimized for
stability, security, and scalability.

Expand Down
8 changes: 8 additions & 0 deletions docs/oss/getting-started/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,14 @@ Ory Keto is able to authenticate different types of credentials (for example OAu
Tokens, ...) and allows you to define advanced permission rules ("Access Control Policies"). And there's of course an endpoint
that tells you if a certain set of credentials (for example an OAuth 2.0 Access Token) is allowed to modify that blog post.

## Ory Talos

Your APIs have users of their own: services, scripts, and AI agents that authenticate with API keys instead of a login screen.
Issuing those keys securely, verifying them on every request, and revoking them when they leak is its own problem — and Ory Talos
solves it. Issue and import API keys, verify them with a single call, derive short-lived JWT or macaroon tokens from long-lived
keys, and let key holders revoke a compromised key themselves. Start with the [Ory Talos documentation](../../talos/index.md) or
jump straight into the [open-source quickstart](../../talos/quickstart/open-source.mdx).

## Ory Polis

![Ory Polis](https://raw.githubusercontent.com/ory/meta/master/static/logos/logo-polis.svg)
Expand Down
1 change: 1 addition & 0 deletions docs/products/overview.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ Choose Ory products based on the specific identity, authorization, or access con
| Delegated, Scope-based Authorization & Token Issuance | Which application can act on behalf of a user, and with what level of access? | **Ory Hydra** Implements OAuth2 and OpenID Connect to issue access and ID tokens with scopes. Delegates user login to Kratos or another IdP, enabling SSO and API access across apps and services. |
| Enterprise Federation & Single Sign-On (SSO) | How can enterprise customers sign in with their corporate identity provider? | **Ory Polis** Provides enterprise SSO by connecting apps to SAML and OIDC identity providers. Bridges legacy SAML into modern OAuth2 flows and supports SCIM directory sync for automated user and group provisioning. |
| Proxy Access Control (Enforcement) | Should this request be allowed to reach the API right now? | **Ory Oathkeeper** Acts as a proxy-based enforcement layer in front of APIs and services, validating credentials and applying authorization decisions before traffic reaches your application. |
| API Key Management & Machine Credentials | How do services, agents, and machines authenticate to my APIs? | **Ory Talos** Issues, imports, verifies, and revokes API keys for your own APIs, and derives short-lived JWT or macaroon tokens from long-lived keys. |

## From products to solutions

Expand Down
1 change: 1 addition & 0 deletions docs/sdk.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ sidebar_label: SDKs
---

The Ory SDK allows for integration with Ory services, including **Ory Identities**, **Ory Permissions**, and **Ory OAuth2**.
Recent SDK releases also include the **API key management (Ory Talos)** client.

Before using the SDK, consult the Ory [REST](./reference/api.mdx) API documentation, which includes code samples and examples for
various programming languages.
Expand Down
Loading
Loading