Ory Talos is a scalable and secure API key server optimized for low-latency verification, horizontal scaling, and predictable operations. It follows established security best practices for API keys, and it issues, verifies, revokes, and derives API keys and short-lived tokens for high-throughput systems.
Ory Talos is a server for issuing, verifying, and managing API keys. It follows cloud architecture best practices and focuses on:
- Issuing, verifying, and revoking API keys at scale
- Importing externally-issued API keys for unified verification
- Deriving short-lived JWT and macaroon tokens from long-lived keys
- Side-car deployment for fast API key verification
- Low-latency verification with caching and eventual revocation
- Predictable operations through structured logging, metrics, and tracing
We recommend starting with the Ory Talos documentation to learn more about its architecture, feature set, and how it compares to other systems.
Ory Talos is designed to:
- Run as a single binary with three deployment modes: admin, self-service, or all-in-one
- Verify API keys against the database with caching for low latency, while derived JWT and macaroon tokens verify offline without a database lookup
- Separate admin and self-service surfaces so key creation, revocation, derivation, and verification scale and are secured independently from proof-of-possession self-revocation
- Scale horizontally with external databases (Postgres, MySQL, CockroachDB) and optional distributed caching
- Fit modern cloud-native environments such as Kubernetes and managed platforms
- Mint reduced-scope, short-lived tokens offline so agents, CI/CD jobs, and services don't call the server on every request
- Keep credential routing, hashing, and verification centralized and constant-time
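The offline verification of derived tokens described in the list above, as an added example that is not Talos's own code: a macaroon-style token whose HMAC chain is rooted in a long-lived key's secret, attenuated with scope and expiry caveats, and verified without any database lookup. A holder can only add caveats (narrow the token), never remove them, because each caveat re-keys the chain. The token layout, the `exp=`/`scope=` caveat syntax, the root secret and the key ID are all assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed root secret of one long-lived API key. Only the key server
// (and verifiers it trusts) hold it; token holders never see it.
var rootSecret = []byte("constructed-root-secret-for-key-42")

// Hypothetical public identifier of that key, embedded in every derived token.
const keyID = "key_42"

// Token is a derived, short-lived credential: the key it descends from, the
// caveats restricting it, and a chained HMAC signature over all of them.
type Token struct {
	KeyID   string
	Caveats []string
	Sig     []byte
}

// chain computes HMAC-SHA256(prev, msg); each caveat re-keys the chain.
func chain(prev []byte, msg string) []byte {
	m := hmac.New(sha256.New, prev)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// Mint derives a reduced-scope token from the root secret (server side).
func Mint(root []byte, keyID string, caveats ...string) Token {
	sig := chain(root, keyID)
	for _, c := range caveats {
		sig = chain(sig, c)
	}
	return Token{KeyID: keyID, Caveats: caveats, Sig: sig}
}

// Attenuate adds a caveat without the root secret: anyone holding the token
// can restrict it further, but cannot loosen or remove existing caveats.
func Attenuate(t Token, caveat string) Token {
	cs := append(append([]string{}, t.Caveats...), caveat)
	return Token{KeyID: t.KeyID, Caveats: cs, Sig: chain(t.Sig, caveat)}
}

// VerifyToken recomputes the chain from the root secret and then evaluates
// every caveat against the request; no database access is needed.
func VerifyToken(root []byte, t Token, scope string, now time.Time) error {
	sig := chain(root, t.KeyID)
	for _, c := range t.Caveats {
		sig = chain(sig, c)
	}
	if !hmac.Equal(sig, t.Sig) { // constant-time comparison
		return errors.New("bad signature")
	}
	for _, c := range t.Caveats {
		if err := checkCaveat(c, scope, now); err != nil {
			return err
		}
	}
	return nil
}

// checkCaveat enforces one caveat; unknown caveats fail closed.
func checkCaveat(c, scope string, now time.Time) error {
	switch {
	case strings.HasPrefix(c, "exp="):
		exp, err := time.Parse(time.RFC3339, strings.TrimPrefix(c, "exp="))
		if err != nil {
			return err
		}
		if !now.Before(exp) {
			return errors.New("token expired")
		}
	case strings.HasPrefix(c, "scope="):
		if strings.TrimPrefix(c, "scope=") != scope {
			return errors.New("scope not permitted")
		}
	default:
		return fmt.Errorf("unknown caveat %q", c)
	}
	return nil
}

func main() {
	now := time.Now()
	exp := "exp=" + now.Add(10*time.Minute).UTC().Format(time.RFC3339)
	tok := Mint(rootSecret, keyID, "scope=read", exp)
	fmt.Println("read allowed:", VerifyToken(rootSecret, tok, "read", now) == nil)
	fmt.Println("write allowed:", VerifyToken(rootSecret, tok, "write", now) == nil)
}
```

The signature is checked before any caveat is parsed, so malformed or forged input is rejected on a single constant-time comparison; unknown caveat types fail closed so a verifier that does not understand a restriction never silently ignores it.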
You can run Ory Talos in two main ways:
- As a managed service on the Ory Network
- As a self-hosted service under your own control, with or without the Ory Enterprise License
The Ory Network is the fastest way to use Ory Talos in production.
The Ory Network provides:
- API key issuance, verification, and derivation with low-latency global edge
- OAuth2 and OpenID Connect for single sign-on, API access, and machine-to-machine authorization
- Identity and credential management that scales to billions of users and devices
- Registration, login, and account management flows for passkeys, biometrics, social login, SSO, and multi-factor authentication
- Prebuilt login, registration, and account management pages and components
- Low-latency permission checks based on the Zanzibar model with the Ory Permission Language
- GDPR friendly storage with data locality and compliance in mind
- Web based Ory Console and Ory CLI for administration and operations
- Cloud native APIs compatible with the open source servers
- Fair, usage based pricing
Sign up for a free developer account to get started.
You can run Ory Talos yourself for full control over infrastructure, deployment, and customization.
The install guide explains how to:
- Install Ory Talos on Linux, macOS, Windows, and Docker
- Configure databases such as SQLite, PostgreSQL, MySQL, and CockroachDB
- Deploy to Kubernetes and other orchestration systems
The open source distribution runs as a single instance against an embedded SQLite database. It is a great fit for individuals, researchers, hackers, and companies that want to experiment, prototype, or run low-traffic workloads without service level agreements (SLAs).
If you run Ory Talos as part of a business-critical system, for example API key verification on a hot path, you should use a commercial agreement to reduce operational and security risk. The Ory Enterprise License (OEL) layers on top of self-hosted Ory Talos and provides:
- Multi-node deployments backed by external databases (Postgres, MySQL, CockroachDB)
- Multi-tenancy, distributed caching, rate-limit enforcement, and edge verification nodes
- Regular security releases, including CVE patches, with SLAs
- Support for advanced scaling and complex deployments
- Premium support options with response SLAs, direct access to engineers, and onboarding help
- Access to a private Docker registry with frequent, vetted enterprise builds
For guaranteed CVE fixes, current enterprise builds, advanced features, and production support, you need a valid Ory Enterprise License and access to the Ory Enterprise Docker registry. To learn more, contact the Ory team.
Install the Ory CLI and use the managed Ory Network, or run Ory Talos locally with Docker Compose.

```bash
# Install the Ory CLI if you do not have it yet:
bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/

# Sign in or sign up
ory auth

# Create a new project
ory create project --create-workspace "Ory Open Source" --name "GitHub Quickstart" --use-project
```

To run Ory Talos locally:

```bash
# Open source edition (SQLite, single-node)
docker-compose -f docker-compose.oss.yaml up --build
```

The API will be available at http://localhost:4420
For end-to-end walkthroughs of issuing, verifying, and revoking keys, see the Quickstart guide and Issue and verify.
The Ory community stands on the shoulders of individuals, companies, and maintainers. The Ory team thanks everyone involved - from submitting bug reports and feature requests, to contributing patches and documentation. The Ory community counts more than 50.000 members and is growing. The Ory stack protects 7.000.000.000+ API requests every day across thousands of companies. None of this would have been possible without each and every one of you!
If you would like to be featured here once Ory Talos lands on the Network, reach out to [email protected].
Many thanks to all individual contributors
We build Ory on several guiding principles when it comes to our architecture design:
- Minimal dependencies
- Runs everywhere
- Scales without effort
- Minimize room for human and network errors
Ory's architecture is designed to run best on a container orchestration system such as Kubernetes, CloudFoundry, OpenShift, and similar projects. Binaries are small and available for all popular processor types (ARM, AMD64, i386) and operating systems (FreeBSD, Linux, macOS, Windows) without system dependencies (Java, Node, Ruby, libxml, ...).
Ory Kratos is an API-first Identity and User Management system that is built according to cloud architecture best practices. It implements core use cases that almost every software application needs to deal with: Self-service Login and Registration, Multi-Factor Authentication (MFA/2FA), Account Recovery and Verification, Profile, and Account Management.
Ory Hydra is an OpenID Certified™ OAuth2 and OpenID Connect Provider which easily connects to any existing identity system by writing a tiny "bridge" application. It gives absolute control over the user interface and user experience flows.
Ory Oathkeeper is a BeyondCorp/Zero Trust Identity & Access Proxy (IAP) with configurable authentication, authorization, and request mutation rules for your web services: Authenticate JWT, Access Tokens, API Keys, mTLS; Check if the contained subject is allowed to perform the request; Encode resulting content into custom headers (X-User-ID), JSON Web Tokens and more!
Ory Keto is a policy decision point. It uses a set of access control policies, similar to AWS IAM Policies, in order to determine whether a subject (user, application, service, car, ...) is authorized to perform a certain action on a resource.
The Ory Talos documentation lives at www.ory.com/docs/talos.
See CONTRIBUTING.md for information on:
- Contribution guidelines
- Prerequisites and development setup
- Running tests for OSS and commercial builds
- Generating protobuf, SQL, and SDK artifacts
- Building Docker images
Ory Talos handles credentials on the hot path: raw API keys, derived tokens, and signing keys. The implementation uses constant-time comparisons, centralized credential routing, and per-tenant network isolation. Read the security model and security hardening guide for the details on cryptography, tenant isolation, and operational hardening.
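Hashed storage with constant-time verification of raw API keys, as an added example illustrating the paragraph above; it is not the project's implementation. A key is issued as `tk_<keyID>_<secret>`, only a SHA-256 digest of the secret is stored, lookups route on the public key ID, and the digest comparison always runs (against a dummy digest when the ID is unknown) so that unknown IDs and wrong secrets take the same time. The key format, the in-memory store and the dummy digest are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// KeyRecord is what the server keeps: tenant, digest of the secret, and
// revocation state. The raw secret is shown once at issuance and never stored.
type KeyRecord struct {
	Tenant  string
	Digest  []byte
	Revoked bool
}

// Constructed in-memory store keyed by public key ID; a real deployment
// backs this with an external database plus a cache.
var store = map[string]*KeyRecord{}

// dummyDigest is compared against when the key ID is unknown, so the
// verification path does the same amount of work either way.
var dummyDigest = sha256.Sum256([]byte("constructed-dummy-secret"))

// Issue mints "tk_<keyID>_<secret>" with random ID and secret and stores only
// the digest. The secret is 256 bits of CSPRNG output, so a plain SHA-256
// (no salt or slow KDF) is sufficient: it cannot be brute-forced offline.
func Issue(tenant string) (string, error) {
	id := make([]byte, 8)
	sec := make([]byte, 32)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	if _, err := rand.Read(sec); err != nil {
		return "", err
	}
	keyID := hex.EncodeToString(id)
	secret := hex.EncodeToString(sec)
	sum := sha256.Sum256([]byte(secret))
	store[keyID] = &KeyRecord{Tenant: tenant, Digest: sum[:]}
	return "tk_" + keyID + "_" + secret, nil
}

// VerifyKey parses the key, routes on its ID, and compares digests in
// constant time. It returns the owning tenant on success.
func VerifyKey(raw string) (string, error) {
	parts := strings.SplitN(raw, "_", 3)
	if len(parts) != 3 || parts[0] != "tk" {
		return "", errors.New("malformed key")
	}
	rec, ok := store[parts[1]]
	target := dummyDigest[:]
	if ok {
		target = rec.Digest
	}
	sum := sha256.Sum256([]byte(parts[2]))
	match := subtle.ConstantTimeCompare(sum[:], target) == 1
	// One generic error for every failure mode: callers learn nothing about
	// whether the ID existed or the secret was close.
	if !ok || !match || rec.Revoked {
		return "", errors.New("invalid key")
	}
	return rec.Tenant, nil
}

// Revoke marks a key as revoked; verification keeps failing even though the
// digest still matches.
func Revoke(keyID string) {
	if r, ok := store[keyID]; ok {
		r.Revoked = true
	}
}

func main() {
	raw, err := Issue("acme")
	if err != nil {
		panic(err)
	}
	fmt.Println("issued:", raw)
	tenant, err := VerifyKey(raw)
	fmt.Println("tenant:", tenant, "err:", err)
}
```

Routing on the key ID keeps the database lookup a direct primary-key fetch (and cacheable), while the secret part never reaches storage or logs in the clear; the single generic error and the always-executed comparison are what keep the path constant-time from the caller's point of view.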
If you think you found a security vulnerability, please refrain from posting it publicly on the forums, the chat, or GitHub. You can find all info for responsible disclosure in our security.txt.
Our services collect summarized, anonymized data that can optionally be turned off. Click here to learn more.
Ory Community: