
Ory Talos Ships an API Key Server That Derives Short-Lived Tokens

Ory's open-source Talos server issues, verifies, and derives JWTs and macaroons from long-lived keys, aiming to eliminate the common pitfalls of API key management at scale.

Tags: ory, talos, api key management, go, developer tools, token derivation

Ory Talos tackles the worst API key anti-pattern: handing out long-lived keys that become a security nightmare when leaked. Instead of just storing and validating keys against a database, Talos derives short-lived JWT and macaroon tokens from those long-lived credentials—so agents, CI/CD jobs, and services never need to call the server on every request. The derived tokens verify offline, no database lookup required.

Token Derivation Keeps Long-Lived Keys Off the Hot Path

Talos issues, verifies, and revokes API keys at scale, but the real engineering win is the derivation step. You give a service a long-lived API key once; Talos mints a reduced-scope, time-limited JWT or macaroon that the service can cache and use for subsequent requests. If that short-lived token leaks, the blast radius is hours, not months. The server still handles issuance and revocation centrally, but the hot path—verification—moves to the client side.
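To make the derivation step concrete, here is an added Go example written for this page (not Talos's own code). A central issuer holds the long-lived API key records and an Ed25519 signing key, mints a reduced-scope JWT with a short expiry, and a gateway or side-car verifies that token with nothing but the public key. The `KeyServer`, `Derive` and `Verify` names, the claim set, and the sample key id `key-ci-1` are assumptions for illustration; Talos's real API and wire format are not shown on the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the derived token's payload (standard JWT names; the claim set Talos emits is assumed).
type Claims struct {
	Subject   string   `json:"sub"`
	Scope     []string `json:"scope"`
	ExpiresAt int64    `json:"exp"`
}

// LongLivedKey is the issuer's record for one API key (constructed sample shape).
type LongLivedKey struct {
	Scopes  []string
	Revoked bool
}

// KeyServer stands in for the central issuer; verifiers only ever need Pub.
type KeyServer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
	keys map[string]LongLivedKey
}

func NewKeyServer(keys map[string]LongLivedKey) (*KeyServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyServer{priv: priv, Pub: pub, keys: keys}, nil
}

func contains(set []string, s string) bool {
	for _, x := range set {
		if x == s {
			return true
		}
	}
	return false
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Derive mints a short-lived, reduced-scope JWT for an existing API key. The requested
// scope must be a subset of the key's own, so derivation attenuates and never escalates.
func (s *KeyServer) Derive(keyID string, scope []string, ttl time.Duration, now time.Time) (string, error) {
	k, ok := s.keys[keyID]
	if !ok || k.Revoked {
		return "", errors.New("unknown or revoked api key")
	}
	for _, sc := range scope {
		if !contains(k.Scopes, sc) {
			return "", fmt.Errorf("scope %q is not granted to key %s", sc, keyID)
		}
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(Claims{Subject: keyID, Scope: scope, ExpiresAt: now.Add(ttl).Unix()})
	input := b64(hdr) + "." + b64(body)
	return input + "." + b64(ed25519.Sign(s.priv, []byte(input))), nil
}

// Verify is the gateway / side-car half: signature, expiry and scope are checked offline with
// the public key only. The algorithm is fixed here, never read from the header "alg" field.
func Verify(pub ed25519.PublicKey, token, needScope string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if now.Unix() >= c.ExpiresAt {
		return nil, errors.New("token expired")
	}
	if !contains(c.Scope, needScope) {
		return nil, errors.New("insufficient scope")
	}
	return &c, nil
}

func main() {
	srv, _ := NewKeyServer(map[string]LongLivedKey{"key-ci-1": {Scopes: []string{"read", "write"}}})
	tok, _ := srv.Derive("key-ci-1", []string{"read"}, time.Hour, time.Now())
	_, err := Verify(srv.Pub, tok, "write", time.Now())
	fmt.Println("derived token:", tok)
	fmt.Println("write with a read-only derived token:", err)
}
```

Because `Verify` makes no round trip, a central revocation only becomes visible to a gateway once the derived tokens it already accepted have expired; the `ttl` handed to `Derive` is therefore the revocation lag you are choosing, which is what the "hours, not months" blast radius above amounts to.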

Side-Car Deployment and Caching for Low-Latency Verification

Talos runs as a single binary with three deployment modes: admin, self-service, or all-in-one. The side-car pattern is explicitly supported: deploy Talos alongside your application gateway and cache verified keys in memory or a distributed store. Revocation is therefore eventual but predictable. Structured logging, metrics, and tracing are baked in from day one. Databases include SQLite for single-node experiments, plus Postgres, MySQL, or CockroachDB for horizontal scaling with optional distributed caching.

Two Deployment Paths: Managed Edge or Self-Hosted with Enterprise Add-Ons

Ory offers Talos on the Ory Network as a managed global edge service, already integrated with Ory’s identity stack (Kratos, Hydra, Keto, Oathkeeper). For teams that need full control, the open-source distribution runs against an embedded SQLite database—fine for prototyping or low-traffic workloads. The Ory Enterprise License adds multi-node deployments, external databases, multi-tenancy, and distributed caching for production hot paths.

If you’ve ever dealt with API key sprawl—keys pasted into config files, tokens that never expire, revocations that take days to propagate—Talos’s derivation and side-car model is the pragmatic fix. Ory is betting that centralised key management with offline tokens is the right trade-off, and they’ve shipped the code to prove it.


Source: Show HN: Open-source API Key server written in Go by Ory
Domain: github.com
