
Is your identity infrastructure agent & machine ready? Scale, security, resiliency? Legacy API keys are permanent vulnerabilities. Ory Talos evolves API keys into modern, dynamic, secure, and revocable tokens for non-human identities.
AI identity security that scales for the agentic era
Ory Talos secures automated workflows by turning static API keys into short-lived capability tokens for service to service and agent to agent interactions. Using token derivation and macaroon delegation enforces strict least-privilege guardrails.
A really interesting journey for Lumin with Ory is that we've gone from that B2B SaaS, pretty standard kind of set up in the browser, to a full AI-enabled platform. And the complexity of those flows, we wouldn't have been able to build that without Ory.
Ory Talos securing API keys at a glance
Macaroon tokens
Enable organizations to scale automated workflows safely via ironclad, least-privilege guardrails that allow permissions to only be narrowed, never expanded.
IP whitelists and time-to-live (TTL)
Neutralize the threat of compromised credentials by ensuring stolen keys are immediately useless outside your network or past their strict time limit.
Scalability
As AI agents and API keys multiply, legacy IAM degrades. Ory's high-concurrency Go architecture eliminates these bottlenecks, providing the infrastructure that scaled OpenAI through massive global traffic.
Token derivation
Minimize the blast radius of credential leaks by eliminating static API keys and providing an instantly revocable hierarchy where invalidating a parent key immediately neutralizes all child tokens.
Token prefixes
Prevent costly data breaches by allowing automated scanners to instantly detect and neutralize leaked keys before they can be exploited.
Deployment freedom
SaaS, on-prem, or private cloud, Ory adapts as your needs change. Start deployment one way and transition seamlessly to another, backed by the same code underneath. Deploy your way.
Ory Talos FAQ
- Dynamic Least-Privilege - Ory Talos enables organizations to programmatically derive restricted, task-specific tokens from a parent identity, effectively neutralizing the risk of privilege escalation with AI agents and other non-human identities (NHIs).
- Decentralized Delegation - By utilizing Macaroon-based tokens, Ory Talos embeds complex security logic directly into the credential, ensuring that permissions can only be narrowed, never expanded, to maintain strict least-privilege as NHIs move across systems.
- Hardened Guardrails - By enforcing IP whitelisting, short-lived TTLs, and identifiable prefixes, Talos eliminates the "infinite life" vulnerability and simplifies the detection of leaked credentials.
- Agentic-Ready Scale - The high-concurrency Go architecture effortlessly handles the massive authentication throughput required when non-human identities outnumber humans 144:1.
- The first is support and use of Macaroon tokens. Few other vendors support this caveat-based approach to support an ever narrowing scope of permissions particularly for autonomous AI agents.
- The second is the use of token pre-fixes which help make tokens easily identifiable and scan-able in public repositories to find leaked keys.
- The third is Ory scalability. Ory was designed for high-concurrency and low memory footprints. As legacy IAMs are strained by traditional customer identities, AI agents promise to bring even greater demand and scale to degrade performance. Ory is the identity provider behind OpenAI’s 900m+ weekly active users.
- Beyond the capabilities written above, Ory provides you freedom and composability. Unlike with other vendors, you can take and use Ory Talos standalone within your IAM stack. You don’t have to use the entire Ory stack together. Use what you want, leave the rest.
- Another reason to choose Ory Talos is the freedom to choose your deployment model. Want an Ory managed SaaS? Want to self-host on prem or in a private cloud? You can do either… same code, same transparency, no lock-in.
Deploy Ory Talos on your preferred infrastructure
Deploy on any infrastructure and take full control over authentication and user workflows of your application.
Ready to try Ory Talos?
Get started with the guides and docs below
cfg := client.NewConfiguration()
cfg.Servers = client.ServerConfigurations{
{URL: talosURL},
}
c := client.NewAPIClient(cfg)
verifyResp, _, err := c.StaticCredentialsAPI.
AdminVerifyAPIKey(ctx).
V2alpha1VerifyAPIKeyRequest(client.V2alpha1VerifyAPIKeyRequest{
Credential: new(secret),
}).
Execute()
if err != nil {
return fmt.Errorf("verify key: %w", err)
}
if verifyResp.GetIsActive() {
fmt.Println("Key is valid, owner:", verifyResp.GetActorId())
} else {
fmt.Println("Key is invalid:", verifyResp.GetErrorMessage())
}








