Is your identity infrastructure agent & machine ready? Scale, security, resiliency? Legacy API keys are permanent vulnerabilities. Ory Talos evolves API keys into modern, dynamic, secure, and revocable tokens for non-human identities.
AI identity security that scales for the agentic era
Ory Talos secures automated workflows by turning static API keys into short-lived capability tokens for service to service and agent to agent interactions. Using token derivation and macaroon delegation enforces strict least-privilege guardrails.
Identification
Know exactly which app, microservice, or AI agent is calling.
Authentication
Verify keys in real-time with zero-latency checks and instant revocation.
Authorization
Enforce the principle of least privilege with fine-grained scopes.
A really interesting journey for Lumin with Ory is that we've gone from that B2B SaaS, pretty standard kind of set up in the browser, to a full AI-enabled platform. And the complexity of those flows, we wouldn't have been able to build that without Ory.
Ory Talos securing API keys at a glance
Macaroon tokens
Enable organizations to scale automated workflows safely via ironclad, least-privilege guardrails that allow permissions to only be narrowed, never expanded.
IP whitelists and time-to-live (TTL)
Neutralize the threat of compromised credentials by ensuring stolen keys are immediately useless outside your network or past their strict time limit.
Scalability
As AI agents and API keys multiply, legacy IAM degrades. Ory's high-concurrency Go architecture eliminates these bottlenecks, providing the infrastructure that scaled OpenAI through massive global traffic.
Token derivation
Minimize the blast radius of credential leaks by eliminating static API keys and providing an instantly revocable hierarchy where invalidating a parent key immediately neutralizes all child tokens.
Token prefixes
Prevent costly data breaches by allowing automated scanners to instantly detect and neutralize leaked keys before they can be exploited.
Deployment freedom
SaaS, on-prem, or private cloud, Ory adapts as your needs change. Start deployment one way and transition seamlessly to another, backed by the same code underneath. Deploy your way.
Ory Talos FAQ
Deploy Ory Talos on your preferred infrastructure
Deploy on any infrastructure and take full control over authentication and user workflows of your application.
Open Source deployment — Explore and experiment with a pruned version Ory Talos. Ideal for developers building proofs of concept, testing integrations, or learning how Ory identity flows work. 
Ory Enterprise License
OEL deployment — Run Ory Talos with enterprise-grade performance and support. Get optimized code, security updates, and compliance features for mission-critical identity workloads, on-premises or in your private cloud. 
Ory Network
Ory Network deployment — Use Talos-powered secure API keys service instantly, without managing infrastructure. Ory Network delivers global scale, built-in compliance, and the fastest path to secure identity.
Integrations
Ready to try Ory Talos?
Get started with the guides and docs below
verify.go
cfg := client.NewConfiguration()
cfg.Servers = client.ServerConfigurations{
{URL: talosURL},
}
c := client.NewAPIClient(cfg)
verifyResp, _, err := c.StaticCredentialsAPI.
AdminVerifyAPIKey(ctx).
V2alpha1VerifyAPIKeyRequest(client.V2alpha1VerifyAPIKeyRequest{
Credential: new(secret),
}).
Execute()
if err != nil {
return fmt.Errorf("verify key: %w", err)
}
if verifyResp.GetIsActive() {
fmt.Println("Key is valid, owner:", verifyResp.GetActorId())
} else {
fmt.Println("Key is invalid:", verifyResp.GetErrorMessage())
}
