talos
Web-scale and security-hardened API key server for users, services, machine-to-machine clients, and AI agents. Token derivation brings fine-grained capability tokens that avoid common API key pitfalls. Apache 2 open source for indie deployments; commercial licensing for scalable and highly available (HA) deployments.
A fast, self-hosted API key management server that creates, validates, and revokes keys, with a token derivation feature that generates short-lived, permission-limited tokens from long-lived keys.
Ory Talos is a server for managing API keys: creating them, checking that incoming ones are valid, and revoking them when needed. It is designed for applications that receive a large number of requests and need to verify credentials quickly without adding significant delay. The project comes from Ory, the company behind several open-source identity and security tools.
The central feature that sets it apart from simpler API key systems is token derivation. A long-lived API key can be used to generate short-lived, narrower tokens that allow only a specific subset of actions. An AI agent, a build pipeline, or a background service can hold one of these derived tokens and use it without contacting the key server on every request, because the token carries enough information for the receiving service to verify it offline. This also means that if a derived token is leaked, the damage is limited by its short lifespan and restricted permissions.
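To make the derivation idea concrete, here is an added, self-contained illustration of the pattern the paragraph describes; it is not Talos's code, and its token format, field names (`kid`, `scp`, `exp`), `APIKey`/`Issuer` types and scope strings are all assumptions made for the example. The key server (the only holder of an Ed25519 signing key) mints a token that carries a subset of the parent key's scopes plus an expiry; any service holding just the public key can check signature, expiry and scope offline. Derivation is attenuation-only: requesting a scope the parent key does not have is refused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// APIKey is the long-lived credential as the issuer sees it: an identifier and
// the full set of actions it may perform. (Hypothetical model for this example.)
type APIKey struct {
	ID     string
	Scopes []string
}

// DerivedToken is the payload carried by a short-lived token. It holds everything
// a verifier needs, so no call back to the issuer is required per request.
type DerivedToken struct {
	ParentKeyID string   `json:"kid"`
	Scopes      []string `json:"scp"`
	ExpiresAt   int64    `json:"exp"` // Unix seconds
}

// Issuer is the key-server side and the only party holding the signing key.
type Issuer struct{ priv ed25519.PrivateKey }

// NewIssuer generates a signing key pair; the public half is what verifiers get.
func NewIssuer() (*Issuer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Issuer{priv: priv}, pub, nil
}

// Derive mints a short-lived token from a long-lived key. Requested scopes must
// be a subset of the parent's: derivation can only narrow, never widen.
func (is *Issuer) Derive(parent APIKey, scopes []string, ttl time.Duration, now time.Time) (string, error) {
	if !subset(scopes, parent.Scopes) {
		return "", errors.New("derived scopes exceed parent key scopes")
	}
	body, err := json.Marshal(DerivedToken{ParentKeyID: parent.ID, Scopes: scopes, ExpiresAt: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(is.priv, body)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(sig), nil
}

// Verify is what a resource server runs per request with only the public key:
// signature before anything is interpreted, then expiry, then scope.
func Verify(pub ed25519.PublicKey, token, action string, now time.Time) (*DerivedToken, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	body, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed token payload")
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil || len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("invalid signature")
	}
	var tok DerivedToken
	if err := json.Unmarshal(body, &tok); err != nil {
		return nil, errors.New("malformed token payload")
	}
	if now.Unix() >= tok.ExpiresAt {
		return nil, errors.New("token expired")
	}
	if !contains(tok.Scopes, action) {
		return nil, fmt.Errorf("action %q not permitted by token scope", action)
	}
	return &tok, nil
}

func contains(set []string, s string) bool {
	for _, v := range set {
		if v == s {
			return true
		}
	}
	return false
}

func subset(sub, super []string) bool {
	for _, s := range sub {
		if !contains(super, s) {
			return false
		}
	}
	return true
}

func main() {
	issuer, pub, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed sample: a long-lived key that may read and write; a CI job
	// gets a five-minute read-only token derived from it.
	parent := APIKey{ID: "key_example", Scopes: []string{"repo:read", "repo:write"}}
	tok, _ := issuer.Derive(parent, []string{"repo:read"}, 5*time.Minute, now)
	_, err = Verify(pub, tok, "repo:read", now.Add(time.Minute))
	fmt.Println("read within lifetime:", err)
	_, err = Verify(pub, tok, "repo:write", now.Add(time.Minute))
	fmt.Println("write with read-only token:", err)
	_, err = Verify(pub, tok, "repo:read", now.Add(10*time.Minute))
	fmt.Println("read after expiry:", err)
}
```

The verifier never contacts the issuer, which is the property that lets agents and pipelines hold such tokens cheaply; the trade-off is that a derived token cannot be revoked early without a revocation list or a very short lifetime, which is why the TTL is kept to minutes.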
Talos runs as a single binary with a choice of deployment modes: an admin-only surface for managing keys, a self-service surface where end users can manage their own credentials, or a combined mode. It scales horizontally using standard databases like PostgreSQL, MySQL, and CockroachDB, and optionally uses distributed caching to reduce database load during high-traffic verification.
For smaller projects, it can run against an embedded SQLite database with no external dependencies. Larger or business-critical deployments are expected to use a commercial license, which enables high-availability configurations. A managed hosted version is also available through Ory's own network.
The project is written in Go and licensed under Apache 2.0 for self-hosted use. It fits into Ory's broader ecosystem of identity tools including their login, OAuth2, and permissions servers.
Where it fits
- Add API key authentication to your app without building key storage and validation from scratch
- Issue short-lived derived tokens to AI agents or CI pipelines so a leaked token expires quickly and has limited permissions
- Scale credential verification horizontally across servers using PostgreSQL and distributed caching
- Run a self-hosted API key service for small projects using embedded SQLite with no external dependencies