API key management on Ory Network
API keys are long-lived credentials for services, agents, and other machine callers of your APIs. API key management on Ory Network — powered by the open-source Ory Talos API key management service — handles the full lifecycle of these credentials: issuing keys, verifying them at low latency, deriving short-lived tokens, and revoking access.
With API key management, you can:
- Issue and manage API keys for your own APIs and services, with the one-time secret shown only at creation.
- Import existing API keys from another system, individually or in batches, and manage them like native keys.
- Verify any key, individually or in batches, with one authenticated API call that returns the key's status and metadata.
- Derive short-lived JWT or macaroon tokens from long-lived keys and verify the JWTs locally against a published JWKS, without a round-trip.
- Let key holders revoke their own compromised keys through an unauthenticated proof-of-possession endpoint.
- Attach scopes, expiry times, IP CIDR restrictions, and rate-limit policies to every key, managed in the Ory Console.
To understand the credential model — issued keys, imported keys, and derived tokens — see credential types. For the trust boundaries and threat model, see the security model.
API key setup
New projects come with API key management ready to use: Ory generates the project's HMAC secret and JWT signing key when the project is created and applies the default configuration. Projects created before API key management launched instead show an Enable API Keys button on the API Keys → Keys page in the Ory Console. Selecting it runs the same one-time setup.
Plans and quotas
The number of active API keys, response caching, and server-side rate-limit enforcement depend on your subscription plan. Issuing a key beyond your plan's quota returns HTTP 402 with the reason API_KEY_QUOTA_EXCEEDED.
Next steps
- Follow the quickstart to create a project, issue an API key, and verify it.
- Learn how to configure API keys on Ory Network with the Ory Console or the Ory CLI.
- Explore the guides for issuing and verifying keys, importing existing keys, and deriving short-lived tokens.