Get started with API keys on Ory Network

This quickstart takes you from an empty Ory Network project to issuing, verifying, and revoking an API key — using the Ory Console and curl. No installation, database, or configuration file is required.

Create a project

Sign up at console.ory.com/registration and create a free project, or use the Ory CLI:

ory create project --name "API keys demo"

Note the project slug — your project's API endpoint is https://<project-slug>.projects.oryapis.com.

Open API keys in the Console

Go to API Keys → Keys in the Ory Console. New projects come with API key management ready to use: Ory generates the project's HMAC secret and JWT signing key at project creation and applies the defaults — key prefix ory_ak, default key lifetime of 168 hours, and a maximum lifetime of 17520 hours.

If your project was created before API key management launched, the page shows Enable API Keys instead. Select it to run the same one-time setup.

Get an admin credential

Two kinds of keys

The keys you manage in the API Keys section are your product's API keys — credentials you issue to your own users and services, with the ory_ak_ prefix. To call the management API itself, you need an Ory Network project API key with the ory_pat_ prefix. Create one under Project settings → API Keys at console.ory.com/projects/current/developers.

Export your project slug and project API key:

export PROJECT_SLUG=<your-project-slug>
export ORY_PAT=ory_pat_...

Issue an API key

In the Console, go to API Keys → Keys and select Issue new key: set a name and an optional expiry, then copy the secret from the dialog — it is shown only once and starts with ory_ak_.

Or issue a key with the API:

curl -X POST "https://$PROJECT_SLUG.projects.oryapis.com/v2alpha1/admin/issuedApiKeys" \
-H "Authorization: Bearer $ORY_PAT" \
-H "Content-Type: application/json" \
-d '{"name": "my-first-key"}'

The response returns HTTP 201 with the one-time secret and the key's ID in issued_api_key.key_id. Export both for the next steps:

export API_KEY=ory_ak_...
export KEY_ID=<key_id from the response>

Verify the key

In the Console, go to API Keys → Playground and paste the secret. Or verify with the API:

curl -X POST "https://$PROJECT_SLUG.projects.oryapis.com/v2alpha1/admin/apiKeys:verify" \
-H "Authorization: Bearer $ORY_PAT" \
-H "Content-Type: application/json" \
-d '{"credential": "'"$API_KEY"'"}'

The response contains "is_valid": true. Verification is an authenticated admin call on Ory Network: it confirms whether a credential is valid and returns its metadata, so it requires the project API key like every other /admin/ endpoint.

Revoke and re-verify

Revoke the key from its row menu in API Keys → Keys, or with the API:

curl -X POST "https://$PROJECT_SLUG.projects.oryapis.com/v2alpha1/admin/issuedApiKeys/$KEY_ID:revoke" \
-H "Authorization: Bearer $ORY_PAT"

The call returns HTTP 204. Run the verify request again: the response now contains "is_valid": false and an error_code.

Key holders can also revoke their own key without a project API key by proving possession of the secret — see self-revocation.
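
A fail-closed wrapper around the verify call shown above, as an added example that is not Ory's own code: only a 2xx response whose is_valid is the JSON boolean true counts as valid, and a revoked key, an error status, a malformed body or an unreachable endpoint all deny. The function names, the reason strings and the 2xx check are assumptions of this example; the endpoint, the request body, is_valid and error_code come from the steps above.

```python
import json
import urllib.error
import urllib.request

KEY_PREFIX = "ory_ak_"  # default prefix from this page; adjust if the project changed it


def decide(status, body):
    """Map a verify response to (allowed, reason); deny on anything unexpected."""
    if not 200 <= status < 300:
        return False, f"http_{status}"
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return False, "malformed_response"
    if not isinstance(doc, dict):
        return False, "malformed_response"
    # Only the JSON boolean true counts; "true", 1 or a missing field do not.
    if doc.get("is_valid") is True:
        return True, "ok"
    return False, str(doc.get("error_code", "invalid"))


def verify_api_key(credential, project_slug, project_api_key, timeout=5):
    """POST the credential to apiKeys:verify and return (allowed, reason)."""
    # Local pre-filter: never forward credentials that are not product keys
    # (for example a project API key with the ory_pat_ prefix).
    if not isinstance(credential, str) or not credential.startswith(KEY_PREFIX):
        return False, "wrong_prefix"
    req = urllib.request.Request(
        f"https://{project_slug}.projects.oryapis.com/v2alpha1/admin/apiKeys:verify",
        data=json.dumps({"credential": credential}).encode(),
        headers={"Authorization": f"Bearer {project_api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return decide(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return decide(err.code, err.read())
    except OSError:  # DNS failure, refused connection, timeout
        return False, "verify_unreachable"


if __name__ == "__main__":
    # Constructed response bodies, not captured from a real project.
    print(decide(200, b'{"is_valid": true}'))
    print(decide(200, b'{"is_valid": false, "error_code": "CONSTRUCTED_CODE"}'))
```

Log the returned reason on denials so revoked or expired keys that are still being presented show up in monitoring.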

Next steps

Note: Issuing keys beyond your plan's quota returns HTTP 402 with the reason API_KEY_QUOTA_EXCEEDED. Quotas depend on your subscription plan.