API key management on Ory Network
API keys are long-lived credentials for services, agents, and other machine callers of your APIs. API key management on Ory Network — powered by the open-source Ory Talos API key management service — handles the full lifecycle of these credentials: issuing keys, verifying them at low latency, deriving short-lived tokens, and revoking access.
With API key management, you can:
- Issue and manage API keys for your own APIs and services, with the one-time secret shown only at creation.
- Import existing API keys from another system, individually or in batches, and manage them like native keys.
- Verify any key — single or in batches — with one authenticated API call that returns the key's status and metadata.
- Derive short-lived JWT or macaroon tokens from long-lived keys and verify the JWTs locally against a published JWKS, without a round-trip.
- Let key holders revoke their own compromised keys through an unauthenticated proof-of-possession endpoint.
- Attach scopes, expiry times, IP CIDR restrictions, and rate-limit policies to every key, managed in the Ory Console.
To understand the credential model — issued keys, imported keys, and derived tokens — see credential types. For the trust boundaries and threat model, see the security model.
Enable API keys in your project
API key management starts deactivated in every project. Open the API Keys → Keys page in the Ory Console and select Enable API Keys. This one-time step generates the project's HMAC secret and JWT signing key and applies the default configuration.
Plans and quotas
The number of active API keys, response caching, and server-side rate-limit enforcement depend on your subscription plan. Issuing a key beyond your plan's quota returns HTTP 402 with the reason API_KEY_QUOTA_EXCEEDED.
Next steps
- Follow the quickstart to create a project, issue an API key, and verify it.
- Learn how to configure API keys on Ory Network with the Ory Console or the Ory CLI.
- Explore the guides for issuing and verifying keys, importing existing keys, and deriving short-lived tokens.