🔥 Open Source · Apache 2.0 · By Ory Corp

The API Key Server Built for High-Throughput Systems

Ory Talos is an open-source API key server designed to issue, verify, revoke, and manage millions of API keys at scale — with token derivation for fine-grained capability tokens. Self-host with Docker Compose or go enterprise for managed HA.

Why Ory Talos?

Purpose-built for engineering teams that need bulletproof API key management without the overhead of a full gateway.

Issue & Verify at Scale

Create and validate API keys with sub-millisecond latency. Ory Talos handles millions of keys and billions of verifications per day on modest hardware.

Token Derivation

Derive cryptographically scoped capability tokens from any master key — each with its own permissions, TTL, and resource scopes — without exposing the parent key.

Revoke & Rotate

Instantly revoke any key, token, or entire namespace. Support for key rotation, expiration policies, and automated cleanup of stale credentials.

Audit & Observability

Built-in audit logging tracks every key operation. Export metrics to Prometheus and integrate with your existing observability stack.

Self-Hosted (Apache 2.0)

Deploy via Docker Compose on your own infrastructure. No vendor lock-in, no hidden costs. Full control over your data and keys.

Enterprise HA

Enterprise license covers managed high-availability deployments with clustering, failover, and dedicated support from the Ory team.

Ory Talos vs. The Alternatives

See how Ory Talos stacks up against AWS API Gateway, Kong, and rolling your own solution.

| Feature | Ory Talos | AWS API Gateway | Kong | Custom Built |
|---|---|---|---|---|
| Dedicated API Key Server | ✓ Purpose-built | ✗ Gateway add-on | ✗ Plugin-based | ✗ Must build |
| Token Derivation | ✓ Cryptographic scoping | ✗ Not available | ✗ Not available | ✗ Requires crypto expertise |
| Self-Hosted (Apache 2.0) | ✓ Yes, Docker Compose | ✗ Vendor lock-in | ✓ OSS available | ✓ Full control |
| Key Revocation at Scale | ✓ Instant, bulk, namespaced | ✗ Limited per-key only | ✗ Requires plugin config | ✗ Must build |
| Audit Logging | ✓ Built-in | ✓ CloudTrail | ✓ Enterprise | ✗ Must build |
| Cost at 1B requests/mo | ✓ Minimal (self-host) | ✗ ~$3500+ | ✓ Moderate | ✗ High dev cost |
| Managed HA Available | ✓ Enterprise license | ✓ AWS-managed | ✓ Konnect | ✗ Must operate |

Ready to Take Control of Your API Keys?

Join teams that manage billions of API key verifications per day with Ory Talos. Start with the open-source version or talk to us about enterprise.

Frequently Asked Questions

Everything you need to know about Ory Talos.

What is Ory Talos and how does it work?
Ory Talos is an open-source API key server that provides a central service for issuing, verifying, and revoking API keys. It uses cryptographic token derivation to create scoped capability tokens. The server exposes a REST API and gRPC endpoints, making it easy to integrate into any microservices architecture. It stores key metadata in a database while keeping key secrets cryptographically protected.

How does Ory Talos compare to using AWS API Gateway?
While AWS API Gateway can manage API keys as part of its gateway functionality, it is not a dedicated API key server. AWS API Gateway charges per API call, which becomes expensive at high volumes. Ory Talos is purpose-built for key management — offering token derivation, bulk revocation, namespaced key management, and audit logging — and can be self-hosted for a fraction of the cost. It also avoids vendor lock-in.

How does Ory Talos compare to Kong?
Kong is an API gateway that offers key authentication as a plugin. Ory Talos is a dedicated API key server that provides deeper key management capabilities including cryptographic token derivation, audit logging, and fine-grained revocation. While Kong is a great gateway, Ory Talos excels as a standalone key management system that can complement any gateway or work independently.

What is token derivation in Ory Talos?
Token derivation allows you to create cryptographically derived capability tokens from a parent API key without exposing the parent key itself. Each derived token can have its own set of permissions, time-to-live, and resource scopes. This is ideal for microservices where a downstream service needs limited access — you derive a scoped token for that service without sharing the master key.

Can I self-host Ory Talos and what are the requirements?
Yes, Ory Talos is available under the Apache 2.0 license and can be self-hosted using Docker Compose. It requires a PostgreSQL database and can run on any Linux server. No external dependencies are needed for core functionality. The enterprise edition adds clustering, high availability, and managed support from the Ory team. Visit the GitHub repo for quickstart instructions.