
Credential types

Talos manages four credential types.

Issued API keys

Generated by Talos in the format prefix_v1_identifier_checksum. Long-lived, with a configurable TTL. The key ID (a UUID) is embedded in the token as the identifier, so a presented key is looked up directly by ID. The full secret is returned only once, at creation.

Lifecycle: Issue, rotate, update metadata, revoke.

Imported API keys

External credentials (Stripe, GitHub, etc.) that Talos stores only by hash. Any string format is accepted. Talos stores SHA-512/256(network_id + 0x00 + raw_key) and never the raw key; the 0x00 byte separates the network ID from the key, so the stored digest is bound to the network the key was imported under. Imported keys support the same metadata and scopes as issued keys.

Lifecycle: Import, update metadata, revoke, delete.

Derived JWTs

Short-lived tokens derived from a parent API key. The signing algorithm (EdDSA or RS256) is given by the alg field of the signing JWK, and the public keys are published at the JWKS endpoint (GET /v2alpha1/admin/derivedKeys/jwks.json), so a derived JWT can be verified by any party without calling Talos. Claims include key_id, actor_id, scopes, and expiration.
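As an added example, not Talos code, the Go program below shows the independent verification described above for the EdDSA case: it publishes an Ed25519 public key in JWKS form, mints a token carrying the key_id, actor_id, scopes and exp claims, and verifies it offline against the JWKS document. The JWK field names (kty, crv, alg, kid, x), the kid value and the JSON encoding of the claims are assumptions; the page only fixes the claim names and that alg lives in the JWK. The verifier takes the algorithm from the JWK selected by kid and rejects any token header that disagrees, which is what closes the alg=none and algorithm-confusion class of JWT bugs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JWK/JWKS field names follow RFC 7517/8037 (assumed); the page only says alg is in the JWK.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	X   string `json:"x"` // base64url(raw 32-byte Ed25519 public key)
}

type JWKS struct {
	Keys []JWK `json:"keys"`
}

// Claim names are the ones the page lists; their JSON encoding is assumed.
type Claims struct {
	KeyID   string   `json:"key_id"`
	ActorID string   `json:"actor_id"`
	Scopes  []string `json:"scopes"`
	Exp     int64    `json:"exp"`
}

var b64 = base64.RawURLEncoding

// MintEdDSA is the issuer side: base64url(header).base64url(payload) signed with Ed25519.
func MintEdDSA(priv ed25519.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// JWKSFor publishes the public half the way a JWKS endpoint would.
func JWKSFor(pub ed25519.PublicKey, kid string) JWKS {
	return JWKS{Keys: []JWK{{Kty: "OKP", Crv: "Ed25519", Alg: "EdDSA", Kid: kid, X: b64.EncodeToString(pub)}}}
}

// VerifyEdDSA checks a derived JWT offline against a JWKS document. The algorithm
// comes from the JWK selected by kid; a header that disagrees is rejected, so a
// token cannot downgrade itself to "none" or to another algorithm.
func VerifyEdDSA(token string, jwks JWKS, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrRaw, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return c, err
	}
	var key *JWK
	for i := range jwks.Keys {
		if jwks.Keys[i].Kid == hdr.Kid {
			key = &jwks.Keys[i]
		}
	}
	if key == nil {
		return c, errors.New("unknown kid")
	}
	if key.Alg != "EdDSA" || key.Kty != "OKP" || key.Crv != "Ed25519" || hdr.Alg != key.Alg {
		return c, fmt.Errorf("algorithm mismatch: header %q, jwk %q", hdr.Alg, key.Alg)
	}
	pub, err := b64.DecodeString(key.X)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return c, errors.New("bad public key in JWK")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(ed25519.PublicKey(pub), []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("signature invalid")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return c, err
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) { // missing exp is treated as expired
		return c, errors.New("token expired")
	}
	return c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	kid := "demo-kid" // constructed value
	jwks := JWKSFor(pub, kid)
	tok := MintEdDSA(priv, kid, Claims{KeyID: "constructed-key-id", ActorID: "constructed-actor",
		Scopes: []string{"read"}, Exp: time.Now().Add(5 * time.Minute).Unix()})
	fmt.Println(VerifyEdDSA(tok, jwks, time.Now()))
}
```

Against the real endpoint you would fetch GET /v2alpha1/admin/derivedKeys/jwks.json, unmarshal it into JWKS and pass it to VerifyEdDSA; RS256 keys in the same document need an RSA branch that this example deliberately leaves out, keyed on the JWK's alg in the same way.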

Derived macaroons

Short-lived tokens protected by an HMAC binding. Format: prefix_v1_base64data. They support scope restriction and contextual attenuation (narrowing what an existing token may do).
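The page does not specify the macaroon's internal layout, so the Go program below, added here as an illustration and not Talos's implementation, uses the standard macaroon construction behind "HMAC binding" and "attenuation": the tag is a chain of HMACs, sig0 = HMAC(root_key, id) and sig_n = HMAC(sig_(n-1), caveat_n). The prefix mac_v1_, the JSON body, the caveat syntax (scope=…, exp=…) and the root key are all assumptions. What it demonstrates is the property that matters: any holder can add a restriction without the root key, but nobody can remove one, because the earlier tag is not recoverable from the later one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Prefix and body layout are assumptions; the page fixes only "prefix_v1_base64data".
const macaroonPrefix = "mac_v1_"

type Macaroon struct {
	ID      string   `json:"id"`      // names the root secret (e.g. the parent API key)
	Caveats []string `json:"caveats"` // appended in order: "scope=a,b", "exp=<unix>"
	Sig     []byte   `json:"sig"`     // HMAC chain tag over ID and every caveat
}

func mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// Mint binds a fresh macaroon to rootKey: sig0 = HMAC(rootKey, id).
func Mint(rootKey []byte, id string) Macaroon {
	return Macaroon{ID: id, Sig: mac(rootKey, []byte(id))}
}

// Attenuate adds a caveat without rootKey: sig_n = HMAC(sig_{n-1}, caveat).
func Attenuate(m Macaroon, caveat string) Macaroon {
	caveats := append(append([]string{}, m.Caveats...), caveat)
	return Macaroon{ID: m.ID, Caveats: caveats, Sig: mac(m.Sig, []byte(caveat))}
}

func Encode(m Macaroon) string {
	b, _ := json.Marshal(m)
	return macaroonPrefix + base64.RawURLEncoding.EncodeToString(b)
}

func Decode(s string) (m Macaroon, err error) {
	if !strings.HasPrefix(s, macaroonPrefix) {
		return m, errors.New("not a macaroon")
	}
	b, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(s, macaroonPrefix))
	if err == nil {
		err = json.Unmarshal(b, &m)
	}
	return m, err
}

// Context is what the verifier knows about the request being authorized.
type Context struct {
	Scope string    // scope the caller is trying to exercise
	Now   time.Time // verification time, checked against exp caveats
}

// Verify recomputes the chain from rootKey (only the issuer can), compares it in
// constant time, then checks every caveat against ctx. Unknown caveats fail closed.
func Verify(rootKey []byte, token string, ctx Context) error {
	m, err := Decode(token)
	if err != nil {
		return err
	}
	sig := mac(rootKey, []byte(m.ID))
	for _, c := range m.Caveats {
		sig = mac(sig, []byte(c))
	}
	if subtle.ConstantTimeCompare(sig, m.Sig) != 1 {
		return errors.New("signature invalid")
	}
	for _, c := range m.Caveats {
		k, v, _ := strings.Cut(c, "=")
		switch k {
		case "scope": // several scope caveats intersect: each must admit ctx.Scope
			if !strings.Contains(","+v+",", ","+ctx.Scope+",") {
				return fmt.Errorf("scope %q not permitted by caveat %q", ctx.Scope, c)
			}
		case "exp":
			exp, err := strconv.ParseInt(v, 10, 64)
			if err != nil || !ctx.Now.Before(time.Unix(exp, 0)) {
				return fmt.Errorf("expired or malformed caveat %q", c)
			}
		default:
			return fmt.Errorf("unknown caveat %q", c)
		}
	}
	return nil
}

func main() {
	root := []byte("constructed-root-secret") // a real root key is random and per parent key
	m := Attenuate(Attenuate(Mint(root, "key-42"), "scope=read,write"), "exp=1700000600")
	tok := Encode(m)
	fmt.Println(tok)
	fmt.Println(Verify(root, tok, Context{Scope: "read", Now: time.Unix(1700000000, 0)}))
}
```

Two design points worth keeping even if the layout differs: the tag comparison is constant-time, and a caveat the verifier does not understand is a hard failure rather than being ignored, since silently skipping it would widen the token.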

Credential routing

When a credential is submitted to /v2alpha1/admin/apiKeys:verify, Talos identifies the type automatically by its format and routes it to the appropriate verification handler. See the credential routing table for the full format-to-type mapping and lookup methods.
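Putting the two rules on this page together, the imported-key digest from "Imported API keys" and the format-based dispatch described here, the Go code below is an added example and not Talos's router. The prefixes tk and mac, the UUID check and the Route struct are assumptions standing in for the routing table this page only references; the digest SHA-512/256(network_id + 0x00 + raw_key) is the formula the page states. The router classifies by shape only and hands back the lookup handle a handler would need: the UUID for an issued key, the digest for an imported key.

```go
package main

import (
	"crypto/sha512"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Prefixes are placeholders; the real values live in the routing table this page references.
const (
	issuedPrefix   = "tk"
	macaroonPrefix = "mac"
)

type CredentialType string

const (
	Issued   CredentialType = "issued_api_key"
	Imported CredentialType = "imported_api_key"
	JWT      CredentialType = "derived_jwt"
	Macaroon CredentialType = "derived_macaroon"
)

// Route is what the verify endpoint hands to the type-specific handler.
type Route struct {
	Type   CredentialType
	Lookup string // UUID key ID for issued keys, hex digest for imported keys, "" otherwise
}

var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

// ImportedKeyDigest computes SHA-512/256(network_id || 0x00 || raw_key). The 0x00
// separator keeps ("net1","0abc") and ("net10","abc") from hashing to the same value,
// so a key imported under one network cannot be matched from another.
func ImportedKeyDigest(networkID, rawKey string) string {
	msg := make([]byte, 0, len(networkID)+1+len(rawKey))
	msg = append(msg, networkID...)
	msg = append(msg, 0x00)
	msg = append(msg, rawKey...)
	sum := sha512.Sum512_256(msg)
	return hex.EncodeToString(sum[:])
}

// looksLikeJWT accepts three base64url segments whose first decodes to a JSON header with alg.
func looksLikeJWT(s string) bool {
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return false
	}
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return false
	}
	var h struct{ Alg string }
	return json.Unmarshal(hdr, &h) == nil && h.Alg != ""
}

// RouteCredential classifies a submitted credential by format only. It touches
// no database and makes no trust decision; the handler it routes to does that.
func RouteCredential(networkID, cred string) (Route, error) {
	switch {
	case strings.HasPrefix(cred, issuedPrefix+"_v1_"):
		parts := strings.Split(cred, "_") // prefix, v1, identifier, checksum
		if len(parts) != 4 || !uuidRe.MatchString(parts[2]) || parts[3] == "" {
			return Route{}, fmt.Errorf("issued-key prefix with malformed body")
		}
		return Route{Type: Issued, Lookup: parts[2]}, nil
	case strings.HasPrefix(cred, macaroonPrefix+"_v1_"):
		data := strings.TrimPrefix(cred, macaroonPrefix+"_v1_")
		if _, err := base64.RawURLEncoding.DecodeString(data); err != nil {
			return Route{}, fmt.Errorf("macaroon prefix with undecodable body: %w", err)
		}
		return Route{Type: Macaroon}, nil
	case looksLikeJWT(cred):
		return Route{Type: JWT}, nil
	case cred == "":
		return Route{}, fmt.Errorf("empty credential")
	default:
		// Any other string is treated as an imported key and looked up by digest.
		return Route{Type: Imported, Lookup: ImportedKeyDigest(networkID, cred)}, nil
	}
}

func main() {
	for _, c := range []string{
		"tk_v1_123e4567-e89b-12d3-a456-426614174000_9f2a", // constructed issued-key shape
		"sk_live_constructed_not_a_real_stripe_key",       // constructed imported key
	} {
		fmt.Println(RouteCredential("net-1", c))
	}
}
```

One caveat this makes visible: because routing is by format, an external credential that is itself a JWT would be classified as a derived JWT by this example and never reach the imported-key lookup. Whether Talos orders its checks the same way is a question for the routing table, not something this page states, so check the precedence there before importing JWT-shaped third-party keys.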