denysvitali 2 hours ago

So this seems to be M2M tokens - what about the, arguably more common, use case of creating a short-lived or simply ephemeral token to allow an AI agent to use a service (e.g., GitHub) without the possibility to have it leak a valid upstream token in a commit message?

My solution to this particular problem is gh-proxy - but of course GitHub is only one of the 100s of services that one might want this for.

https://github.com/denysvitali/gh-proxy

Btw, I love Ory and I'm always amazed by your new releases!

  • aeneas_ory 2 hours ago

    Appreciate the love :)

    For AI Agents we have added token derivation to Ory Talos, which allows you to exchange a static API key for an ephemeral, short-lived, and restricted token. It can be both a JWT and a Macaroon (super interesting for caveats)!

    However, this would require GitHub to use Ory Talos and it's not a solution for third party credentials really.

    So your project solves that need quite nicely, and I'll check it out in more detail today :)

aeneas_ory 2 hours ago

We built Ory Talos (not to be confused with Talos Linux) to solve API keys (think OpenAI and Anthropic API keys) at scale and with the best practices around capabilities and security.

If you have any questions, please shoot :)