2 comments
So this seems to be M2M tokens - what about the, arguably more common, use case of creating a short-lived or simply ephemeral token to allow an AI agent to use a service (e.g., GitHub) without the possibility of having it leak a valid upstream token in a commit message?

My solution to this particular problem is gh-proxy - but of course GitHub is only one of the 100s of services that one might want this for.

https://github.com/denysvitali/gh-proxy

Btw, I love Ory and I'm always amazed by your new releases!
Appreciate the love :)

For AI Agents we have added token derivation to Ory Talos which allows you to exchange a static API key for an ephemeral, short-lived, and restricted token. It can be both a JWT and a Macaroon (super interesting for caveats)!

However this would require GitHub to use Ory Talos and it's not a solution for third party credentials really.

So your project solves that need quite nicely, and I'll check it out in more detail today :)
We built Ory Talos (not to be confused with Talos Linux) to solve API keys (think OpenAI and Anthropic API keys) at scale and with the best practices around capabilities and security.

If you have any questions, please shoot :)