# ory-copilot
@chilly-king-10285 I couldn't understand the difference between ory/Oathkeeper and ory/Keto. Also, I didn't understand why ory/Keto had this warning:

> The APIs of Ory open-source Servers don't come with integrated access control. This means that all requests sent to their APIs are considered authenticated, authorized, and will be executed. Leaving the APIs in this state can lead to severe security risks.
>
> When deploying Ory open-source Servers, protect access to their APIs using Ory Oathkeeper or a comparable API Gateway.

Because I thought Keto was an authentication server?
A message from kapa.ai
Ory Oathkeeper and Ory Keto are two different components of the Ory ecosystem, each serving a distinct purpose.

Ory Oathkeeper is an Identity and Access Proxy (IAP) that authorizes incoming HTTP requests. It can act as a Policy Enforcement Point in your cloud architecture, serving as a reverse proxy in front of your upstream API or web server. It rejects unauthorized requests and forwards authorized ones to your server. It can also plug into other API Gateways and act as a Policy Decision Point. Ory Oathkeeper can be used standalone and alongside other stacks with adjacent problem domains. It doesn't have any dependencies on other services and doesn't require a database or any other type of persistent storage ([source](https://www.ory.sh/docs/oathkeeper)).

On the other hand, Ory Keto is an access control server. It doesn't handle authentication but rather focuses on authorization, specifically, what resources a user (or another entity) is allowed to access once they have been authenticated ([source](https://www.ory.sh/docs/ecosystem/projects)).

The warning you mentioned is highlighting the fact that the APIs of Ory open-source servers, including Ory Keto, do not come with integrated access control. This means that all requests sent to their APIs are considered authenticated and authorized, and will be executed. This could lead to severe security risks if the APIs are left unprotected. Therefore, it's recommended to protect access to their APIs using Ory Oathkeeper or a comparable API Gateway. This is because Ory Oathkeeper can act as a firewall in front of your services, rejecting unauthorized requests and forwarding authorized ones ([source](https://www.ory.sh/docs/ecosystem/projects#ory-oathkeeper)).
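As an added example (not part of the thread and not taken from the Ory docs), here is an Oathkeeper access-rules file that turns the warning into an actual deployment: Keto's write API is only reachable through Oathkeeper, which authenticates each request before forwarding it. The hostnames `keto` and `oathkeeper`, the `keto.write` scope and the `/admin/relation-tuples` path prefix are assumptions for the example; the ports 4467 (Keto write API) and 4455 (Oathkeeper proxy) are the projects' defaults.

```yaml
# Added example, not from the thread or the Ory docs.
# Assumed topology: Keto's write API listens on http://keto:4467 (its default
# port) on an internal network, and clients reach it only through Oathkeeper's
# proxy at http://oathkeeper:4455 (its default proxy port). The path prefix
# /admin/relation-tuples and the scope name "keto.write" are assumptions.
#
# Deploy only ONE of the two rules below: Oathkeeper rejects a request that is
# matched by more than one rule. The first rule exists to show what the
# "unprotected" state from the warning looks like when written as a rule.

# BEFORE: equivalent to exposing Keto's API directly. The "anonymous"
# authenticator accepts every request and "allow" authorizes all of them, so
# anyone who can reach the proxy can create, change or delete relation tuples,
# i.e. rewrite the permission data every other service relies on.
- id: "keto-write:unprotected"
  upstream:
    url: "http://keto:4467"
  match:
    url: "http://oathkeeper:4455/admin/relation-tuples<.*>"
    methods: ["PUT", "PATCH", "DELETE"]
  authenticators:
    - handler: anonymous
  authorizer:
    handler: allow
  mutators:
    - handler: noop

# AFTER: the same route, but the request must carry a JWT that validates
# against the JWKS configured for the "jwt" authenticator (global Oathkeeper
# config), and its scope must include "keto.write". A request that fails
# either check is rejected by the proxy and never reaches Keto.
- id: "keto-write:protected"
  upstream:
    url: "http://keto:4467"
  match:
    url: "http://oathkeeper:4455/admin/relation-tuples<.*>"
    methods: ["PUT", "PATCH", "DELETE"]
  authenticators:
    - handler: jwt
      config:
        required_scope: ["keto.write"]
  authorizer:
    handler: allow
  mutators:
    - handler: noop
  errors:
    - handler: json
```

For the second rule to work, the handlers it references must be enabled in Oathkeeper's own configuration (`authenticators.jwt.enabled: true` with `jwks_urls` pointing at your token issuer's key set, plus `authorizers.allow.enabled` and `mutators.noop.enabled`). The rule only helps if Keto's port 4467 is not reachable from outside the internal network; Oathkeeper enforces the check on traffic that passes through it, so network exposure of the upstream still has to be closed separately. Requests to paths that no rule matches are rejected by Oathkeeper, which gives you default-deny for anything you did not explicitly route.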