# ory-selfhosting
h
For a self-hosted API, how do I secure the admin API? Even if someone just knows about http://127.0.0.1:4434/admin/identities they can see all identities, for example from Postman. If it's not localhost but some website, why am I supposed to see all user identities? It should be blocked until some authorization is involved. How do I secure it so that only an admin can create users, instead of anyone being able to sign up and log in? Any help and answer will be highly appreciated.
m
Hello @happy-eve-92047 Securing your administrative API is crucial to prevent unauthorized access to sensitive data. Ory's APIs, including the administrative API, do not come with integrated access control. This means that all requests sent to their APIs are considered authenticated, authorized, and will be executed. Therefore, it's important to implement additional security measures. Here are some steps you can take to secure your administrative API:

1. Use an API Gateway or Authorization Proxy: You can use an API Gateway or Authorization Proxy to secure your administrative endpoints. This can help you manage who has access to these endpoints and under what conditions. For example, you can restrict access to certain IP addresses or require specific authentication tokens.
2. Use Ory Oathkeeper: Ory Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. It's a good option to protect access to Ory's APIs.
3. ...
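The first step above (an authorization proxy in front of the admin endpoints that checks both the caller's network and a token) can be shown in a few dozen lines of Go. The block below is an added illustration, not code from Ory or from anyone in this thread. It assumes the Kratos admin API is listening on http://127.0.0.1:4434 as in the question, that the proxy itself listens on port 8080, that the shared secret comes from a hypothetical `ADMIN_API_TOKEN` environment variable, and that the allowed client networks are loopback plus a private 10.0.0.0/8 range; all of those are assumptions chosen for the example.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// AdminGuard sits in front of the admin API (here a reverse proxy to Kratos)
// and only forwards a request when BOTH conditions hold:
//   1. the TCP peer address lies inside one of the allowed networks, and
//   2. the request carries the expected bearer token.
type AdminGuard struct {
	token    []byte
	allowed  []*net.IPNet
	upstream http.Handler
}

// NewAdminGuard parses the allow-list CIDRs up front so a typo fails at
// start-up instead of silently allowing or denying everything at runtime.
func NewAdminGuard(token string, cidrs []string, upstream http.Handler) (*AdminGuard, error) {
	g := &AdminGuard{token: []byte(token), upstream: upstream}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		g.allowed = append(g.allowed, n)
	}
	return g, nil
}

// Authorize returns whether the request may pass and a short reason that is
// safe to write to the audit log (it never echoes the presented token).
func (g *AdminGuard) Authorize(remoteAddr, authHeader string) (bool, string) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false, "unparseable client address"
	}
	inRange := false
	for _, n := range g.allowed {
		if n.Contains(ip) {
			inRange = true
			break
		}
	}
	if !inRange {
		return false, "client address not in allow-list"
	}
	const prefix = "Bearer "
	if !strings.HasPrefix(authHeader, prefix) {
		return false, "missing bearer token"
	}
	presented := []byte(strings.TrimPrefix(authHeader, prefix))
	// Constant-time comparison so the token cannot be guessed byte by byte
	// through response timing.
	if subtle.ConstantTimeCompare(presented, g.token) != 1 {
		return false, "bad token"
	}
	return true, "ok"
}

// ServeHTTP denies with 403 and logs the reason, otherwise forwards upstream.
func (g *AdminGuard) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	ok, reason := g.Authorize(r.RemoteAddr, r.Header.Get("Authorization"))
	if !ok {
		log.Printf("denied admin request %s %s from %s: %s", r.Method, r.URL.Path, r.RemoteAddr, reason)
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	g.upstream.ServeHTTP(w, r)
}

func main() {
	token := os.Getenv("ADMIN_API_TOKEN") // hypothetical variable name
	if len(token) < 32 {
		log.Fatal("ADMIN_API_TOKEN must be set to at least 32 characters")
	}
	target, err := url.Parse("http://127.0.0.1:4434") // Kratos admin API from the question
	if err != nil {
		log.Fatal(err)
	}
	guard, err := NewAdminGuard(token, []string{"127.0.0.0/8", "10.0.0.0/8"}, httputil.NewSingleHostReverseProxy(target))
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", guard)) // assumed proxy port
}
```

Two points a practitioner should keep in mind: the check uses `r.RemoteAddr`, the real TCP peer, not `X-Forwarded-For`, because a forwarded header is attacker-controlled unless a trusted load balancer strips and re-sets it; and the proxy only helps if the Kratos admin listener itself stays bound to loopback or a private network, so that nobody can reach port 4434 without going through the guard.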
h
So I have my wrapper API over the Ory API. Internally it uses the Ory API, where I can access and call Ory APIs that are always authenticated as admin. So what I have to do is expose the admin endpoint, but use Ory Oathkeeper over all APIs, so that only authenticated API access calls my API and the Ory API. No one calls the Ory API directly, not even an expert. Hope you understand what I want to do. But a security leak is not acceptable.
@magnificent-energy-493 Any help, suggestion or links to achieve it will be highly appreciated. 🙏 🙏
s
3 is: only access the admin API via localhost lol
or VPN/VPC