Ory Network offers different environments for production, staging, and development. These are called Ory Network projects. 1. Development projects: These provide a free test environment for your projects, with limited rate limits and no custom domain. They are ideal for early-stage development and testing. However, Ory Network doesn't guarantee GDPR-compliant PII handling in development projects. 2. Staging projects: These offer all features of the production environment including a custom domain. Staging projects have lower rate limits than production projects. They are suitable for testing your application and its integrations with Ory Network before deploying to production. They provide a more accurate representation of how your application will behave in a production project compared to development projects, without the risk of affecting real users or data. 3. Production projects: These are meant for the deployment of your final application. The specifics about production projects are not detailed in the provided sources. To create a new development project, you can use the following command:

ory create project --name "My Development Project"

To create a new staging project, you can open the Ory Console, hit "Create new project", and select the Staging environment in the next screen. For more information on the different environments, you can refer to the [Ory documentation](https://www.ory.sh/docs/getting-started/local-development#environments).

The error message you're seeing typically indicates that the API key you're using for authentication has expired or is invalid. Here are a few things you can check: 1. Validity of the API Key: Ensure that the API key you're using is still valid and has not been revoked or expired. 2. Correct Environment Variable: Make sure you're setting the correct environment variable. For project-level operations, you should use

ORY_PROJECT_API_KEY

, and for workspace-level operations, use

ORY_WORKSPACE_API_KEY

. 3. Correct Prefix: Ory API keys have specific prefixes. Project API keys have a

ory_pat_

or

ory_apikey_

prefix, and Workspace API keys have a

ory_wak_

prefix. Make sure your API key has the correct prefix. 4. Correct Usage: The API key should be used in API calls, SDK calls, or command-line interactions. When calling the API, include the API Key in the

Authorization

header. For example:

GET /admin/identities HTTP/1.1      Host: $<http://PROJECT_SLUG.projects.oryapis.com|PROJECT_SLUG.projects.oryapis.com>      Accept: application/json      Authorization: Bearer $API_KEY

If you're still having trouble, you might want to create a new API key and try again. You can create new API keys in the Ory Console, under Project settings → API Keys for project API keys, or under Workspace settings → API Keys for workspace API keys. For more information, you can refer to the [Ory documentation on API keys](https://www.ory.sh/docs/concepts/personal-access-token) and [Ory CLI authentication](https://www.ory.sh/docs/guides/cli/cli-basics#authentication).

To update to the latest version of the Ory CLI on Linux, you can use the same command that you used to install it. Here's the command:

bash bash <(curl <https://raw.githubusercontent.com/ory/meta/master/install.sh>) -b . ory

After running the command, you may want to move the Ory CLI to your `$PATH`:

bash sudo mv ./ory /usr/local/bin/

You can verify the installation after moving to `$PATH`:

bash ory help

This should display the help text for the Ory CLI, including the version number. If the version number matches the latest version, you have successfully updated the Ory CLI. For more information, you can refer to the [Ory CLI installation guide](https://www.ory.sh/docs/guides/cli/installation).

The message you're seeing is a prompt from the Ory CLI asking you to log in through the Ory Console. This is part of the new authentication mechanisms introduced in the latest version of the Ory CLI. Even though you have set the

ORY_PROJECT_API_KEY

and

ORY_WORKSPACE_API_KEY

environment variables, the CLI might still require you to authenticate via the browser for certain operations. This is done using the

ory auth

command, which opens a browser window where you can log in to your Ory account. Here's how you can authenticate:

bash ory auth

After logging in, you should be able to use the CLI to manage workspaces, projects, and project data. If you're using the CLI in an automated environment like a CI/CD pipeline, you can authenticate using API keys. The Ory CLI supports both workspace and project API keys. Workspace API keys have permissions to manage project configs, while project API keys have permissions to manage project data. You can set the API keys using the

ORY_WORKSPACE_API_KEY

and

ORY_PROJECT_API_KEY

environment variables:

bash export ORY_WORKSPACE_API_KEY=ory_wak_8dwW9s....   export ORY_PROJECT_API_KEY=ory_pt_Wse93s....

For more information, you can refer to the [Ory CLI authentication guide](https://www.ory.sh/docs/guides/cli/cli-basics#authentication).

Yes, there is guidance on managing users across projects in the Ory Network. 1. Changing a Project or Workspace Owner: In Ory Network, you can manage project ownership. Projects are typically part of a workspace, where you can easily assign multiple owners. For projects that are part of a workspace, you can add a new owner or adjust current ownership through the "Workspace settings" and "Members" section. For legacy projects that predate the workspace system, you need to move the project to a workspace before assigning ownership. You can find detailed instructions on how to do this in the [Ory documentation](https://www.ory.sh/docs/console/change-owner). 2. Adding Ory OAuth2 as an OIDC Provider: You can add Ory OAuth2 as an OIDC provider to your Ory Network project. This allows you to manage user identities and provide OAuth2/OIDC endpoints for authentication and authorization. You can create projects and OAuth2 clients using either Ory Console or the Ory CLI. Detailed instructions on how to do this can be found in the [Ory documentation](https://www.ory.sh/docs/kratos/social-signin/ory). 3. Managing Users with Ory Identities: Ory Identities offers a comprehensive user management system that supports a wide range of authentication methods and identity management features. It allows you to streamline authentication across apps and services, ensure compliance with security standards and regulatory requirements, and improve user experience with a custom UI. More information on Ory Identities can be found in the [Ory documentation](https://www.ory.sh/docs/identities#benefits). 4. Managing Users in Organizations: Organizations in Ory Network are a way to group users within one project. An organization always belongs to one Ory project. Within a project, an identity can belong to an organization or remain without an organization. Organizations contain multiple OIDC SSO connections. All members of an organization must use one of the organization's OIDC SSO connections to log in. More information on managing users in organizations can be found in the [Ory documentation](https://www.ory.sh/docs/kratos/organizations). Remember that managing users across projects involves careful planning and execution to ensure security and compliance. Always refer to the official Ory documentation for the most accurate and up-to-date information.

In Ory Network, you can add audiences to the claims in JWT returned by the OAuth client by following these steps: 1. Specify the Intended Audiences: When creating or updating the OAuth 2.0 client, you need to define the audiences it needs access to. This can be done by including the

audience

parameter in the client's metadata. The

audience

parameter is a list of case-sensitive URLs. The URLs can't contain whitespaces. Here's an example:

json {     "client_id": "...",     "audience": ["<https://api.my-cloud.com/user>", "<https://some-tenant.my-cloud.com/>"],   }

For more information, refer to the [Ory Hydra Guide on OAuth2 token audience](https://www.ory.sh/docs/hydra/guides/audiences). 2. Add Audience to JWT Claims: When authenticating the client at the token endpoint, you generate and sign a JSON Web Token with the following claims: - `aud`: REQUIRED. Audience. The

aud

(audience) Claim is a value that identifies the Authorization Server (Ory) as an intended audience. The Authorization Server MUST verify that it's an intended audience for the token. The Audience SHOULD be the URL of the Authorization Server's Token Endpoint. For more information, refer to the [Ory Hydra Guide on JWTs for client authentication](https://www.ory.sh/docs/hydra/guides/jwt#jwts-for-client-authentication) and the [Ory OAuth2-oidc Guide on JWT Bearer profile for OAuth2 client authentication](https://www.ory.sh/docs/oauth2-oidc/client-credentials#jwt-bearer-profile-for-oauth2-client-authentication). Remember to ensure that the audience URLs you specify are allowed by the OAuth 2.0 client and are valid URLs.

To get the Ory Permission Language (OPL) file in Ory Network using the Ory CLI, you can use the

ory get opl

command. However, the exact command and its usage are not specified in the provided knowledge sources. For updating or patching the OPL file, you can use the

ory update opl

or

ory patch opl

commands respectively. Here's how you can use these commands: Update OPL

bash ory update opl --file /path/to/namespace_config.ts

Patch OPL

bash ory patch opl --file /path/to/namespace_config.ts

In both commands, replace

/path/to/namespace_config.ts

with the path to your OPL configuration file. For more information, you can refer to the [Ory CLI documentation on updating OPL](https://www.ory.sh/docs/cli/ory-update-opl) and [patching OPL](https://www.ory.sh/docs/cli/ory-patch-opl).

Migrating identities between Ory projects involves exporting identities from the source project and importing them into the target project. Here's a general process based on the provided knowledge sources: 1. Export Identities from the Source Project: Use the

ory get identity

command to retrieve and save the identity data from the source project. Here's an example command:

bash export IDENTITY_ID=$IDENTITY_ID   ory get identity "$IDENTITY_ID" --project "$PROJECT_ID" --format json-pretty > identity-"$IDENTITY_ID".json

Replace

$IDENTITY_ID

with the ID of the identity you want to export, and

$PROJECT_ID

with the ID of the source project. This command saves the identity data in a JSON file. 2. Prepare Identities for Import: Update the saved JSON file to match the identity schema of the target project. Here's an example of how to do this:

bash -"schema_id" : "$OLD_SCHEMA_ID",   +"schema_id" : "$NEW_SCHEMA_ID",   "traits": {   -"foo": "foobar"   +"bar": barfoo   }

Replace

$OLD_SCHEMA_ID

with the schema ID of the source project, and

$NEW_SCHEMA_ID

with the schema ID of the target project. Update the

traits

to match the new schema. 3. Import Identities into the Target Project: Use the

create identity API

to import the identities into the target project. Here's an example command:

bash curl -d "@identity-$IDENTITY_ID.json" -X PUT https://$<http://ORY_SLUG.projects.oryapis.com/admin/identities/$IDENTITY_ID|ORY_SLUG.projects.oryapis.com/admin/identities/$IDENTITY_ID> \   -H "Authorization: Bearer $ORY_API_KEY" \   -H'Content-Type: application/json'

Replace

$ORY_SLUG

with the slug of your Ory Network project, and

$ORY_API_KEY

with your Ory API key. Please note that this is a general process and might need to be adjusted based on your specific use case and the configuration of your Ory projects. For more information, you can refer to the [Ory documentation on managing identity schemas](https://www.ory.sh/docs/identities/model/manage-identity-schema#update-identities-to-use-a-new-schema) and [importing identities](https://www.ory.sh/docs/migrate-to-ory#import-identities).

Migrating identities from one Ory project to another while preserving passwords and Single Sign-On (SSO) connections involves exporting identities from the source project and importing them into the target project. Here's a general process based on the provided knowledge sources: 1. Export Identities from the Source Project: Use the

ory get identity

command to retrieve and save the identity data from the source project. Here's an example command:

bash export IDENTITY_ID=$IDENTITY_ID   ory get identity "$IDENTITY_ID" --project "$PROJECT_ID" --format json-pretty > identity-"$IDENTITY_ID".json

Replace

$IDENTITY_ID

with the ID of the identity you want to export, and

$PROJECT_ID

with the ID of the source project. This command saves the identity data in a JSON file. 2. Prepare Identities for Import: Update the saved JSON file to match the identity schema of the target project. Here's an example of how to do this:

bash -"schema_id" : "$OLD_SCHEMA_ID",   +"schema_id" : "$NEW_SCHEMA_ID",   "traits": {   -"foo": "foobar"   +"bar": barfoo   }

Replace

$OLD_SCHEMA_ID

with the schema ID of the source project, and

$NEW_SCHEMA_ID

with the schema ID of the target project. Update the

traits

to match the new schema. 3. Import Identities into the Target Project: Use the

create identity API

to import the identities into the target project. Here's an example command:

bash curl -d "@identity-$IDENTITY_ID.json" -X PUT https://$<http://ORY_SLUG.projects.oryapis.com/admin/identities/$IDENTITY_ID|ORY_SLUG.projects.oryapis.com/admin/identities/$IDENTITY_ID> \   -H "Authorization: Bearer $ORY_API_KEY" \   -H'Content-Type: application/json'

Replace

$ORY_SLUG

with the slug of your Ory Network project, and

$ORY_API_KEY

with your Ory API key. Please note that this is a general process and might need to be adjusted based on your specific use case and the configuration of your Ory projects. For more information, you can refer to the [Ory documentation on managing identity schemas](https://www.ory.sh/docs/identities/model/manage-identity-schema#update-identities-to-use-a-new-schema) and [importing identities](https://www.ory.sh/docs/migrate-to-ory#import-identities). To preserve passwords and SSO connections, ensure that the

credentials

field in the identity data is correctly formatted and includes the necessary information. For passwords, this includes the

hashed_password

field. For SSO connections, this includes the

oidc

field with the necessary

config

and

providers

fields. For more information, refer to the [Ory API reference on updating identity](https://www.ory.sh/docs/reference/api#tag/identity/operation/updateIdentity).

For security and privacy reasons, it's not possible to directly retrieve a user's password from an Ory project. Passwords are stored as hashed values, not in plain text, to protect user data. However, you can migrate hashed passwords from one project to another. When you export an identity, the hashed password is included in the exported data. You can then import this data into the target project, preserving the user's password. Here's a general process for migrating hashed passwords: 1. Export the Identity: Use the

ory get identity

command to export the identity data, which includes the hashed password. Here's an example command:

bash export IDENTITY_ID=$IDENTITY_ID   ory get identity "$IDENTITY_ID" --project "$PROJECT_ID" --format json-pretty > identity-"$IDENTITY_ID".json

Replace

$IDENTITY_ID

with the ID of the identity you want to export, and

$PROJECT_ID

with the ID of the source project. 2. Import the Identity: Use the

create identity API

to import the identity data into the target project. Here's an example command:

bash curl -d "@identity-$IDENTITY_ID.json" -X PUT https://$<http://ORY_SLUG.projects.oryapis.com/admin/identities/$IDENTITY_ID|ORY_SLUG.projects.oryapis.com/admin/identities/$IDENTITY_ID> \   -H "Authorization: Bearer $ORY_API_KEY" \   -H'Content-Type: application/json'

Replace

$ORY_SLUG

with the slug of your Ory Network project, and

$ORY_API_KEY

with your Ory API key. Please note that this process assumes that the target project uses the same password hashing algorithm as the source project. If the target project uses a different hashing algorithm, you'll need to use a password migration hook to migrate the password. For more information, refer to the [Ory documentation on password migration using a web hook](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#password-migration-using-a-web-hook).

To get the hashed password of a user in an Ory project, you can use the

get identity

command from the Ory CLI or the

get identity

API endpoint. Here's an example of how to use the CLI command:

bash export IDENTITY_ID=$IDENTITY_ID   ory get identity "$IDENTITY_ID" --project "$PROJECT_ID" --format json-pretty > identity-"$IDENTITY_ID".json

Replace

$IDENTITY_ID

with the ID of the identity you want to retrieve, and

$PROJECT_ID

with the ID of your project. This command saves the identity data, including the hashed password, in a JSON file. If you want to use the API endpoint, here's an example of how to do it:

bash curl -X GET https://$<http://ORY_SLUG.projects.oryapis.com/admin/identities/$IDENTITY_ID|ORY_SLUG.projects.oryapis.com/admin/identities/$IDENTITY_ID> \ -H "Authorization: Bearer $ORY_API_KEY"

Replace

$ORY_SLUG

with the slug of your Ory Network project,

$IDENTITY_ID

with the ID of the identity you want to retrieve, and

$ORY_API_KEY

with your Ory API key. This command retrieves the identity data, including the hashed password. Please note that the hashed password is stored in the

credentials

field of the identity data. For more information, refer to the [Ory API reference on getting an identity](https://www.ory.sh/docs/reference/api#tag/identity/operation/getIdentity).

Yes, you can specify multiple credential types to return when calling the

GET /admin/identities/{id}

endpoint with the

include_credential

query parameter. The

include_credential

parameter accepts an array of strings, where each string represents a credential type. Here's an example of how to use the

include_credential

parameter with multiple credential types:

bash curl -X GET "https://$<http://ORY_SLUG.projects.oryapis.com/admin/identities/$IDENTITY_ID?include_credential=password&include_credential=oidc|ORY_SLUG.projects.oryapis.com/admin/identities/$IDENTITY_ID?include_credential=password&include_credential=oidc>" \ -H "Authorization: Bearer $ORY_API_KEY"

Replace

$ORY_SLUG

with the slug of your Ory Network project,

$IDENTITY_ID

with the ID of the identity you want to retrieve, and

$ORY_API_KEY

with your Ory API key. This command retrieves the identity data, including the password and OIDC credentials. The available credential types are

password

,

oidc

,

totp

,

lookup_secret

,

webauthn

,

code

,

passkey

,

profile

,

link_recovery

, and

code_recovery

. For more information, refer to the [Ory API reference on getting an identity](https://www.ory.sh/docs/reference/api#tag/identity/operation/getIdentity).

Yes, when a user completes a recovery flow by clicking the recovery link sent to their email, a session is issued to the application. This allows the user to reset their password and update their profile information on the settings page. Here's the process as described in the [Ory documentation](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#recovery): 1. A recovery flow is submitted. 2. A session is issued to the application. 3. The user is able to reset their password and update their profile information on the settings page. Browser applications are automatically redirected to the settings page, while native applications must take the user to the settings page. Please note that the recovery flow has two methods:

link

and

code

. The

link

method requires the user to open the recovery link from their email client using a browser on the same device. The

code

method is more user-friendly since the code can be entered on the same device where the user requested the code from.

The

/.well-known/jwks.json

endpoint contains multiple JSON Web Keys (JWKs) because different keys are used for different purposes in Ory's OAuth2 and OpenID Connect implementations. Each key in the JWK set has a specific use, and they are used to sign and verify different types of tokens. By default, Ory generates two cryptographic keys for each Ory Network project: one for ID Tokens and one for JWT Access Tokens ([source](https://www.ory.sh/docs/hydra/jwks#default-cryptographic-keys-in-ory)). These keys are stored securely and encrypted at rest using AES256-GCM and the system secret. The keys used for signing OpenID Connect ID Tokens and JWT Access Tokens are included in the default JWK set. You can interact with these keys using the

set-id

values

hydra.openid.id-token

and

hydra.jwt.access-token

, respectively ([source](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#json-web-token-validation)). In addition to these default keys, you can add custom keys to the OAuth2 configuration. These custom keys will also be included in the

/.well-known/jwks.json

endpoint ([source](https://www.ory.sh/docs/hydra/jwks#the-role-of-well-knownjwksjson)). In summary, the

/.well-known/jwks.json

endpoint contains multiple JWKs because different keys are used for different purposes, such as signing ID Tokens and JWT Access Tokens.

Yes, in Ory Network, you can query sessions to check if a user has logged in. You can use the

/sessions/whoami

endpoint to check if a user is signed in and has an active session. If the user doesn't have an active session, the system returns a

401 Unauthorized

response. If the user has an active session, you get a

200 OK

response and the session payload ([source](https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api)). For example, to check for an active session with an Ory Session Token, you can run:

bash curl -H "Authorization: Bearer {your-session-token}" \     "https://$<http://PROJECT_SLUG.projects.oryapis.com/sessions/whoami|PROJECT_SLUG.projects.oryapis.com/sessions/whoami>"

And to check for an active session with an Ory Session Cookie, you can run:

bash curl -H "Cookie: ory_session_...=..." \     "https://$<http://PROJECT_SLUG.projects.oryapis.com/sessions/whoami|PROJECT_SLUG.projects.oryapis.com/sessions/whoami>"

Administrators can also get a list of all sessions of a user available in the system using the list identity sessions API from the SDK ([source](https://www.ory.sh/docs/kratos/session-management/list-revoke-get-sessions#listing-all-sessions-of-a-user)). However, the documentation does not specify how far back the session history goes. This might depend on your specific Ory configuration and how long you retain session data. For more detailed information, you might want to refer to the [Ory documentation](https://www.ory.sh/docs/) or reach out to Ory support.

You can get a list of all sessions available in the system using the list sessions API from the SDK. The API returns a paginated response. Optional parameters allow you to get a specific page and define the number of items shown on a single page. Here is an example of how to do this in Go:

go package session      import (    "context"    "<http://github.com/ory/client-go|github.com/ory/client-go>"   )      type oryMiddleware struct {    ory *ory.APIClient   }      func init() {    cfg := client.NewConfiguration()    cfg.Servers = client.ServerConfigurations{     {URL: fmt.Sprintf("<https://%s.projects.oryapis.com>", os.Getenv("ORY_PROJECT_SLUG"))},    }       ory = client.NewAPIClient(cfg)   }      func GetSessions(ctx context.Context, pageToken string, perPage int64) (sessions []client.Session, err error) {    sessions, _, err = ory.IdentityApi.ListSessions(ContextWithToken(ctx)).     PageToken(pageToken). // Optional - token id     PageSize(perPage).    // Optional - number of sessions per page     Active(true).         // Optional - used to filter result for active or inactive sessions; not setting this returns all sessions     Execute()       if err != nil {     return nil, err    }       return sessions, err   }

(Source: [Ory Documentation](https://www.ory.sh/docs/kratos/session-management/list-revoke-get-sessions#listing-all-sessions)) And here is an example of how to do this in TypeScript:

typescript import { Configuration, IdentityApi } from "@ory/client"      const identity = new IdentityApi(     new Configuration({       basePath: `https://${process.env.ORY_PROJECT_SLUG}.<http://projects.oryapis.com|projects.oryapis.com>`,       accessToken: `${process.env.ORY_ACCESS_TOKEN}`,     }),   )      export async function listSessions(     expandOptions?: Array<"Devices" | "Identity">,     pageToken?: string,     pageSize?: number,     active?: boolean,   ) {     // All parameters here are optional     // Expand options can be used to include data for certain attributes in the response which are not returned by default to improve performance     // Page Token obtained from the response header has to be set to receive subsequent page data     return await identity.listSessions({       expand: expandOptions,       active: active, // Optional parameter to filter sessions based on state (active/inactive)       pageToken: pageToken,       pageSize: pageSize, // Optional parameter to control the number of sessions per page (has default fallback value)     })   }

(Source: [Ory Documentation](https://www.ory.sh/docs/kratos/session-management/list-revoke-get-sessions#listing-all-sessions)) To view all sessions available in a project, you can also go to Activity → Sessions in the [Ory Console](https://console.ory.sh/projects/current/sessions).

Yes, Ory Network provides the ability to stream events such as logins, sign-ups, machine-to-machine tokens issued, and many more in real-time. These events can be piped into your own infrastructure like a data warehouse, data lake, or any other system of your choice. You can use these events to power your own analytics, dashboards, data science, and more. However, this feature is available for Ory Network enterprise contracts. You would need to talk to your account manager or reach out directly to Ory to find out more about this feature. Here is the relevant excerpt from the [Ory documentation](https://www.ory.sh/docs/actions/live-events): > You can stream events (sign-ups, logins, machine-to-machine tokens issued, and many more) in real-time, live as they happen in your Ory Network project, to your own infrastructure. Pipe those events into your own data warehouse, data lake, or flavor of choice, and use them to power your own analytics, dashboards, data science, and more. Please note that the documentation does not provide a specific API endpoint for querying these events. Instead, the events are streamed live as they happen. If your workload is not running on AWS or you don't want to use SNS, you can reach out to Ory to discuss your requirements.