Hello, you are mentioning in this article that you intend to publish a new token service that will provide standardized API Keys and Personal Access Tokens. Unfortunately, I couldn't find anything regarding this topic in your documentation, and session tokens are not sufficient for our use case. Therefore, I wanted to ask what the current state of this project is.
high-optician-2097
12/10/2024, 8:24 AM
Not started yet and currently not actively planned
plain-megabyte-75926
12/10/2024, 8:42 AM
Thanks for the information!
astonishing-oxygen-21376
12/11/2024, 9:25 AM
This would be a great feature for us
plain-megabyte-75926
12/13/2024, 5:21 AM
@high-optician-2097 We are thinking of using the OAuth Client Credentials Flow as an alternative that can be used by (many) API users. Do you think that would be an appropriate solution? Or do you have any other recommendations (e.g. external tools)?
It would also be interesting to know how you have implemented API keys within Ory.
magnificent-energy-493
12/17/2024, 11:34 AM
Hello @plain-megabyte-75926
I don't have recommendations for other tools, but the OAuth2 Client Credentials Flow has the drawback that the tokens are relatively short-lived and you have to request them again when they expire.
This might be an issue or not depending on the details of your use case. In some cases you even want them to expire quickly.
An alternative would be a "shared secret" - this is also what we implemented for API keys in Ory Console - a bit version of the OAuth2 Client Credentials Flow without automatically expiring the secret. You should still rotate the secret from time to time depending on your threat model.