<@U04UQ68083H> "Access credentials are not suffici...
# ory-copilot
@chilly-king-10285 "Access credentials are not sufficient to access this resource"
A message from kapa.ai
I'm sorry, but the knowledge sources provided do not contain an entry or explanation for the message "Access credentials are not sufficient to access this resource." I do see related items about insufficient/invalid credentials in Ory components:

- Ory OAuth2 resource access depends on access tokens and their scopes; an invalid or insufficient token/scope results in denial at the resource server (for example, via introspection) ([Accessing APIs](https://www.ory.sh/docs/oauth2-oidc/overview/oauth2-concepts#accessing-apis)).
- OAuth2 scopes reflect user consent for a client, not the user’s own permissions; a valid token can still be denied if the user lacks permissions enforced by Ory Permissions (Keto) ([Scopes represent user consent](https://www.ory.sh/docs/oauth2-oidc/overview/oauth2-concepts#oauth2-scopes-represent-user-consent), [Scopes aren’t permissions](https://www.ory.sh/blog/oauth2-openid-connect-do-you-need-use-cases-examples)).
- In Ory Permissions, authorization is done by checking permissions defined in your model against relationships; lack of the required permission (e.g., view/edit) will deny access even if the user is authenticated ([How to integrate permission checks](https://www.ory.sh/docs/keto/guides/simple-access-check-guide), [Checking for permissions](https://www.ory.sh/docs/guides/permissions/overview#checking-for-permissions)).

If you can share where this exact message appears (Kratos UI, Hydra/OAuth2 endpoint, Oathkeeper proxy, or Keto check), I can map it to the relevant diagnostics or error codes from the docs.
This is through the API/API key @chilly-king-10285
A message from kapa.ai
If you’re calling Ory Admin/Management APIs with an API key and get “Access credentials are not sufficient to access this resource,” it usually means the key type or scope doesn’t match the API you’re calling.

- Use a Project API Key for Project Admin APIs (identities, sessions, OAuth2 clients) at your project domain, sent as `Authorization: Bearer $API_KEY` ([Ory Network API Keys – Project Admin APIs](https://www.ory.sh/docs/concepts/personal-access-token)) and ([API overview](https://www.ory.sh/docs/api)).
- Use a Workspace API Key only for Workspace admin/management endpoints (for example, creating projects) at `api.console.ory.sh`; it won’t work for project data like identities or sessions ([Workspace Admin APIs](https://www.ory.sh/docs/concepts/personal-access-token#authorizing-ory-network-workspace-admin-apis)) and ([Manage projects via API](https://www.ory.sh/docs/guides/manage-project-via-api)).

Quick checks:

- Ensure you’re hitting the correct host: project APIs use `https://$PROJECT_SLUG.projects.oryapis.com`, while workspace management uses `https://api.console.ory.sh` ([API overview](https://www.ory.sh/docs/api)).
- Verify you created the right key type for the operation (Project vs Workspace) and pass it in `Authorization: Bearer ...` ([Project Admin APIs](https://www.ory.sh/docs/concepts/personal-access-token) and [Workspace Admin APIs](https://www.ory.sh/docs/concepts/personal-access-token#authorizing-ory-network-workspace-admin-apis)).
- If you’re self-hosting, note that open-source servers have no built-in API access control; protect them behind Oathkeeper or an API gateway ([API access control (self‑hosted)](https://www.ory.sh/docs/self-hosted/operations/api-access-control)).
If the error occurs via Oathkeeper while validating sessions (e.g., cookie_session/bearer_token), be aware that upstream 429s from /sessions/whoami may surface as 401/insufficient credentials; this is tracked in Oathkeeper’s issue tracker ([Issue: 401 on rate limit during whoami](https://github.com/ory/oathkeeper/issues/1167)).