Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi Crew. It seems I'm not able to authenticate to the API using a Personal Access Token while using Ory Tunnel in local development. Is this a bug, or am I configuring something incorrectly? I'm configuring the ory client (<http://github.com/ory/client-go|github.com/ory/client-go>) with the Ory Tunnel url (<http://localhost:4000>), and requests to authenticate session cookies and generate logout urls work normally, however a permissions Check request will return 401 even when a valid Personal Access Token included in the request. If I configure the ory client to use the project url (<https://xxxxxx.projects.oryapis.com>), then the permissions Check request will accept the Personal Access Token, but my other requests for generating logout urls won't function correctly in the localhost environment.

Thank you for the report. It’s possible that we have overlooked this use case for the Ory Tunnel. Can you for the time being work around this using the oryapis URL? I added your report to our backlog: <https://github.com/ory/cli/issues/271>

Thanks for looking into this. Sure, for the moment use the oryapis URL for the requests that require it, and use the tunnel URL for the rest.