Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Also I want to get a better understanding of how the match parameter on access rules works for decisions API. Talking from a localhost perspective, I assume that any requests that hit the /decisions/* endpoint given that they pass the auth checks will return a 200 OK response, however, why does the match url specify a host? Shouldn't all requests hit oathkeeper host port only? Do I keep it as localhost:4456 or 0.0.0.0:4456 for prod environments? Am I gravely misunderstanding something? TIA