Hello all, does oathkeeper support session-less au...
# talk-oathkeeper
k
Hello all, does oathkeeper support session-less authentication using API keys (like those: https://docs.kraken.com/rest/#section/Authentication), or do we need to implement this ourselves?
n
k
Thank you, not sure if I understand. The request that reaches oathkeeper contains in the header the public part of the api key pair and the digest of the whole payload, there is no bearer token.
n
it shouldn't actually need to be a single token, oathkeeper just forwards the request to a downstream service which authenticates the request, oathkeeper doesn't validate anything itself
k
If I understand correctly, this means that the authentication logic needs to be split between ory (sessions) and the underlying services (api keys)?
n
yes, oathkeeper cannot validate keys itself, as it has no way to manage those keys
k
it can manage sessions (hosted also somewhere else - kratos), so in theory it could manage api keys as well 😉
n
but that's not oathkeeper doing that work, so it's still in another system, oathkeeper doesn't have state like that