# talk-kratos
k
Hello all, I accidentally posted this question on the oathkeeper channel, but it is more suited for kratos: does kratos (or the ory stack in general) support session-less authentication using API keys (like these: https://docs.kraken.com/rest/#section/Authentication), or does the authentication logic need to be split between ory (sessions) and the underlying services (API keys)?
f
Recently I had the same question 🙂 I couldn’t find the way to use kratos for this
k
😐
r
What does this look like exactly? Or what's the use case? I am not familiar with Kraken, and I remember reading your link the other day and asking myself what it was for.
k
Stateless authentication, with the use of a key pair explicitly requested by the user, possibly with restricted power. Imagine writing a trading bot in python. No need to log in and worry about session expiry - each request is separately signed.
r
oh, i see
are the keys provided by Binance?
sorry, maybe that's a dumb question
or are you looking for kratos to provide the keys for the user?
k
The API key pair is generated on demand for the user, probably outside kratos. API key is one of the (arguably) common ways of authenticating and authorizing a request. Let's say we go with the kratos & oathkeeper combo for request auth. Since kratos does not speak API keys, what would be the proposed workflow?
in case of a session: user -> oathkeeper -> authenticated request to internal api
in case of API key: user -> oathkeeper -> passthrough to internal api, to be authenticated/authorized there?
Since the authentication logic will be split between kratos and the downstream service in either case, does it make sense to redesign the workflow like this: user -> internal api <-> oathkeeper?
r
I mean, you can implement your own "session" endpoint to verify the key
I am not entirely sure how to map key creation "outside", to an actual "identity"
k
within ory?
r
the authenticators are web requests essentially
for example,
check_session_url
just expects a certain response to say "valid"
same for the jwks methods, etc.
k
I see. That is a possibility. Will try it out, thank you.