Ask AI is now on the home page — ask a question and get a sourced answer from the Ory docs. You'll also find it in the bottom-right corner of any page.

Skip to main content

API access control

danger

The APIs of Ory open-source Servers don't come with integrated access control. This means that all requests sent to their APIs are considered authenticated, authorized, and will be executed. Leaving the APIs in this state can lead to severe security risks.

When deploying Ory open-source Servers, protect access to their APIs using Ory Oathkeeper or a comparable API Gateway.

If you need help, reach out to the community on Ory Community Slack.

If you have ideas how to improve this document, please open an issue.