June 11, 2026
Keys, leaks, and comment-section panic
Show HN: Open-source API Key server written in Go by Ory
A new tool to control secret app passwords lands — and the comments zoom in on AI leaks
TLDR: Ory launched an open-source service for managing the secret keys apps use behind the scenes, aiming to make them safer and easier to control. But commenters quickly pushed the conversation toward AI risks, asking whether it can stop temporary access secrets from being leaked by chatty AI agents.
Ory just rolled out Ory Talos, an open-source tool for creating, checking, and shutting off API keys — basically the secret passwords apps use to talk to other apps. The pitch is simple: make these keys safer, faster, and easier to manage whether you use Ory’s hosted service or run it yourself. Sounds neat, but the real energy came from the comments, where the community immediately skipped the polite applause and went straight to "okay, but what about the messiest real-world problem?"
Ory’s own Aeneas popped in to say the project was built for handling API keys at big-company scale — think the kind of secret keys used by AI services like OpenAI and Anthropic — and tried to head off confusion with a quick "not to confuse with Talos Linux" disclaimer. That little aside is exactly the kind of nerdy name-clash drama commenters love: half product launch, half identity crisis.
Then came the strongest reaction: reader denysvitali basically said, nice, but does it solve the scarier AI-agent problem? Specifically, how do you give an AI helper temporary access to a service like GitHub without risking that it blurts out a real secret in a code commit or chat log? That turned the discussion from “cool new tool” into “is this actually built for the nightmare everyone is worried about?” It’s less a flame war than a classic Hacker News vibe: polite, skeptical, and laser-focused on whether a shiny infrastructure launch survives contact with chaotic reality. In other words, the community verdict so far is: interesting idea, now prove it can handle the AI leak circus.
Key Points
- Ory Talos is an open-source API key server for issuing, verifying, revoking, and managing API keys at scale.
- The system supports deriving short-lived JWT and macaroon tokens from long-lived keys and can verify derived tokens offline without a database lookup.
- Ory Talos is designed for low-latency verification through caching, sidecar deployment, and horizontally scalable operation with external databases.
- It can be deployed either as a managed service on the Ory Network or as a self-hosted service under user control.
- The self-hosted open-source distribution runs as a single instance with embedded SQLite and is positioned for experimentation, prototyping, and low-traffic workloads.
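The second key point, deriving short-lived tokens from a long-lived key and verifying them offline, is the mechanism that speaks to the agent-leak question in the thread, so here it is in code. The Go program below is an added example written for this page, not code from Ory Talos, and it uses a simplified macaroon construction (an HMAC chain over a key identifier and a list of caveats); the root key, the `key_42` identifier, the `exp=` and `scope=` caveat syntax and every function name are assumptions of the example. A long-lived key is minted once with the issuer's root key; whoever holds it can derive a narrower, time-bounded token by appending caveats without contacting the issuer; the verifier recomputes the chain from the root key alone, so it needs no database lookup. The JWT path Talos also offers is the same idea with a signature checked against a published key and is not shown.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Token is a minimal macaroon-style credential: an identifier, an ordered list
// of caveats (restrictions) and an HMAC chain over identifier and caveats.
type Token struct {
	ID      string
	Caveats []string
	Sig     []byte
}

func mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// Mint issues the long-lived credential. Only the issuer holds rootKey.
func Mint(rootKey []byte, id string) Token {
	return Token{ID: id, Sig: mac(rootKey, []byte(id))}
}

// AddCaveat derives a more restricted token from an existing one. The holder
// needs no root key: the new signature is HMAC(oldSig, caveat). HMAC is one-way,
// so a caveat cannot be stripped without knowing the previous signature.
func AddCaveat(t Token, caveat string) Token {
	caveats := append(append([]string(nil), t.Caveats...), caveat)
	return Token{ID: t.ID, Caveats: caveats, Sig: mac(t.Sig, []byte(caveat))}
}

// Verify recomputes the HMAC chain from rootKey and then enforces every caveat
// against the request (current time, requested scope). The only state the
// verifier needs is rootKey, so this runs offline with no database lookup.
func Verify(rootKey []byte, t Token, now time.Time, scope string) error {
	sig := mac(rootKey, []byte(t.ID))
	for _, c := range t.Caveats {
		sig = mac(sig, []byte(c))
	}
	if subtle.ConstantTimeCompare(sig, t.Sig) != 1 {
		return errors.New("invalid signature")
	}
	for _, c := range t.Caveats {
		k, v, _ := strings.Cut(c, "=")
		switch k {
		case "exp": // unix seconds; the token is dead once now >= exp
			exp, err := strconv.ParseInt(v, 10, 64)
			if err != nil || !now.Before(time.Unix(exp, 0)) {
				return errors.New("token expired")
			}
		case "scope": // the token is only good for exactly this scope
			if v != scope {
				return fmt.Errorf("scope %q not permitted", scope)
			}
		default: // fail closed: an unknown restriction cannot be satisfied
			return fmt.Errorf("unknown caveat %q", k)
		}
	}
	return nil
}

func main() {
	root := []byte("constructed-demo-root-key") // issuer secret (constructed for the example)
	long := Mint(root, "key_42")                 // long-lived key; never handed to the agent
	now := time.Now()
	exp := "exp=" + strconv.FormatInt(now.Add(5*time.Minute).Unix(), 10)
	short := AddCaveat(AddCaveat(long, exp), "scope=repo:read") // what the agent gets
	fmt.Println("read, now:     ", Verify(root, short, now, "repo:read"))
	fmt.Println("write, now:    ", Verify(root, short, now, "repo:write"))
	fmt.Println("read, +1h:     ", Verify(root, short, now.Add(time.Hour), "repo:read"))
	// Dropping the scope caveat to widen the token leaves the chain inconsistent.
	stripped := Token{ID: short.ID, Caveats: short.Caveats[:1], Sig: short.Sig}
	fmt.Println("caveat stripped:", Verify(root, stripped, now, "repo:write"))
}
```

The last two checks in `main` are the ones relevant to the thread's worry: an agent that pastes the derived token into a commit leaks only a scoped, time-bounded credential, and editing the caveats to widen it breaks the HMAC chain. What the example deliberately leaves out is revocation of the long-lived key, which Talos lists as a feature: a purely offline verifier cannot see a revocation made after a token was derived until that token expires, which is the reason derived tokens are kept short-lived in the first place.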