ory proxy

Secure Endpoint Using the Ory Reverse Proxy


This command starts a reverse proxy which can be deployed in front of your application.

To require login before accessing paths in your application, use the --protect-path-prefix flag:

$ ory proxy --port 4000 http://localhost:3000 --protect-path-prefix /members --protect-path-prefix /admin

The --protect-path-prefix flag currently uses a string prefix match. Future versions will include support for regular expressions and glob matching.

If the request is authenticated, a JSON Web Token will be sent in the HTTP Authorization Header containing the Ory Session:

GET / HTTP/1.1
Authorization: Bearer <the-json-web-token>

The JSON Web Token claims contain:

  • The "sub" field which is set to the Ory Identity ID.
  • The "session" field which contains the full Ory Session.

The JSON Web Token is signed using the ES256 algorithm. The public key can be found by fetching the /.ory/jwks.json path when calling the proxy - for example

An example payload of the JSON Web Token is:

{
  "id": "821f5a53-a0b3-41fa-9c62-764560fa4406",
  "active": true,
  "expires_at": "2021-02-25T09:25:37.929792Z",
  "authenticated_at": "2021-02-24T09:25:37.931774Z",
  "issued_at": "2021-02-24T09:25:37.929813Z",
  "identity": {
    "id": "18aafd3e-b00c-4b19-81c8-351e38705126",
    "schema_id": "default",
    "schema_url": "",
    "traits": {
      "email": "foo@bar",
      // ... your other identity traits
    }
  }
}

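
Added example, not taken from the Ory documentation or code base: one way an upstream service behind the proxy could verify the forwarded ES256 token with the Go standard library and read the "sub" and "session" claims. It assumes the keys from /.ory/jwks.json have already been fetched and decoded into the JWK struct; VerifyProxyJWT, JWK and the token in main are names and values made up for this example, and no expiry claim is checked because the page does not describe one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// JWK holds the EC fields of one key from the proxy's /.ory/jwks.json document.
type JWK struct{ Kty, Crv, Kid, X, Y string }

var b64 = base64.RawURLEncoding // JWT segments and JWK coordinates are unpadded base64url

// VerifyProxyJWT returns the "sub" and "session" claims of an ES256-signed token.
func VerifyProxyJWT(token string, keys []JWK) (string, json.RawMessage, error) {
	h, rest, _ := strings.Cut(token, ".")
	p, sg, _ := strings.Cut(rest, ".") // a missing or extra segment fails the checks below
	var hdr struct{ Alg, Kid string }
	raw, e1 := b64.DecodeString(h)
	body, e2 := b64.DecodeString(p)
	sig, e3 := b64.DecodeString(sg)
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return "", nil, errors.New("need an ES256 header and a 64-byte r||s signature") // refuses "none", HS256
	}
	sum := sha256.Sum256([]byte(h + "." + p))
	r, s, ok := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]), false
	for _, k := range keys {
		x, ex := b64.DecodeString(k.X)
		y, ey := b64.DecodeString(k.Y)
		if ex == nil && ey == nil && k.Kty == "EC" && k.Crv == "P-256" && (hdr.Kid == "" || hdr.Kid == k.Kid) {
			pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
			ok = ok || ecdsa.Verify(pub, sum[:], r, s)
		}
	}
	var c struct{ Sub string; Session json.RawMessage }
	if !ok || json.Unmarshal(body, &c) != nil || c.Sub == "" { // claims are parsed only after verification
		return "", nil, errors.New("signature not verified by a trusted key, or sub missing")
	}
	return c.Sub, c.Session, nil
}

func main() {
	_, _, err := VerifyProxyJWT("e30.e30.", nil) // constructed token whose header is "{}"
	println(err.Error())
}
```
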
ory proxy [upstream] [flags]


      --dont-install-cert             If set will not try to add the HTTPS certificate to your certificate store.
      --endpoint string               Use a different endpoint. (default "")
  -h, --help                          help for proxy
      --port int                      The port the proxy should listen on. (default 4000)
  -p, --project string                Must be set to your Ory Cloud Project Slug. Alternatively set using the ORY_PROJECT_ID environmental variable.
      --protect-path-prefix strings   Require authentication before accessing these paths.


  • ory - The ORY CLI
Last updated on by aeneasr