API access control

danger

The APIs of Ory open-source Servers don't come with integrated access control. This means that every request sent to their APIs is treated as authenticated and authorized, and will be executed. Leaving the APIs in this state can lead to severe security risks.

When deploying Ory open-source Servers, protect access to their APIs using Ory Oathkeeper or a comparable API Gateway.
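As an added example (not code from the Ory documentation), the following script audits a set of Ory Oathkeeper access rules for rules that would still forward unauthenticated requests to the upstream: an authenticator of `noop` or `anonymous` combined with the `allow` authorizer. The rule ids, hostnames, ports and paths are constructed placeholders, the handler configs are omitted for brevity, and `find_open_rules` is a hypothetical helper name.

```python
import json

# Authenticator handlers that let a request through without checking a credential.
OPEN_AUTHENTICATORS = {"noop", "anonymous"}

# Constructed sample in Oathkeeper's access-rule JSON layout; ids, hosts and
# ports are placeholders, not values from the Ory documentation.
SAMPLE_RULES = json.loads("""
[
  {"id": "admin-open",
   "upstream": {"url": "http://ory-server.internal:8080"},
   "match": {"url": "https://gw.example.com/admin/<.*>", "methods": ["GET", "POST"]},
   "authenticators": [{"handler": "noop"}],
   "authorizer": {"handler": "allow"},
   "mutators": [{"handler": "noop"}]},
  {"id": "admin-fallback",
   "upstream": {"url": "http://ory-server.internal:8080"},
   "match": {"url": "https://gw.example.com/keys/<.*>", "methods": ["GET"]},
   "authenticators": [{"handler": "jwt"}, {"handler": "anonymous"}],
   "authorizer": {"handler": "allow"},
   "mutators": [{"handler": "noop"}]},
  {"id": "admin-protected",
   "upstream": {"url": "http://ory-server.internal:8080"},
   "match": {"url": "https://gw.example.com/clients/<.*>", "methods": ["GET", "POST"]},
   "authenticators": [{"handler": "oauth2_introspection"}],
   "authorizer": {"handler": "remote_json"},
   "mutators": [{"handler": "header"}]}
]
""")


def find_open_rules(rules):
    """Return {rule id: [open handlers]} for rules that forward unauthenticated requests."""
    findings = {}
    for rule in rules:
        handlers = [a.get("handler") for a in rule.get("authenticators", [])]
        open_handlers = sorted(OPEN_AUTHENTICATORS.intersection(handlers))
        authorizer = rule.get("authorizer", {}).get("handler")
        # An open authenticator only matters if the authorizer then lets everything through.
        if open_handlers and authorizer == "allow":
            findings[rule.get("id", "<no id>")] = open_handlers
    return findings


if __name__ == "__main__":
    for rule_id, handlers in find_open_rules(SAMPLE_RULES).items():
        print(f"{rule_id}: unauthenticated access via {', '.join(handlers)} + allow")
```

The `admin-fallback` rule shows the less obvious case: a `jwt` authenticator is listed first, but the `anonymous` fallback still admits requests that carry no credential.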

If you need help, reach out to the community on Ory Community Slack.

If you have ideas on how to improve this document, please open an issue.