Import existing keys
Talos can manage API keys that were created outside the system. Import lets you migrate from a legacy key management solution or centralize keys from multiple providers without rotating credentials. For large migrations, use the batchImport API to import up to 1000 keys in a single request.
How import works
When you import a key, Talos stores a cryptographic hash (HMAC-SHA256) of the raw key. The original key is never stored. Verification works by computing the same hash and looking it up in the database.
Imported keys support the same features as issued keys: scopes, metadata, expiration, token derivation (JWT/macaroon), and revocation.
Import a single key
CLI:
RESPONSE=$(talos keys imported import "Stripe production key" \
  --raw-key "sk_live_test_51OxAM2Qly" \
  --actor payment-service \
  --scopes "payments:read,payments:write" \
  --ttl 8760h \
  --metadata '{"source": "stripe", "environment": "production"}' \
  --format json \
  -e "$TALOS_URL" 2>/dev/null)
echo "$RESPONSE" | jq .
export IMPORTED_KEY_ID=$(echo "$RESPONSE" | jq -er '.imported_api_key.key_id')

curl:
RESPONSE=$(curl -s -X POST "$TALOS_URL/v2alpha1/admin/importedApiKeys" \
  -H "Content-Type: application/json" \
  -d '{
    "raw_key": "sk_live_test_51OxAM2Qly",
    "name": "Stripe production key",
    "actor_id": "payment-service",
    "scopes": ["payments:read", "payments:write"],
    "ttl": "8760h",
    "metadata": {"source": "stripe", "environment": "production"}
  }')
echo "$RESPONSE" | jq .
export IMPORTED_KEY_ID=$(echo "$RESPONSE" | jq -er '.key_id')
Request fields
The key fields are raw_key (the actual API key string), name, actor_id, and optional scopes, ttl, and metadata. For the complete field reference, see the ImportAPIKey API reference.
The response returns an imported_api_key object. The raw_key is never returned after import.
Verify an imported key
Imported keys use the same verification endpoint as issued keys. The data plane automatically detects the credential type:
CLI:
talos keys verify "sk_live_test_51OxAM2Qly" -e "$TALOS_URL"

curl:
curl -s -X POST "$TALOS_URL/v2alpha1/admin/apiKeys:verify" \
  -H "Content-Type: application/json" \
  -d '{"credential":"sk_live_test_51OxAM2Qly"}' | jq .
Batch import
Import up to 1000 keys in a single request:
CLI:
talos keys imported batch-import --file - -e "$TALOS_URL" <<'JSON'
[
  {"raw_key": "ghp_batch_key_001", "name": "GitHub PAT 1", "actor_id": "dev-team"},
  {"raw_key": "ghp_batch_key_002", "name": "GitHub PAT 2", "actor_id": "dev-team"}
]
JSON

curl:
curl -s -X POST "$TALOS_URL/v2alpha1/admin/importedApiKeys:batchImport" \
  -H "Content-Type: application/json" \
  -d '{
    "requests": [
      {"raw_key": "ghp_batch_key_001", "name": "GitHub PAT 1", "actor_id": "dev-team"},
      {"raw_key": "ghp_batch_key_002", "name": "GitHub PAT 2", "actor_id": "dev-team"}
    ]
  }' | jq .
Batch response
The response includes a results array with per-item outcomes (imported_api_key on success, error_code and error_message on failure), plus success_count and failure_count counters. If at least one key succeeds, the HTTP response is 200 OK.
For the complete response field reference, see the BatchImportAPIKeys API reference. For batch import error codes, see the error codes reference.
List imported keys
CLI:
talos keys imported list -e "$TALOS_URL"

curl:
curl -s "$TALOS_URL/v2alpha1/admin/importedApiKeys?actor_id=payment-service&page_size=10" | jq .
Revoke an imported key
Imported keys are revoked through the same unified endpoint as issued keys:
CLI:
talos keys revoke "$IMPORTED_KEY_ID" --reason superseded -e "$TALOS_URL"

curl:
curl -s -X POST "$TALOS_URL/v2alpha1/admin/apiKeys/$IMPORTED_KEY_ID:revoke" \
  -H "Content-Type: application/json" \
  -d '{"reason": "REVOCATION_REASON_SUPERSEDED"}'
echo ""
echo "Imported key revoked"
Delete an imported key
For permanent removal (no audit trail), use the delete endpoint:
CLI:
talos keys imported delete "$IMPORTED_KEY_ID" -e "$TALOS_URL"

curl:
curl -s -X DELETE "$TALOS_URL/v2alpha1/admin/importedApiKeys/$IMPORTED_KEY_ID"
echo ""
echo "Imported key deleted"
Deletion is permanent and irreversible. Prefer revocation when you need to keep an audit trail.
Next steps
- Batch operations -- batch verify and batch import in detail
- Key lifecycle -- update, rotate, and revoke keys
- Derive tokens -- mint JWTs or macaroons from imported keys
