Operate
Run Ory Talos in production: install, configure, choose a database, and deploy.
Get started
- Install — install with Homebrew or Scoop, pull the Docker image, or download a binary
- Configure — set up the config file, environment variables, and secrets
- Database — choose and configure a database backend
- Deploy — run Talos with Docker, Kubernetes, or as a systemd service
Production checklist
Review these guides before going to production:
- Secrets management — configure and rotate HMAC and pagination-token secrets
- TLS — enable TLS termination or configure a reverse proxy
- Monitoring — set up Prometheus metrics, OpenTelemetry tracing, and health checks
- Security hardening — production security checklist
- Benchmarks — performance baselines and load testing
Commercial features
These features require the Commercial edition:
- PostgreSQL, MySQL, and CockroachDB SQL backends
- Caching — in-memory and Redis caching to cut database load and verification latency
- Edge proxy — cache key verification close to your application
- Multi-tenancy — serve multiple tenants from a single cluster
Architecture
Talos exposes two surfaces in a single binary:
- Admin — manages the key lifecycle and serves verification. It has no built-in authentication, so run it behind a trusted proxy or on an internal-only network. See Admin protection.
- Self-service — exposes proof-of-possession self-revocation to credential holders. It validates proof of possession inline, so it's safe on the public network.
Run both surfaces in one process (talos serve) or split them for production (talos serve admin, talos serve public). See Deployment modes for details.
