So this seems to be M2M tokens - what about the, arguably more common, use case of creating a short lived or simply ephemeral token to allow an AI agent to use a service (e.g: GitHub) without the possibility to have it leak a valid upstream token in a commit message?

My solution to this particular problem is gh-proxy - but of course GitHub is only one of the 100s of services that one might want this for.

https://github.com/denysvitali/gh-proxy

Btw, I love Ory and I'm always amazed by your new releases!

Appreciate the love :)

For AI Agents we have added token derivation to Ory Talos which allows you to exchange a static API key for a ephemeral, short lived, and restricted token. It can be both a JWT and a Macaroon (super interesting for caveats)!

However this would require GitHub to use Ory Talos and it‘s not a solution for third party credentials really.

So your project solves that need quite nicely, and I‘ll check it out in more detail today :)