HackerTrans
TopNewTrendsCommentsPastAskShowJobs

aeneas_ory

169 karmajoined 3 anni fa
Founder and CTO of Ory, an open source company. Visit us at https://github.com/ory

---

meet.hn/city/48.1371079,11.5753822/Munich

Socials: - github.com/aeneasr - linkedin.com/in/aeneasr

Interests: AI/ML, Cybersecurity, Entrepreneurship, Hacking, Open Source, Startups

---

Submissions

Anthropic says: nothing wrong with our usage limits, you're hallucinating

reddit.com
7 points·by aeneas_ory·3 mesi fa·1 comments

Show HN: Scanner to check if you are affected by the axios supply chain attack

github.com
2 points·by aeneas_ory·3 mesi fa·0 comments

New versioning strategy for Ory and v25.4 release week

ory.com
1 points·by aeneas_ory·8 mesi fa·0 comments

Show HN: Open-source OAuth2 server Ory Hydra 25.4 ships OAuth2.1 and Device Auth

github.com
2 points·by aeneas_ory·8 mesi fa·0 comments

Show HN: Secure AI contexts with open source reBAC-protected RAG and SQLite-vec

github.com
4 points·by aeneas_ory·9 mesi fa·0 comments

comments

aeneas_ory
·4 giorni fa·discuss
Auth is not stable, it‘s constantly changing and evolving and also a lot of work to keep secure, and scalable. Auth is critical infrastructure and certainly not free. Most companies with homegrown at some point go to a vendor because it is so much work to DIY.

I can’t speak for Vercel‘s goals or pricing - but Ory is evidently still open source while many others went other routes!
aeneas_ory
·4 giorni fa·discuss
Probably the first time reading that the Ory stack is unfinished! Sorry you had a frustrating time, but there's 10 years of development and many happy customers + adopters who see it differently! Polis / Boxy still works as before, we didn't gut or take away anything.

Open source development needs to be paid by someone - most of the time people complaining about paying for software are working themselves (for money!) in some company making huge bucks, or looking up to "successful (as in money) tech leaders".

For Ory, B2B login is a good value differentiator, because it's required by companies selling to other companies meaning they can spend some money on licenses to further develop software.

Ory powers the largest technology providers, and super small solo projects. It's robust, stable, Apache2 licensed. It's the best CIAM tech out there that's free (!!).

In the end, everyone is entitled to their opinion but the "open source can't make money" train is honestly a bottom tier opinion and I'm tired of reading it on HN, probably written by people making $100K+ a year for writing software and using open source daily (without paying a dime).

It's like the people complaining that Wikipedia is collecting too many donations, while they cheer on Apple or Anthropic or whoever raking in billions of dollars.

Somehow, only if it's open source / non profit it's bad to make money. If it's proprietary nobody gives a damn. Says a lot about society.
aeneas_ory
·16 giorni fa·discuss
Truly appreciated, thank you :)
aeneas_ory
·16 giorni fa·discuss
My mistake - I thought it‘s now just under the IBM corp but it is indeed in CNCF. Still, IBM offers a commercial product around KeyCloak.

If you serve 900m weekly active users, you need this type of distributed database architecture that is expensive to run. But at that point the cost of running it is a fraction of overall infra spend. No start up really needs this level of scale, only Enterprises (hence it‘s gated). Making Cockroach work is more work than just wiring up the SQL, you actually need to deal with it like dynamodb under the hood and use primary keys efficiently, avoid hotspots, and all that jazz.

Most companies (like Cloudflare!) do just fine with Postgres and one of our services. Ory Hydra is written in Go, doesn’t need JVM, very little RAM, doesn’t need caches or start up time due to cold starts. The architecture is different and that makes it cheap and fast to run. From the blog post - they run Hydra on 0.6 vCPU and 200MB of RAM. That’s probably as cheap as it gets!

It‘s a different tool for a different problem than KeyCloak - both have their place.
aeneas_ory
·17 giorni fa·discuss
KeyCloak is great if you want a full stack Java server to run internal workforce for example, but Ory is much better at running high scale (eg at OpenAI https://www.ory.com/case-studies/openai) and in a composable fashion.

Yes we have an commercial version because how else can one finance world class open source powering the biggest software names on the planet? It‘s a good thing that Ory has a business model that works, not a bad thing. And by the way, IBM finds ways to charge you for KeyCloak too ;)
aeneas_ory
·17 giorni fa·discuss
OAuth2 is complex and often not the right tool. I wrote Ory Hydra and also a blog post when OAuth2 is/is not a good idea: https://www.ory.com/blog/oauth2-openid-connect-do-you-need-u...

For API Keys we just launched Ory Talos (https://github.com/ory/talos) - a perfect alternative for when OAuth2 is too much for the use case.

There are use cases and security concerns that legitimize using OAuth2 - with specs like DPoP you can make these flows more secure. In my view the use cases presented here is a good one for OAuth2, but it certainly doesn’t make sense everywhere - complexity makes system harder to secure.
aeneas_ory
·17 giorni fa·discuss
Author of Ory Hydra here! Very cool to see this blog post and technical description! I never would have thought this piece of software would secure the internet companies in the world :) Also great to see that the 2.x version performs so well for you! The CPU use is ridiculously small for that scale! We have a commercial variant that‘s even faster, if you ever run into trouble.

If anyone here is interested in providing their own oauth, IAM, rebac permissions, API keys, agent security - check out our open source & commercial products at https://github.com/ory and https://www.ory.com/
aeneas_ory
·mese scorso·discuss
Appreciate the love :)

For AI Agents we have added token derivation to Ory Talos which allows you to exchange a static API key for a ephemeral, short lived, and restricted token. It can be both a JWT and a Macaroon (super interesting for caveats)!

However this would require GitHub to use Ory Talos and it‘s not a solution for third party credentials really.

So your project solves that need quite nicely, and I‘ll check it out in more detail today :)
aeneas_ory
·mese scorso·discuss
We built Ory Talos (not to confuse with Talos Linux) to solve API keys (think OpenAI and Anthropic API keys) at scale and with the best practices around capabilities and securities.

If you have any questions, please shoot :)
aeneas_ory
·3 mesi fa·discuss
What are parallel agents worth to professional engineers if reviewing the code is a pain (aka non existent) in Zed? Please add proper code review tools (compare with branch|file|revision) and GH pr review tools like IntelliJ!
aeneas_ory
·3 mesi fa·discuss
Besides some of the obvious hacks to reduce token usage, properly indexed code bases (think IntelliJ) reduce token usage significantly (30%-50%, while keeping or exceeding result quality compared with baseline) as shown with https://github.com/ory/lumen

Anthropic is not incentivized to reduce token use, only to increase it, which is what we are seeing with Opus 4.6 and now they are putting the screws on
aeneas_ory
·3 mesi fa·discuss
Read the source code
aeneas_ory
·3 mesi fa·discuss
Check if your machine was affected with this tool: https://github.com/aeneasr/was-i-axios-pwned
aeneas_ory
·3 mesi fa·discuss
I wrote a tool that helps you check if your machine was compromised: https://github.com/aeneasr/was-i-axios-pwned
aeneas_ory
·3 mesi fa·discuss
Why does is this ridiculous thing trending on HN? There are actually good tools to reduce token use like https://github.com/thedotmack/claude-mem and https://github.com/ory/lumen that actually work!
aeneas_ory
·5 mesi fa·discuss
Sounds like GPT wrote this piece based on some tech exec‘s „we must use AI or lose“ „strategy“. Just let engineers use the tools they want instead of force feeding them yet another ridiculous process. For me, if I have to do meetings in the morning (or „write promps“ lmao) instead of clearing out the ridiculous AI slop debt of code agents my product would never ship.
aeneas_ory
·5 mesi fa·discuss
It‘s really hard to read this article, it smells of LLM generated slop once you get past the first couple of paragraphs - lots of negative parallelisms and lots of words without adding value to the sentence:

> To validate the thesis that the Yen unwind is the primary driver of volatility, we must examine the sequence of events. The crash did not happen in a vacuum; it followed a precise timeline …

> It wasn't just about rates anymore; it was about the stability of the U.S.-led global order

> The unwinding of a carry trade is not a monolithic event; it is a cascade that ripples outward

It‘s like almost in every paragraph. I don’t understand why this gets to be on the frontpage to be honest. It just reads horrible even if some of the points may be true (or hallucinated, who knows)
aeneas_ory
·5 mesi fa·discuss
That's fair - removed. It was more geared towards the people who make more out of this than what it is (an interesting idea and cool tech demo).
aeneas_ory
·5 mesi fa·discuss
The AI code slop around these tools is so frustrating, just trying to get the instructions from the CTA on the moltbook website working which flashes `npx molthub@latest install moltbook` isn't working (probably hallucinated or otherwise out of date):

      npx molthub@latest install moltbook  
       Skill not found  
      Error: Skill not found
Even instructions from molthub (https://molthub.studio) installing itself ("join as agent") isn't working:

      npx molthub@latest install molthub
       Skill not found
      Error: Skill not found
Contrast that with the amount of hype this gets.

I'm probably just not getting it.
aeneas_ory
·6 mesi fa·discuss
Catch or prevent - linting only covers a tiny (depending on programming language sometimes more sometimes less) subset of runtime problems. The whole back pressure discussion feels like AI coders found out about type systems and lint rules - but it doesn’t resolve the type problems we get in agentic coding. The only „agent“ responsible for code correctness (and thus adherence to feature specification) is the human instructing the agent, a better compiler or lint rule will not prevent massive logic bugs LLMs tend to create like tests testing functions that have been created by the LLM for the test to make it pass, broken logic flows, missing DI, recreating existing logic, creating useless code that’s not being used anywhere yet pollutes context windows - all the problems LLM based „vibe“ coding „shines“ with once you work on a sufficiently long running project.

Why do I care so much about this? Because the „I feel left behind“ crowd is being gaslighted by comments like the OPs.

Overall strict type systems and static code analysis have always been good for programming, and I‘m glad vibe coders are finding out about this as well - it just doesn’t fix the lack of intelligence LLMs have nor the responsibility of programmers to understand and improve the generated stochastic token output