Authentication is evolving. Autonomous agents, IoT devices, and headless clients increasingly need secure, standards-based ways to obtain and manage access.
With Ory Hydra v25.4.0 – the latest version of Hydra from the Ory OSS ecosystem – agentic authentication becomes first-class. This release introduces support for the Device Authorization Grant (RFC 8628), token chain revocation and the OAuth 2.1 discovery endpoint, making Hydra the production-ready OAuth 2.1 and OpenID Connect server for modern applications.
Ory has also moved to a new versioning scheme to make upgrades more predictable. Learn more about the new versioning scheme.
Supporting the agents of the future
Hydra v25.4.0 strengthens its foundation for agentic authentication, where autonomous agents or constrained devices need to obtain and manage access without a browser or direct user interaction.
The Device Authorization Grant (RFC 8628), also known as Device Authorization Flow, enables secure authorization for devices with limited input capabilities: from smart TVs and gaming consoles to IoT devices and AI agents. Users can approve these agents via a secondary device, solving a long-standing challenge in headless and automated environments. This lets users safely authorize autonomous agents without ever exposing passwords or browser sessions.
Hydra now also serves the OAuth 2.1 discovery endpoint, alongside its existing OpenID Connect configuration. This alignment with emerging standards simplifies integration for agents and clients that expect OAuth 2.1 metadata, reducing friction in federated or automated flows.
Together, these features close key gaps for agentic use cases by combining standards compliance with Hydra’s production-grade consent and session management.
More control, more trust
Hydra v25.4 also introduces token chain revocation. Operators can now revoke an entire token chain, and refresh token and all derived access tokens that are tied to a specific consent session. This gives teams a much stronger way to control access lifecycles and tighten security when consent is withdrawn.
We’ve also made significant performance and usability improvements:
- Lower latency when revoking linked Kratos sessions
- Faster JWT queries with new database indexing
- Smarter client updates with
JWKS URI support
- Clearer, friendlier CLI usage
Security and stability
Security is at the core of Ory. Hydra v25.4 includes a backport for CVE-2025-27144, upgrades to the Go 1.24.x toolchain, and refreshed dependencies in our cryptographic stack. Database migrations have been fixed for CockroachDB v25+ and improved for Postgres users. These changes ensure Hydra remains reliable at scale, across environments.
Get started
Upgrading is straightforward. Remember to run migrations before rollout, add the required UI screens if you’re using device auth flows, and expect a few new metrics if you’re scraping Prometheus. Full details are available in the release notes.
The new Ory Hydra isn’t just another open source release — it’s the start of a new era for authentication, one where agents and devices are first-class citizens alongside human users.
New releases coming this week
Stay tuned as we announce new OSS versions of Kratos, Keto, and Oathkeeper in the following days. Each release will follow the new versioning format with clear upgrade documentation.
Join us for a live walkthrough on Thursday, November 13th where we'll dive into the updates made to the Ory stack, demonstrate the new versioning, and answer your questions about the newly released OSS features and upgrade.
Why Ory Enterprise License matters
Open source releases give you powerful identity infrastructure. However, mission-critical production environments often need continuous security patches, enterprise features that support compliance requirements, and updates that keep pace with your infrastructure demands.
Ory Enterprise License (OEL) provides continuous releases with the latest security patches and advanced enterprise features between open source releases.
For teams running identity infrastructure that needs to stay secure, compliant, and performant at scale, OEL delivers the update cadence and enterprise capabilities that production environments require.
Evaluating Ory for web-scale production? Learn more about OEL.
Questions about the new versioning? Join us in Ory Community Slack or GitHub Discussions.
