OAuth 2.0 Server & OpenID Connect Provider | Ory Hydra

Question 1

What is Ory Hydra?

Accepted Answer

Ory Hydra is an OAuth 2.0 and OpenID Connect server written in Go. It is OpenID Certified and handles token issuance, consent management, client registration, and cryptographic key storage. Ory Hydra does not manage users or passwords. It delegates authentication to an external login provider (such as Ory Kratos or your own system) through a Login and Consent flow. This separation means Ory Hydra works with any existing identity backend. Ory Hydra is available as open-source software (Apache 2.0), under the Ory Enterprise License for self-hosted production, and as part of the fully managed Ory Network.

Question 2

What business benefits does Ory Hydra provide?

Accepted Answer

Total Brand Sovereignty - Legacy IAM platforms often force you to use their hosted login pages, leading to a fragmented user journey that limits conversions. Ory Hydra is a headless, API-first solution. Your developers can build pixel-perfect login, registration, and MFA screens that live entirely within your brand's ecosystem, while Ory Hydra manages the secure tokens in the background.

Planet-Scale Performance and Low Latency - For global businesses, identity is often the primary bottleneck for application speed. Ory Hydra is built for high-concurrency environments (like the scale required by OpenAI’s 900M+ weekly active users). It offers sub-millisecond response times, ensuring that security checks never degrade the user experience, even during massive traffic spikes.

Reduced Compliance Risk & Hardened Security - Implementing OAuth2 and OIDC from scratch is a significant security liability. Ory Hydra is a certified OIDC provider, significantly reducing your "Remediation Gap" and lowering the risk of data breaches associated with homegrown identity stacks.

Cost Effective Growth Traditional providers often charge "per-user" or "per-login" fees that punish growth. Ory is written in Go and takes an API-first headless approach. Because it is resource-efficient, businesses can scale to millions of users without the exponential cost increases associated with legacy SaaS platforms. Ory takes a average Daily Active Users (aDAU) approach to cost that has significant advantages over the more common Monthly Active User (MAU) approach.

Question 3

What OAuth 2.0 and OpenID Connect flows does Ory Hydra support?

Accepted Answer

Ory Hydra supports the Authorization Code Grant (with PKCE), Client Credentials Grant, Implicit Grant (deprecated per spec), Refresh Token Grant, Device Authorization Grant, and OAuth 2.0 Token Exchange (RFC 8693). It also supports the JWT Bearer profile for client authentication (RFC 7523). Ory Hydra is certified by the OpenID Foundation for Basic, Implicit, Hybrid, Config, and Dynamic OpenID Provider profiles.

Question 4

What is the Login and Consent App? How does Ory Hydra integrate with my identity provider?

Accepted Answer

The Login and Consent App is a web application you build (or use a reference implementation of) that handles two responsibilities: authenticating the user against your identity store, and asking the user for consent to share data with an OAuth2 client. When an OAuth2 flow starts, Ory Hydra redirects the user to your Login App with a challenge parameter. Your app verifies the user's credentials, then calls the Ory Hydra admin API to accept the login. Ory Hydra then redirects to your Consent App, which presents the requested scopes and calls the Ory Hydra API to accept or reject.

This design means Ory Hydra integrates with any identity backend: Ory Kratos, Keycloak, Azure AD, a custom database, or anything else. On the Ory Network, the Login and Consent flow is pre-integrated with Ory Kratos and the Ory Account Experience UI, so you can skip building it yourself.

Question 5

What is the difference between Ory Hydra and Ory Kratos?

Accepted Answer

Ory Hydra handles delegation: issuing OAuth 2.0 access tokens and OpenID Connect ID tokens so that third-party applications can access resources on behalf of users. Ory Kratos handles identity: login, registration, MFA, account recovery, and session management.

If you only need login for your own first-party app, use Ory Kratos alone. You do not need OAuth 2.0 just to authenticate your own users. If you need to issue tokens to third-party clients, enable machine-to-machine flows, or act as an OpenID Connect provider, use Ory Hydra. Ory Kratos and Ory Hydra pair naturally: Ory Kratos provides the identity layer, and Ory Hydra handles the OAuth2/OIDC protocol.

Question 6

Why Ory for Your IAM?

Accepted Answer

Ory Hydra delivers a "deploy-anywhere," OAuth2 and OpenID Connect-certified platform built for trillion-scale performance. By decoupling identity from application logic, Ory empowers global enterprises to eliminate vendor lock-in and secure a vast ecosystem of customers, partners, and AI agents. Consolidate your authorization layer into modular building blocks to slash total cost of ownership (TCO) and accelerate the delivery of mission-critical, secure-by-design applications.

Question 7

What token formats does Ory Hydra support?

Accepted Answer

Ory Hydra supports two access token formats. Opaque tokens (the default) are random strings stored in the database and validated via lookup. They are immediately revocable. JWT access tokens are self-contained and verified by checking their cryptographic signature, without a database call. The trade-off is that JWTs cannot be instantly revoked. You can configure the token format globally or per client. Refresh tokens are always opaque. Ory Hydra also supports token introspection (RFC 7662) so resource servers can validate tokens and check revocation status.

You can add custom claims to access tokens and ID tokens through the consent flow, by promoting claims to the top level of JWTs, or by registering a token webhook that Ory Hydra calls before issuing any token.

Question 8

Does Ory Hydra support machine-to-machine authentication?

Accepted Answer

Yes. The client credentials flow lets services authenticate without user interaction. Create an OAuth2 client with the client_credentials grant type, and the service exchanges its credentials for an access token. Ory Hydra supports three client authentication methods: Basic Authentication, body-based authentication, and JWT Bearer with a private key. You can use token webhooks to inject custom claims into M2M tokens.

Question 9

How do I manage OAuth2 clients in Ory Hydra?

Accepted Answer

Ory Hydra provides a full client lifecycle API. You can create, read, update, and delete OAuth2 clients via the Ory Console, the Ory CLI, the admin REST API, or SDKs in Go, TypeScript, Python, Java, PHP, Ruby, Rust, Dart, .NET, and Elixir. Ory Hydra also supports OpenID Connect Dynamic Client Registration (RFC 7591/7592) for programmatic client creation.

Question 10

What databases does Ory Hydra support?

Accepted Answer

PostgreSQL (12+), MySQL (8+), and CockroachDB are supported for production. SQLite is supported for local development only. CockroachDB is recommended for multi-region deployments or complex disaster recovery requirements. Connection pooling parameters are configurable for each database. On the Ory Network, the database layer is managed for you.

Question 11

How does Ory Hydra fit into the Ory ecosystem?

Accepted Answer

Ory Hydra is the delegation layer. It handles OAuth 2.0 and OpenID Connect: issuing access tokens, refresh tokens, and ID tokens so that third-party applications, partner services, and AI agents can access your APIs on behalf of users or on their own authority. Ory Hydra does not manage users or passwords itself. It delegates authentication to a Login and Consent App, which is where Ory Kratos fits in. When an OAuth 2.0 flow begins, Ory Hydra redirects the user to Ory Kratos for authentication, then collects consent and issues tokens. Ory Keto can enforce fine-grained permissions on the resources those tokens grant access to. Ory Oathkeeper can introspect tokens issued by Ory Hydra at the network edge, rejecting unauthorized requests before they reach your services. Ory Polis extends the ecosystem with SAML-to-OIDC bridging for enterprise SSO scenarios where Ory Hydra acts as the downstream OIDC provider. If you only need first-party login (no third-party token issuance), you do not need Ory Hydra at all; Ory Kratos handles that directly with native session management. You add Ory Hydra when you need to act as an OAuth 2.0/OIDC provider for external clients, enable machine-to-machine authentication, or secure MCP-based AI agent interactions. On the Ory Network, Ory Hydra and Ory Kratos are pre-integrated, so the Login and Consent flow works out of the box without building a custom app.

Question 12

How is Ory Hydra different from Keycloak?

Accepted Answer

Keycloak bundles user management, login, and OAuth2/OIDC into a single system. This means your authentication, user storage, and token issuance are all coupled in one Java-based application. Ory Hydra takes the opposite approach: it handles only OAuth2/OIDC and connects to your existing identity provider through a headless Login and Consent flow.

This separation has three practical consequences.

First, you keep your existing user database and login system. Ory Hydra does not force you to migrate users or adopt a new login UI.

Second, Ory Hydra ships as a lightweight Go binary (~5MB Docker image) optimized for cloud-native environments, compared to Keycloak's heavier JVM-based footprint.

Third, you get full control over the login and consent UX because you build those screens yourself, in your framework, with your design system.

The trade-off is that Ory Hydra requires you to implement or reuse a Login and Consent App. If you want a bundled system that handles both identity and OAuth2 out of the box, use Ory Kratos and Ory Hydra together, or use the Ory Network where they are pre-integrated.

Question 13

Is Ory Hydra free? How does pricing work?

Accepted Answer

Ory Hydra open source is free under the Apache 2.0 license. You can self-host it at no cost.

The Ory Network managed service has a free Developer tier for testing and proof-of-concept work. On the Ory Network, each M2M token issued via the Client Credentials flow is billed at a per-token rate. Token introspection calls are not billed. Each paid plan includes a monthly usage credit.

For self-hosted production with SLAs, CVE patching, enterprise features (such as stateless JWT tokens and high-performance pooling), and dedicated support, the Ory Enterprise License is available at custom pricing.

Hydra The cloud native OAuth 2.0 server and OpenID Connect provider.

Need support?

Need to move quickly?

Millions of users. Unlimited scale.

SDKs for every stack

OpenID Certified® OAuth 2.0

Powered by Open Source

SDKs for every stack

OpenID Certified® OAuth 2.0

Powered by Open Source

OAuth 2.0 and OpenID Connect features for production

Full OAuth 2.0 spec coverage

OpenID Certified®

Bring your own UX

Compatible with MITREid

Cryptographic key storage

Production-grade scale and performance

How to de-risk identity at scale with Ory

Deploy Ory Hydra on your preferred infrastructure

Open Source

Ory Enterprise License

Ory Network

Ready to try Ory Hydra?

More on Ory Hydra

OpenAI uses open source Ory to authenticate over 400M weekly active users

Scaling Ory Hydra to ~2bn monthly OAuth2 flows on a single PostgreSQL DB

Ory Hydra FAQ

Try Ory today Start for free