Ory Hydra

Ory Hydra is an open-source Open Authorization 2.0 (OAuth 2.0) and OpenID Connect (OIDC) server and identity layer (identity and access) designed for secure, standards-based delegated authentication and authorization in distributed systems.

  • Open-source OAuth 2.0 and OIDC provider for delegated authorization and authentication (identity and access).
  • Implements OAuth 2.0 flows, including authorization code, implicit, client credentials, and refresh tokens (identity and access).
  • Provides an OpenID Certified implementation of OIDC for user identity tokens and login flows (identity and access).
  • Integrates with external identity providers and login UIs through a decoupled consent and login app model (identity federation).
  • Designed for cloud-native deployments with a stateless, container-friendly architecture using a Structured Query Language (SQL) database as a System of Record (SOR) (cloud infrastructure).

More About Ory Hydra

Ory Hydra is an OAuth 2.0 and OIDC server (identity and access) that focuses on providing standards-compliant delegated authorization and authentication for web, mobile, and API-driven applications. It implements the OAuth 2.0 authorization framework and the OIDC identity layer so that applications can offload token issuance, validation, and consent handling to a central, auditable service while keeping actual user authentication under the control of existing identity systems.

The project exposes OAuth 2.0 endpoints and supports established grant types (identity and access), including the authorization code flow, implicit flow, client credentials, and refresh tokens, enabling a range of first-party and third-party client scenarios. It also implements OIDC (identity and access) to issue ID tokens and manage user login and consent flows, and is listed as an OpenID Certified provider by the OpenID Foundation. By adhering to these protocols, Ory Hydra can act as an authorization server and OpenID Provider in architectures that separate applications (clients), APIs (resource servers), and identity services.

A central design feature of Ory Hydra is its decoupled login and consent architecture (identity federation). Instead of directly handling user passwords or user interfaces, Hydra delegates login and consent to an external application controlled by the operator. This model allows integration with existing identity providers, directories, or authentication systems while Hydra remains responsible for issuing and managing OAuth 2.0 and OIDC tokens. Enterprises can plug in custom UIs, step-up authentication, or risk engines as part of the login and consent flow without modifying Hydra itself.
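
The login and consent handoff described above, as an added example rather than Ory's own code: a minimal login/consent app that talks to Hydra's admin API. It assumes Hydra's v2 admin paths under /admin/oauth2/auth/requests, a constructed admin URL, and an injectable JSON transport so the logic can be exercised offline; the points it shows are that a `skip` login reuses the subject Hydra already holds and that a consent grant never exceeds the scopes Hydra actually requested.

```python
"""Login/consent app logic for Ory Hydra's decoupled flow. Added example, not Ory's
code; assumes Hydra v2 admin API paths under /admin/oauth2/auth/requests and an
injectable JSON transport so the logic can run offline against a fake."""
import json
from urllib import parse, request


def http_json(method, url, body=None):
    """Default transport: one JSON round-trip to Hydra's admin API."""
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(url, data=data, method=method,
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req) as resp:
        return json.load(resp)


class ConsentApp:
    def __init__(self, admin_url, transport=http_json):
        self.base = admin_url.rstrip("/") + "/admin/oauth2/auth/requests"
        self.call = transport

    def _url(self, kind, challenge, action=""):
        # Hydra identifies each pending request by its login_/consent_challenge.
        query = parse.urlencode({kind + "_challenge": challenge})
        return f"{self.base}/{kind}{action}?{query}"

    def handle_login(self, challenge, authenticate):
        """authenticate() runs the operator's own UI or IdP and returns the
        subject, or None when the user could not be authenticated."""
        req = self.call("GET", self._url("login", challenge))
        if req.get("skip"):
            subject = req["subject"]  # Hydra already has a session: reuse it
        else:
            subject = authenticate()
            if subject is None:
                body = {"error": "login_required", "error_description": "Authentication failed"}
                return self.call("PUT", self._url("login", challenge, "/reject"), body)["redirect_to"]
        body = {"subject": subject, "remember": True, "remember_for": 3600}
        return self.call("PUT", self._url("login", challenge, "/accept"), body)["redirect_to"]

    def handle_consent(self, challenge, approved_scopes, claims):
        """approved_scopes: the scopes the user ticked in the consent UI."""
        req = self.call("GET", self._url("consent", challenge))
        requested = req.get("requested_scope", [])
        # Grant only what Hydra asked about, intersected with user approval.
        granted = requested if req.get("skip") else [s for s in requested if s in approved_scopes]
        body = {"grant_scope": granted,
                "grant_access_token_audience": req.get("requested_access_token_audience", []),
                "session": {"id_token": claims}}
        return self.call("PUT", self._url("consent", challenge, "/accept"), body)["redirect_to"]
```

The browser is redirected to each returned `redirect_to` URL, which is how control passes back to Hydra after every step.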

From an operational perspective, Ory Hydra is designed as a cloud-native component (cloud infrastructure). It is written as a stateless service that persists data such as clients, consent sessions, and tokens in a SQL database, which serves as the SOR. This design aligns with container orchestration platforms and Infrastructure-as-Code (IaC) practices, because Hydra instances can be scaled horizontally while sharing the same database backend. The project provides configuration options and administrative APIs to manage OAuth 2.0 clients, consent sessions, and keys, which is relevant for regulated environments and centralized security governance.

In enterprise environments, Ory Hydra typically functions as the central authorization server in a zero trust or Application Programming Interface (API) security architecture (security architecture). It integrates with other Ory components, such as Ory Kratos for user management and authentication, and Ory Keto for access control, although it can also operate on its own with third-party identity systems. Because it implements standard protocols, Hydra interoperates with a broad range of application frameworks, API gateways, and reverse proxies that understand OAuth 2.0 and OIDC. In directory and taxonomy terms, Ory Hydra fits under identity and access management, with subcategories including OAuth 2.0 authorization server, OIDC provider, and cloud-native security component.