hub / github.com/ory/hydra

github.com/ory/hydra @v26.2.0 sqlite

7,598 symbols 28,898 edges 846 files 3,683 documented · 48%
README

Ory Hydra - Open Source OAuth 2 and OpenID Connect server


Ory Hydra is a hardened, OpenID Certified OAuth 2.0 Server and OpenID Connect Provider optimized for low-latency, high throughput, and low resource consumption. It connects to your existing identity provider through a login and consent app, giving you absolute control over the user interface and experience.


What is Ory Hydra?

Ory Hydra is a server implementation of the OAuth 2.0 authorization framework and the OpenID Connect Core 1.0. It follows cloud architecture best practices and focuses on:

  • OAuth 2.0 and OpenID Connect flows
  • Token issuance and validation
  • Client management
  • Consent and login flow orchestration
  • JWKS management
  • Low latency and high throughput

We recommend starting with the Ory Hydra introduction docs to learn more about its architecture, feature set, and how it compares to other systems.

Why Ory Hydra

Ory Hydra is designed to:

  • Be a standalone OAuth 2.0 and OpenID Connect server without user management
  • Connect to any existing identity provider through a login and consent app
  • Give you absolute control over the user interface and experience flows
  • Work with any authentication endpoint: Ory Kratos, authboss, User Frosting, or your proprietary system
  • Scale to large numbers of clients and tokens
  • Fit into modern cloud native environments such as Kubernetes and managed platforms

OAuth2 and OpenID Connect: Open Standards

Ory Hydra implements Open Standards set by the IETF:

and the OpenID Foundation:

OpenID Connect Certified

Ory Hydra is an OpenID Foundation certified OpenID Provider (OP).

The following OpenID profiles are certified:

To obtain certification, we deployed the reference user login and consent app (unmodified) and Ory Hydra v1.0.0.

Deployment options

You can run Ory Hydra in two main ways:

  • As a managed service on the Ory Network
  • As a self hosted service under your own control, with or without the Ory Enterprise License

Use Ory Hydra on the Ory Network

The Ory Network is the fastest way to use Ory services in production. Ory OAuth2 & OpenID Connect is powered by the open source Ory Hydra server and is API compatible.

The Ory Network provides:

  • OAuth2 and OpenID Connect for single sign on, API access, and machine to machine authorization
  • Identity and credential management that scales to billions of users and devices
  • Registration, login, and account management flows for passkeys, biometrics, social login, SSO, and multi factor authentication
  • Prebuilt login, registration, and account management pages and components
  • Low latency permission checks based on the Zanzibar model with the Ory Permission Language
  • GDPR friendly storage with data locality and compliance in mind
  • Web based Ory Console and Ory CLI for administration and operations
  • Cloud native APIs compatible with the open source servers
  • Fair, usage based pricing

Sign up for a free developer account to get started.

Self-host Ory Hydra

You can run Ory Hydra yourself for full control over infrastructure, deployment, and customization.

The install guide explains how to:

  • Install Hydra on Linux, macOS, Windows, and Docker
  • Configure databases such as PostgreSQL, MySQL, and CockroachDB
  • Deploy to Kubernetes and other orchestration systems
  • Build Hydra from source

This guide uses the open source distribution to get you started without license requirements. It is a great fit for individuals, researchers, hackers, and companies that want to experiment, prototype, or run unimportant workloads without SLAs. You get the full core engine, and you are free to inspect, extend, and build it from source.

If you run Hydra as part of a business-critical system, for example OAuth2 and OpenID Connect for all your users, you should use a commercial agreement to reduce operational and security risk. The Ory Enterprise License (OEL) layers on top of self-hosted Hydra and provides:

  • Additional enterprise features that are not available in the open source version
  • Regular security releases, including CVE patches, with service level agreements
  • Support for advanced scaling, multi-tenancy, and complex deployments
  • Premium support options with SLAs, direct access to engineers, and onboarding help
  • Access to a private Docker registry with frequent and vetted, up-to-date enterprise builds

For guaranteed CVE fixes, current enterprise builds, advanced features, and support in production, you need a valid Ory Enterprise License and access to the Ory Enterprise Docker registry. To learn more, contact the Ory team.

Quickstart

Install the Ory CLI and create a new project to try Ory OAuth2 & OpenID Connect.

# Install the Ory CLI if you do not have it yet:
bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/

# Sign in or sign up
ory auth

# Create a new project
ory create project --create-workspace "Ory Open Source" --name "GitHub Quickstart" --use-project

Try out the OAuth 2.0 Client Credentials flow:

ory create oauth2-client \
    --name "Client Credentials Demo" \
    --grant-type client_credentials
# Note the client ID and secret from output

ory perform client-credentials \
    --client-id <your-client-id> \
    --client-secret <your-client-secret>
# Note the access token from output

ory introspect token <your-access-token>
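
What a resource server should check in the JSON that `ory introspect token` returns, as an added example (not code from the Ory project). The field names follow RFC 7662; the `CheckIntrospection` helper, the `orders.read` scope, and the sample response are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Introspection holds the RFC 7662 response fields this check relies on.
type Introspection struct {
	Active   bool   `json:"active"`
	Scope    string `json:"scope"`
	ClientID string `json:"client_id"`
	Exp      int64  `json:"exp"`
}

// CheckIntrospection (hypothetical helper) decides whether a resource server
// should accept a token, given the raw introspection response body.
func CheckIntrospection(body []byte, wantScope string, now time.Time) (*Introspection, error) {
	var in Introspection
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, fmt.Errorf("malformed introspection response: %w", err)
	}
	// "active": false covers expired, revoked and unknown tokens alike;
	// no other field of such a response should be trusted.
	if !in.Active {
		return nil, errors.New("token is not active")
	}
	// Defence in depth against a stale cached response.
	if in.Exp != 0 && !now.Before(time.Unix(in.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	// Scope is a space-delimited list: match whole entries, never substrings.
	for _, s := range strings.Fields(in.Scope) {
		if s == wantScope {
			return &in, nil
		}
	}
	return nil, fmt.Errorf("scope %q not granted", wantScope)
}

func main() {
	// Constructed sample response, not real Hydra output.
	sample := []byte(`{"active":true,"scope":"orders.read","client_id":"demo-client","exp":1900000000}`)
	in, err := CheckIntrospection(sample, "orders.read", time.Unix(1800000000, 0))
	fmt.Println(in, err)
}
```

The client created in the step above requests no scope, so a token from that exact command would fail the scope check here; the example assumes a client that was granted `orders.read`.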

Try out the OAuth 2.0 Authorization Code + OpenID Connect flow:

ory create oauth2-client \
    --name "Authorize Code with OpenID Connect Demo" \
    --grant-type authorization_code,refresh_token \
    --response-type code \
    --redirect-uri http://127.0.0.1:4446/callback

ory perform authorization-code \
    --client-id <your-client-id> \
    --client-secret <your-client-secret>

Who is using Ory Hydra

The Ory community stands on the shoulders of individuals, companies, and maintainers. The Ory team thanks everyone involved, from submitting bug reports and feature requests to contributing patches and documentation. The Ory community counts more than 50.000 members and is growing. The Ory stack protects 7.000.000.000+ API requests every day across thousands of companies. None of this would have been possible without each and every one of you!

The following list represents companies that have accompanied us along the way and that have made outstanding contributions to our ecosystem. If you think that your company deserves a spot here, reach out to office@ory.com now!

Name | Logo | Website | Case Study
OpenAI | OpenAI | openai.com | OpenAI Case Study
Fandom | Fandom | fandom.com | Fandom Case Study
Lumin | Lumin | luminpdf.com | Lumin Case Study
Sencrop | Sencrop | sencrop.com | Sencrop Case Study

Extension points exported contracts — how you extend this code

Requester (Interface)
Requester is an abstract interface for handling requests in Fosite. [7 implementers]
fosite/oauth2.go
ResourceOwnerPasswordCredentialsGrantStorage (Interface)
ResourceOwnerPasswordCredentialsGrantStorage provides storage for the resource owner password credentials grant. [6 implementers]
fosite/handler/oauth2/flow_resource_owner_storage.go
Transactional (Interface)
Transactional is an interface that a storage provider has to implement to ensure atomicity for certain flows that requir [5 …
fosite/transactional.go
IDer (Interface)
(no doc) [11 implementers]
client/client.go
MappedNullable (Interface)
(no doc) [55 implementers]
internal/httpclient/utils.go
TableHeader (Interface)
(no doc) [7 implementers]
oryx/cmdx/printing.go
AuthorizeEndpointHandler (Interface)
(no doc) [8 implementers]
fosite/handler.go
AuthorizeEndpointHandlersProvider (Interface)
AuthorizeEndpointHandlersProvider returns the provider for configuring the authorize endpoint handlers. [4 implementers]
fosite/config.go

Core symbols most depended-on inside this repo

IsNil
called by 1110
internal/httpclient/utils.go
Get
called by 994
fosite/token/jwt/claims.go
String
called by 982
oryx/watcherx/event.go
Now
called by 683
oryx/reqlog/middleware.go
Add
called by 562
fosite/token/jwt/claims.go
Persister
called by 305
persistence/definitions.go
Config
called by 298
oryx/contextx/contextual.go
Error
called by 264
fosite/errors.go

Shape

Method 4,605
Function 1,917
Struct 688
Interface 241
TypeAlias 104
FuncType 43

Languages

Go 100%
TypeScript 1%

Modules by API surface

internal/httpclient/model_o_auth2_client.go · 217 symbols
internal/httpclient/api_o_auth2.go · 173 symbols
internal/httpclient/model_oidc_configuration.go · 133 symbols
fosite/oauth2.go · 106 symbols
fosite/config.go · 104 symbols
driver/config/provider.go · 96 symbols
internal/httpclient/model_oidc_user_info.go · 89 symbols
persistence/sql/persister_nid_test.go · 83 symbols
internal/httpclient/model_json_web_key.go · 79 symbols
internal/httpclient/utils.go · 77 symbols
oryx/sqlxx/types.go · 72 symbols
internal/httpclient/model_o_auth2_consent_request.go · 70 symbols

Dependencies from manifests, versioned

code.dny.dev/ssrf v0.2.0 · 1×
codeberg.org/go-fonts/liberation v0.5.0 · 1×
codeberg.org/go-latex/latex v0.1.0 · 1×
codeberg.org/go-pdf/fpdf v0.11.1 · 1×
dario.cat/mergo v1.0.2 · 1×
filippo.io/edwards25519 v1.2.0 · 1×
github.com/Masterminds/goutils v1.1.1 · 1×
github.com/Masterminds/semver/v3 v3.4.0 · 1×
github.com/Masterminds/sprig/v3 v3.3.0 · 1×
github.com/Microsoft/go-winio v0.6.2 · 1×
github.com/ProtonMail/go-crypto v0.0.0-2023071712142 · 1×
github.com/ProtonMail/go-mime v0.0.0-2023032210345 · 1×

Datastores touched

(mysql) · Database · 1 repos
mysql · Database · 1 repos
postgres · Database · 1 repos
hydra · Database · 1 repos

For agents

$ claude mcp add hydra \
  -- python -m otcore.mcp_server <graph>
