Ory Hydra

Ory Hydra is a hardened, open-source OAuth 2.0 and OpenID Connect authorization server that issues access/refresh/ID tokens, manages consent flows, and integrates with any identity provider via a login/consent redirect API — without managing users itself.

Evaluated Mar 06, 2026, v2.2.x
Tags: oauth2, oidc, auth, security, token, hydra, ory, self-hosted, pkce
⚙ Agent Friendliness
60
/ 100
Can an agent use this?
🔒 Security
93
/ 100
Is it safe for agents?
⚡ Reliability
80
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
--
Documentation
85
Error Messages
80
Auth Simplicity
65
Rate Limits
85

🔒 Security

TLS Enforcement
98
Auth Strength
95
Scope Granularity
90
Dep. Hygiene
90
Secret Handling
92

Hydra is built on Ory's fosite OAuth2 framework with hardened defaults: PKCE support, refresh token rotation, token introspection, and optional JWT access tokens (opaque tokens by default). Built by a security-focused team with regular audits. Network isolation of the admin API is a critical operational requirement: it carries no authentication of its own.

⚡ Reliability

Uptime/SLA
75
Version Stability
82
Breaking Changes
78
Error Recovery
85

Best When

You need a standards-compliant, self-hosted OAuth2/OIDC authorization server that decouples token issuance from identity management and can serve as an authorization layer for third-party integrations.

Avoid When

You need an all-in-one identity platform with built-in user management UI — use Logto or Auth0 instead; Hydra requires you to build or integrate a separate login/consent UI.

Use Cases

  • Issue OAuth2 access tokens and OIDC ID tokens for a custom identity provider by implementing the Hydra login and consent redirect API in your own backend
  • Enable third-party developers to OAuth2-authorize into your platform by running Hydra as a standards-compliant authorization server with PKCE and refresh token rotation
  • Introspect access tokens at API gateways by calling Hydra's token introspection endpoint, which lives on the admin API (/admin/oauth2/introspect in v2), so the gateway needs internal network access to Hydra rather than a shared client secret; validity is signalled by the active field in the body, not by the HTTP status
  • Implement the machine-to-machine Client Credentials grant for agent-to-agent service auth: register the client through the admin API, then have the service obtain short-lived scoped tokens from the public token endpoint (/oauth2/token) using its client credentials
  • Manage OAuth2 clients programmatically via Hydra admin REST API — create, rotate secrets, and revoke clients as part of an agent-driven developer portal
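The login half of the redirect API from the first use case, as an added example in Go (not Hydra's own code or SDK): it fetches the login request for a login_challenge from the v2 admin API, runs the application's own credential check unless Hydra reports skip, then accepts or rejects the request and returns the redirect_to URL the browser must be sent to. The admin URL, the challenge value ch-123, the subject and the in-process fake admin server are constructed for the example; the paths /admin/oauth2/auth/requests/login, .../login/accept and .../login/reject are Hydra v2's. The consent half follows the same shape against /admin/oauth2/auth/requests/consent.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// LoginRequest is the part of Hydra's login request (GET /admin/oauth2/auth/requests/login)
// a login handler needs; Skip is true when Hydra already holds a session for Subject.
type LoginRequest struct {
	Skip           bool     `json:"skip"`
	Subject        string   `json:"subject"`
	RequestedScope []string `json:"requested_scope"`
}

// adminCall performs one JSON request against the Hydra admin API. Any non-2xx status
// (404 unknown challenge, 410 challenge already used) is an error: challenges are
// single-use, so the caller must restart the authorization flow instead of retrying.
func adminCall(c *http.Client, method, rawURL string, in, out any) error {
	var body io.Reader
	if in != nil {
		b, err := json.Marshal(in)
		if err != nil {
			return err
		}
		body = bytes.NewReader(b)
	}
	req, err := http.NewRequest(method, rawURL, body)
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		msg, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
		return fmt.Errorf("hydra admin %s %s: HTTP %d: %s", method, req.URL.Path, resp.StatusCode, msg)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// HandleLogin is the backend half of the login redirect: fetch the request for the challenge,
// run the app's own credential check unless Hydra says skip, accept or reject, return redirect_to.
func HandleLogin(c *http.Client, adminURL, challenge string, authenticate func(*LoginRequest) (string, bool)) (string, error) {
	base := adminURL + "/admin/oauth2/auth/requests/login"
	q := "?" + url.Values{"login_challenge": {challenge}}.Encode()
	var lr LoginRequest
	if err := adminCall(c, http.MethodGet, base+q, nil, &lr); err != nil {
		return "", err
	}
	subject, ok := lr.Subject, true
	if !lr.Skip {
		subject, ok = authenticate(&lr)
	}
	action, payload := "/accept", map[string]any{"subject": subject, "remember": true, "remember_for": 3600}
	if !ok {
		action, payload = "/reject", map[string]any{"error": "access_denied", "error_description": "authentication failed"}
	}
	var rr struct{ RedirectTo string `json:"redirect_to"` }
	err := adminCall(c, http.MethodPut, base+action+q, payload, &rr)
	return rr.RedirectTo, err
}

// FakeRedirect is the constructed redirect_to the fake admin returns (real Hydra returns its own /oauth2/auth URL).
const FakeRedirect = "https://hydra.internal.example/oauth2/auth?login_verifier=v-123"

// NewFakeLoginAdmin is a constructed stand-in for Hydra's admin API so the example runs offline.
// It knows one challenge, "ch-123", and copies the single-use rule: after accept or reject, 410 Gone.
func NewFakeLoginAdmin() *httptest.Server {
	handled := false
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.URL.Query().Get("login_challenge") != "ch-123":
			http.Error(w, `{"error":"not found"}`, http.StatusNotFound)
		case handled:
			http.Error(w, `{"error":"request already handled"}`, http.StatusGone)
		case r.Method == http.MethodGet: // GET .../auth/requests/login
			json.NewEncoder(w).Encode(LoginRequest{RequestedScope: []string{"openid", "offline"}})
		default: // PUT .../login/accept or .../login/reject
			handled = true
			json.NewEncoder(w).Encode(map[string]string{"redirect_to": FakeRedirect})
		}
	}))
}

func main() {
	srv := NewFakeLoginAdmin()
	defer srv.Close()
	// Simulates the browser arriving at the login page with ?login_challenge=ch-123.
	to, err := HandleLogin(srv.Client(), srv.URL, "ch-123", func(*LoginRequest) (string, bool) {
		return "alice@example.com", true // replace with a real credential check
	})
	fmt.Println(to, err)
}
```

Because adminCall treats every non-2xx answer as an error and HandleLogin never retries, a challenge that has expired or was already used surfaces as an error the caller should answer by restarting the authorization request, which is the behaviour the gotchas section below asks for.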

Not For

  • User identity management (login UI, registration, password reset) — Hydra deliberately has no user store; pair it with Ory Kratos or your own IdP for user management
  • Fine-grained resource authorization — Hydra manages token issuance and scopes, not row-level or attribute-based policies; use OpenFGA or Ory Keto for those
  • Simple internal auth where OAuth2 overhead is unnecessary — for pure service-to-service auth within a trusted boundary, mutual TLS or a simpler token mechanism may be more appropriate

Interface

REST API
Yes
GraphQL
No
gRPC
No
MCP Server
No
SDK
Yes
Webhooks
No

Authentication

Methods: api_key client_credentials bearer_token
OAuth: Yes Scopes: Yes

The admin API has no built-in authentication by design and is protected only by network policy; expose it internally only. Public endpoints use standard OAuth2 client authentication (client_secret_basic, client_secret_post, private_key_jwt, or none for public clients, which should then be required to use PKCE). Ory Network uses API keys.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Self-hosted Hydra is free and unlimited. Ory Network provides managed Hydra with observability and SLA for teams that do not want to operate it themselves.

Agent Metadata

Pagination
offset
Idempotent
Partial
Retry Guidance
Documented

Known Gotchas

  • The Hydra admin API has no built-in authentication by design; it is meant to be network-restricted (internal only). Exposing it publicly is a critical misconfiguration: any caller can create or modify OAuth clients, revoke tokens, and accept login and consent requests for an arbitrary subject, which amounts to minting a session for any user
  • Login and consent challenges are single-use and expire after ttl.login_consent_request (default 30 minutes); agents implementing the login/consent redirect flow must complete the challenge before then. A used or expired challenge cannot be retried; the only recovery is to restart the authorization request
  • Refresh token rotation: once a refresh succeeds, the old refresh token is invalid. If the network fails between Hydra's response and the client persisting the new token, the session is lost for good and the user must re-authorize; persist the new token atomically (write it durably before treating the refresh as complete) and never retry a refresh with the old token
  • Token introspection (admin API, /admin/oauth2/introspect in v2) returns HTTP 200 with {"active": false} for unknown, expired and revoked tokens, NOT HTTP 401, as RFC 7662 specifies; a caller that checks only the status code will treat revoked tokens as valid. Read the active flag, and check scope and aud from the body
  • PKCE is supported but not enforced by default in either v1.x or v2.x. Set oauth2.pkce.enforced_for_public_clients: true (or oauth2.pkce.enforced: true to require it for every client) so that authorization requests without a code_challenge are rejected; otherwise an intercepted authorization code for a public client can be redeemed by the attacker
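Reading the introspection verdict from the body rather than the status code, as an added example in Go (not Hydra's or Ory's code): Introspect posts the token to the v2 admin endpoint, Authorize applies the gateway's own checks (active flag, required scopes, audience), and StatusOnlyCheck reproduces the bug the gotcha describes so the two can be compared side by side. The token values, scopes, audience and the in-process fake admin server are constructed for the example; /admin/oauth2/introspect is Hydra v2's path.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Introspection is the RFC 7662 body. Hydra answers HTTP 200 for every well-formed request
// and reports an unknown, expired or revoked token only through "active": false.
type Introspection struct {
	Active bool     `json:"active"`
	Scope  string   `json:"scope"` // space-separated
	Aud    []string `json:"aud"`
}

// Introspect posts the token to the admin API (internal network, no client secret needed).
// A non-200 here is a transport or configuration fault, never a verdict on the token.
func Introspect(c *http.Client, adminURL, token string) (*Introspection, error) {
	resp, err := c.PostForm(adminURL+"/admin/oauth2/introspect", url.Values{"token": {token}})
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("introspect: HTTP %d", resp.StatusCode)
	}
	var in Introspection
	return &in, json.NewDecoder(resp.Body).Decode(&in)
}

// StatusOnlyCheck reproduces the bug the gotcha describes: it reads HTTP 200 as "token valid"
// and never looks at "active", so revoked and unknown tokens are let through.
func StatusOnlyCheck(c *http.Client, adminURL, token string) bool {
	resp, err := c.PostForm(adminURL+"/admin/oauth2/introspect", url.Values{"token": {token}})
	if err != nil {
		return false
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

// Authorize is the gateway decision: active, every required scope granted, and issued for the
// audience this API serves. Expiry and revocation are already folded into "active" by Hydra.
func Authorize(in *Introspection, requiredScope []string, audience string) error {
	if !in.Active {
		return fmt.Errorf("token rejected: inactive")
	}
	granted := map[string]bool{}
	for _, s := range strings.Fields(in.Scope) {
		granted[s] = true
	}
	for _, s := range requiredScope {
		if !granted[s] {
			return fmt.Errorf("token rejected: missing scope %q", s)
		}
	}
	for _, a := range in.Aud {
		if a == audience {
			return nil
		}
	}
	return fmt.Errorf("token rejected: audience %q not granted", audience)
}

// CheckBearer is what a gateway filter calls per request: introspect, then decide.
func CheckBearer(c *http.Client, adminURL, token string, scopes []string, aud string) error {
	in, err := Introspect(c, adminURL, token)
	if err != nil {
		return err
	}
	return Authorize(in, scopes, aud)
}

// NewFakeIntrospectAdmin is a constructed stand-in for Hydra's admin introspection endpoint
// so the example runs offline. Every answer is HTTP 200; only the body differs.
func NewFakeIntrospectAdmin() *httptest.Server {
	tokens := map[string]Introspection{
		"good-token": {Active: true, Scope: "orders:read orders:write", Aud: []string{"api://orders"}},
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/admin/oauth2/introspect", func(w http.ResponseWriter, r *http.Request) {
		in := tokens[r.FormValue("token")] // unknown or revoked: zero value, i.e. active=false
		json.NewEncoder(w).Encode(in)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeIntrospectAdmin()
	defer srv.Close()
	for _, tok := range []string{"good-token", "revoked-token"} {
		naive := StatusOnlyCheck(srv.Client(), srv.URL, tok)
		err := CheckBearer(srv.Client(), srv.URL, tok, []string{"orders:read"}, "api://orders")
		fmt.Printf("%-14s status-only says valid=%v, authorize says: %v\n", tok, naive, err)
	}
}
```

Running it shows the revoked token passing StatusOnlyCheck and failing CheckBearer; the audience check matters because a token Hydra issued for one API (aud) is still "active" when presented to another.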

Scores are editorial opinions as of 2026-03-06.
