# Ory Hydra — Open-Source OAuth 2.0 and OpenID Connect Server

> Ory Hydra is a hardened, certified OAuth 2.0 and OpenID Connect provider that handles token issuance and consent flows while letting you own user management and login UI.

## Quick Use

```bash
# Run Hydra locally with an in-memory store. --dev relaxes the TLS and secret
# requirements for local experiments only; never start a production instance with it.
docker run --rm -p 4444:4444 -p 4445:4445 -e DSN=memory oryd/hydra:v2 serve all --dev

# Create an OAuth2 client through the admin API (port 4445) with the hydra CLI.
# The command prints the new client including its secret; Hydra stores the secret
# only as a hash, so this is the one time it is shown.
hydra create oauth2-client --endpoint http://localhost:4445 --grant-type client_credentials --scope openid
```

## Introduction

Ory Hydra is a certified OpenID Connect and OAuth 2.0 server written in Go. Unlike monolithic identity platforms, Hydra deliberately excludes user management and login screens so you can bring your own identity store and UIs. This separation of concerns makes it a clean building block for enterprise-grade authorization without vendor lock-in.

## What Ory Hydra Does

- Issues OAuth 2.0 access tokens, refresh tokens, and OpenID Connect ID tokens
- Delegates login and consent decisions to your own UI via redirect-based flows
- Supports PKCE, token introspection, revocation, and OpenID Connect dynamic client registration (disabled by default and switched on with `oidc.dynamic_client_registration.enabled`)
- Stores clients, keys, and sessions in PostgreSQL, MySQL, or CockroachDB (SQLite is available for development)
- Provides a public API (port 4444) for browsers and clients and an admin API (port 4445) that must be reachable only by your own services

## Architecture Overview

Hydra runs as a single Go binary that exposes two HTTP listeners. The public listener serves the OAuth 2.0 authorization, token, revocation, and userinfo endpoints together with the OpenID Connect discovery document and the JWKS. The admin listener manages clients and keys, handles token introspection, and accepts or rejects login and consent requests; it performs no authentication of its own, so it must never be exposed to the internet. When a browser hits the authorization endpoint, Hydra redirects it to your login app with a `login_challenge` query parameter. Your app authenticates the user however it likes, then calls the admin API to accept the request with a subject identifier (or to reject it) and sends the browser to the `redirect_to` URL Hydra returns. The same round trip repeats for consent with a `consent_challenge`, where your app decides which of the requested scopes and audiences to grant. Hydra generates and rotates its own signing keys, stores them encrypted with the system secret, and publishes only the public halves at `/.well-known/jwks.json`.
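The login and consent round trip described above, as an added example in Go. This is not Hydra's own code or the Ory SDK: it calls the v2 admin endpoints by their documented paths with plain `net/http`. The hostnames, the challenge values `lc-1`, `lc-skip` and `cc-1`, the users `alice` and `bob`, and `NewFakeAdmin`, a stand-in for Hydra's admin API, are constructed so the code runs offline. The challenge taken from the browser's query string is treated as untrusted and escaped before it goes into the admin request, a `skip=true` login request reuses Hydra's subject instead of showing a login form, and the consent handler grants only the intersection of the requested scopes and the local policy.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Hydra v2 admin API paths a login & consent app calls.
const (
	PathLogin, PathLoginAccept     = "/admin/oauth2/auth/requests/login", "/admin/oauth2/auth/requests/login/accept"
	PathConsent, PathConsentAccept = "/admin/oauth2/auth/requests/consent", "/admin/oauth2/auth/requests/consent/accept"
)

// Reply holds the fields read here: the pending request on GET, redirect_to on accept.
type Reply struct {
	Skip              bool     `json:"skip"`
	Subject           string   `json:"subject"`
	RequestedScope    []string `json:"requested_scope"`
	RequestedAudience []string `json:"requested_access_token_audience"`
	RedirectTo        string   `json:"redirect_to"`
}

// AdminClient talks to the admin listener (port 4445), which must stay off the public network.
type AdminClient struct{ Base string }

func (a AdminClient) call(method, path, param, challenge string, in any) (out Reply, err error) {
	body, _ := json.Marshal(in) // in is a map or nil; the "null" body sent on GET is harmless
	// Base is operator configuration and the challenge is escaped, so NewRequest cannot fail here.
	req, _ := http.NewRequest(method, a.Base+path+"?"+param+"="+url.QueryEscape(challenge), bytes.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return out, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // unknown, expired or already-used challenges are not 200
		return out, fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
	}
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out, err
}

// HandleLogin backs the login URL: keep Hydra's subject when it reports an existing session
// (skip=true), otherwise authenticate; then accept and return the URL the browser goes to next.
func HandleLogin(a AdminClient, challenge string, authenticate func() (string, error)) (string, error) {
	lr, err := a.call(http.MethodGet, PathLogin, "login_challenge", challenge, nil)
	if err != nil {
		return "", err
	}
	if !lr.Skip {
		if lr.Subject, err = authenticate(); err != nil {
			return "", err // a real app PUTs .../login/reject here so the client receives access_denied
		}
	}
	r, err := a.call(http.MethodPut, PathLoginAccept, "login_challenge", challenge,
		map[string]any{"subject": lr.Subject, "remember": true, "remember_for": 3600})
	return r.RedirectTo, err
}

// HandleConsent grants only the intersection of what the client requested and what policy
// allows this subject; a consent app must never add scopes of its own.
func HandleConsent(a AdminClient, challenge string, allowed func(subject, scope string) bool) (string, []string, error) {
	cr, err := a.call(http.MethodGet, PathConsent, "consent_challenge", challenge, nil)
	if err != nil {
		return "", nil, err
	}
	granted := []string{}
	for _, s := range cr.RequestedScope {
		if allowed(cr.Subject, s) {
			granted = append(granted, s)
		}
	}
	r, err := a.call(http.MethodPut, PathConsentAccept, "consent_challenge", challenge, map[string]any{
		"grant_scope": granted, "grant_access_token_audience": cr.RequestedAudience, "remember": true, "remember_for": 3600})
	return r.RedirectTo, granted, err
}

// NewFakeAdmin is a constructed stand-in for Hydra's admin API so the example runs offline: login
// challenges "lc-1" (fresh) and "lc-skip" (existing session for bob), consent challenge "cc-1"; anything else is 404.
func NewFakeAdmin() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		lc, cc := r.URL.Query().Get("login_challenge"), r.URL.Query().Get("consent_challenge")
		if lc != "lc-1" && lc != "lc-skip" && cc != "cc-1" {
			http.Error(w, "unknown or expired challenge", http.StatusNotFound)
			return
		}
		out := Reply{RedirectTo: "https://hydra.example/oauth2/auth?verifier=demo"} // accept replies
		switch r.URL.Path {
		case PathLogin:
			out = Reply{Skip: lc == "lc-skip", Subject: "bob"} // the subject only matters when skip is true
		case PathConsent:
			out = Reply{Subject: "alice", RequestedScope: []string{"openid", "offline", "admin"}, RequestedAudience: []string{"https://api.example"}}
		}
		json.NewEncoder(w).Encode(out)
	}))
}
```

Wire `HandleLogin` behind the route configured as `urls.login` and `HandleConsent` behind `urls.consent`, read `login_challenge` or `consent_challenge` from the query string, and redirect the browser to the returned URL. On a failed login a real app should PUT to `/admin/oauth2/auth/requests/login/reject` so the client receives `access_denied` instead of a dangling request.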
## Self-Hosting & Configuration

- Deploy via the Docker image `oryd/hydra:v2` or download the binary from GitHub releases
- Set the `DSN` environment variable to your database connection string (PostgreSQL recommended; `memory` is for experiments only, since everything is lost on restart)
- Set `SECRETS_SYSTEM` to a random secret of at least 32 characters and keep it identical across restarts and replicas; Hydra derives the keys that protect stored data from it
- Run `hydra migrate sql -e --yes` once at install time and after each upgrade to initialize or migrate the database schema (`-e` reads the DSN from the environment)
- Configure `URLS_SELF_ISSUER`, `URLS_LOGIN`, and `URLS_CONSENT` to point to the issuer URL and your login and consent UIs; these must be reachable by the user's browser, while the admin port must not be
- Use a `hydra.yml` config file or environment variables for TLS, CORS, token lifetimes (`ttl.*`), the access-token format (`strategies.access_token`), and PKCE enforcement for public clients (`oauth2.pkce.enforced_for_public_clients`)

## Key Features

- OpenID Certified implementation that passes the OpenID Foundation conformance suite
- Optional JWT access tokens (`strategies.access_token: jwt`) that resource servers validate locally against the JWKS with no introspection round trip; the default opaque tokens need an introspection call per request but can be revoked immediately, whereas a JWT stays valid until it expires
- Built-in JSON Web Key management with rotation support
- Per-client scope and audience restrictions let one deployment serve many APIs and tenants
- Stateless process with all state in the database, so it scales horizontally by adding replicas behind a load balancer

## Comparison with Similar Tools

- **Keycloak** — full IdP with built-in user management but heavier to operate; Hydra is leaner by design
- **Auth0** — managed SaaS with rich features but proprietary and per-MAU pricing
- **Dex** — OpenID Connect provider commonly used with Kubernetes but lacks full OAuth 2.0 server capabilities
- **ORY Oathkeeper** — companion project that acts as an identity-aware reverse proxy
- **SuperTokens** — focuses on session management and auth recipes; less OAuth 2.0 protocol depth

## FAQ

**Q: Does Hydra store user passwords?**
A: No. Hydra has no user database. You implement login in your own service and tell Hydra, through the admin API, which subject authenticated.

**Q: Can I use Hydra for machine-to-machine auth?**
A: Yes. The `client_credentials` grant is fully supported for service-to-service authentication; the client authenticates with its client ID and secret (or a private-key JWT) and no user is involved.

**Q: Is Hydra production-ready?**
A: Yes. It is an OpenID Foundation certified OpenID Connect implementation used in production by enterprises worldwide.

**Q: How does Hydra compare to the full Ory stack?**
A: Ory Kratos handles identity management, Ory Oathkeeper is an identity and access proxy in front of your APIs, and Ory Keto does permissions.
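The JWT access-token strategy listed under Key Features above, as an added example in Go of what a resource server does with such a token; this is not Hydra's code. `VerifyAccessToken` checks a token against a JWKS document of the shape Hydra publishes at `/.well-known/jwks.json`: it pins the algorithm to RS256 instead of trusting the token's `alg` header, selects the key by `kid`, verifies the signature, and only then checks `iss`, `exp` and `aud`. `NewSigningKey` and `SignRS256` are constructed stand-ins for Hydra's key management and token endpoint so the example runs offline; the issuer, audience and scope values are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"strings"
)

var b64 = base64.RawURLEncoding

// JWK holds the RSA public-key fields of one entry in Hydra's /.well-known/jwks.json.
type JWK struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }

// Claims lists what a resource server checks; Hydra emits aud and scp as arrays.
type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
	Scp []string `json:"scp"`
}

// HasScope reports whether the token carries a granted scope.
func (c *Claims) HasScope(s string) bool { return slices.Contains(c.Scp, s) }

// findKey returns the RSA public key published under kid, or nil if there is none.
func findKey(keys JWKS, kid string) *rsa.PublicKey {
	for _, k := range keys.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return nil
}

// VerifyAccessToken validates a Hydra-style RS256 access token locally: pinned algorithm,
// kid lookup in the JWKS, signature over header.payload, then iss, exp and aud. It never
// contacts Hydra, which is why a revoked JWT still verifies until exp.
func VerifyAccessToken(token string, keys JWKS, issuer, audience string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, _ := b64.DecodeString(parts[0]); json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejected header: only RS256 is accepted, got %q", hdr.Alg)
	}
	pub := findKey(keys, hdr.Kid)
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q", hdr.Kid)
	}
	sig, _ := b64.DecodeString(parts[2]) // a truncated or garbled signature simply fails to verify
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != issuer || c.Exp <= now || !slices.Contains(c.Aud, audience) {
		return nil, fmt.Errorf("claims rejected: iss=%q exp=%d aud=%v", c.Iss, c.Exp, c.Aud)
	}
	return &c, nil
}

// NewSigningKey and SignRS256 are constructed stand-ins for Hydra's key management and
// token endpoint so the example runs offline; in production the JWKS is fetched from
// /.well-known/jwks.json and tokens come from /oauth2/token.
func NewSigningKey(kid string) (*rsa.PrivateKey, JWKS) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if the entropy source is broken
	jwk := JWK{Kid: kid, Kty: "RSA", N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	return priv, JWKS{Keys: []JWK{jwk}}
}

func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // cannot fail for a valid key
	return input + "." + b64.EncodeToString(sig)
}
```

Because nothing here contacts Hydra, a token revoked at `/oauth2/revoke` still verifies until `exp`. With the JWT strategy keep access-token lifetimes short, or call the admin introspection endpoint for operations where immediate revocation matters; the default opaque strategy avoids the problem at the cost of an introspection call per request. Fetch the JWKS over TLS from the issuer you configured, cache it, and refresh it when an unknown `kid` appears so key rotation does not cause an outage.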
Within that stack, Hydra itself covers only OAuth 2.0 and OpenID Connect token issuance and the login and consent flows around it.

## Sources

- https://github.com/ory/hydra
- https://www.ory.sh/docs/hydra/

---

Source: https://tokrepo.com/en/workflows/c948e459-3942-11f1-9bc6-00163e2b0d79
Author: AI Open Source