Internet-scale OpenID Certified™ OpenID Connect and OAuth2.1 provider that integrates with your user management through headless APIs. Solve OIDC/OAuth2 use cases overnight. Consume as a service on Ory Network or self-host. Trusted by OpenAI and many others for scale and security. Written in Go.
v25.4.0 brings first-class support for agentic authorization with the Device Authorization Grant (RFC 8628) and OAuth 2.1 discovery endpoint, making it easier for agents, IoT devices, and headless clients to obtain and manage access securely. Combined with new consent-chain revocation and migration fixes for CockroachDB v25+, Hydra v25.4 strengthens its role as the web and AI scale-ready OAuth 2.1 and OpenID Connect server for modern applications.
Ory has moved to a new versioning scheme. Read about our new version scheme. Interested in self-hosting Ory with support, SLAs, and advanced features? Check out our offerings.
Highlights
Agentic authentication use cases
This release makes Ory Hydra a stronger foundation for agentic authentication, where autonomous agents or constrained devices need to obtain and manage access without a full browser or direct human interaction. Two key updates enable this:
Device authorization grant (RFC 8628): Essential for headless or limited-input clients (e.g., smart TVs, IoT devices, AI agents). It allows users to securely authorize agents through a secondary device, solving a common gap in agentic workflows.
OAuth 2.1 discovery endpoint: Hydra now serves both OpenID Connect and OAuth 2.1 discovery documents, aligning with emerging standards. This simplifies integration for agents that expect OAuth 2.1 metadata and removes friction in federated or automated flows.
Together, these features address longstanding issues for agentic use cases by combining standards compliance with Hydra’s production-grade session and consent handling.
Device authorization grant (RFC 8628)
Adds full device flow support for devices without a browser or with limited input (smart TVs, consoles, agents).
Revoke token chains by consent challenge ID
New capability to revoke the entire token chain (refresh token and all derived access tokens) produced by a specific consent session.
OAuth 2.1 discovery endpoint
Hydra now serves /.well-known/oauth-authorization-server in addition to /.well-known/openid-configuration to aid OAuth 2.1 and certain integrations (per RFC 8414).
Improvements
Lower latency when revoking linked Kratos sessions by making revocation asynchronous.
Client updates with JWKS URI: PATCH/PUT no longer blocked when json_web_keys_uri is set (and json_web_keys present).
JWT query performance: added an index for faster JWT-related lookups.
CLI: clearer usage/help examples.
Fixes
CockroachDB v25+ migrations: corrected/updated migration scripts; includes device-flow down/auto-commit fixes.
Postgres UUIDs: use uuid_generate_v4() instead of MD5-based generation (enable the uuid-ossp extension if not already).
Case-insensitive user_code scrubbing in device flow.
Validation: tos_uri validation corrected.
Docs: fixed JWT access token documentation link.
Security and dependencies
go-jose v3.0.4 with a backport for CVE-2025-27144.
Go toolchain upgrades (1.24.x) and crypto stack updates (e.g., ThalesGroup/crypto11, circl) addressing advisories.
General dependency hygiene and CI hardening.
Upgrade notes
Run migrations before rolling out v25.4.0.
CockroachDB users on v25+: this release includes specific migration fixes; ensure your migration runner picks up the updated scripts.
Postgres users: ensure uuid-ossp is enabled (CREATE EXTENSION IF NOT EXISTS "uuid-ossp";) to support native UUIDs.
Device flow UI: add the two required screens/routes in your login/consent app to use RFC 8628.
Monitoring: if you scrape Prometheus on public endpoints, expect additional metrics.
Move database meta functions to root x folder for reusability (7e49133):
Features
Add allowed domains configuration for captcha (df3f05c):
Add error reason to OAuth2TokenExchangeError event (#3971) (241dd45)
Add handler for /.well-known/oauth-authorization-server. (#3980) (5baca28):
In order to support OAuth2.1 and some specific integrations that
leverage the /.well-known/oauth-authorization-server endpoint, this PR
adds a handler for the specific endpoint. The
/.well-known/openid-configuration endpoint already supports all
configuration items that conform to this endpoint as seen here:
https://datatracker.ietf.org/doc/html/rfc8414
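As an added example (not Hydra's own code), a client-side check of the two discovery documents Hydra now serves: each document's issuer claim must equal the issuer URL it was fetched from (RFC 8414 section 3.3), and the OAuth 2.1 and OIDC documents must agree. The endpoint paths in the test are constructed sample values, not taken from the project.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"strings"
)
// Metadata: the discovery fields a client relies on (RFC 8414 / OIDC names; device_authorization_endpoint is from RFC 8628 section 4).
type Metadata struct {
	Issuer                      string `json:"issuer"`
	AuthorizationEndpoint       string `json:"authorization_endpoint"`
	TokenEndpoint               string `json:"token_endpoint"`
	JWKSURI                     string `json:"jwks_uri"`
	DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint"`
}
// fetchChecked downloads one discovery document and rejects it unless its issuer claim equals the URL
// it was fetched from (RFC 8414 section 3.3), so a relayed document cannot point at foreign endpoints.
func fetchChecked(c *http.Client, issuer, path string) (*Metadata, error) {
	resp, err := c.Get(issuer + path)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var m Metadata
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&m) != nil {
		return nil, errors.New("discovery: bad response from " + path)
	}
	if m.Issuer != issuer {
		return nil, errors.New("discovery: issuer claim " + m.Issuer + " does not match " + issuer)
	}
	return &m, nil
}
// VerifyDiscovery fetches both documents Hydra serves and returns the metadata only if each passes
// the issuer check and the two agree, so a client that reads either one gets the same endpoints.
func VerifyDiscovery(c *http.Client, issuer string) (*Metadata, error) {
	issuer = strings.TrimSuffix(issuer, "/")
	oauth, err := fetchChecked(c, issuer, "/.well-known/oauth-authorization-server")
	if err != nil {
		return nil, err
	}
	oidc, err := fetchChecked(c, issuer, "/.well-known/openid-configuration")
	if err != nil {
		return nil, err
	}
	if *oauth != *oidc {
		return nil, errors.New("discovery: OAuth 2.1 and OIDC documents disagree")
	}
	return oauth, nil
}
```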
JWT documentation link to point to the correct resource (#3907) (b746e41):
The previous link in the documentation led to a page unrelated to JWT.
Updated the URL to https://www.ory.sh/docs/oauth2-oidc/jwt-access-token,
which provides proper JWT guidance.
This patch introduces the OAuth 2.0 Device Authorization Grant to Ory
Hydra. The OAuth 2.0 device authorization grant is designed for
Internet-connected devices that either lack a browser to perform a
user-agent-based authorization or are input constrained to the extent
that requiring the user to input text in order to authenticate during
the authorization flow is impractical. It enables OAuth clients on such
devices (like smart TVs, media consoles, digital picture frames, and
printers) to obtain user authorization to access protected resources by
using a user agent on a separate device.
The OAuth 2.0 Device Authorization Grant may also become relevant for AI
Agent authentication flows and is generally an amazing step and
innovation for this project.
A very special thanks goes to @nsklikas from
Canonical, @supercairos from
shadow.tech and @BuzzBumbleBee.
For more details, please check out the documentation
(https://github.com/ory/docs/pull/2026)
To implement this feature, you will need to implement two additional
screens in your login and consent application. A reference
implementation can be found
here.
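As an added example (not Hydra's own code), the polling loop a headless client runs after it has obtained a device_code from the device authorization endpoint; it assumes Hydra's token endpoint at /oauth2/token and handles the authorization_pending, slow_down and terminal error responses RFC 8628 defines. All device codes and tokens in the test are constructed sample values.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"net/url"
	"strings"
	"time"
)
// tokenResp covers both the success and the error shape of the token endpoint (RFC 6749 section 5.2).
type tokenResp struct {
	AccessToken string `json:"access_token"`
	Error       string `json:"error"`
}
// PollToken is the device-side loop of RFC 8628 sections 3.4 and 3.5: given device_code, interval
// and expires_in (seconds) from the device authorization response it polls tokenURL (assumed to be
// Hydra's /oauth2/token) until approval, denial or expiry. sleep is injectable so the back-off can
// be checked without waiting (nil means time.Sleep); the final polling interval is returned too.
func PollToken(c *http.Client, tokenURL, clientID, deviceCode string, interval, expiresIn int, sleep func(time.Duration)) (string, time.Duration, error) {
	if sleep == nil {
		sleep = time.Sleep
	}
	wait := time.Duration(interval) * time.Second
	deadline := time.Now().Add(time.Duration(expiresIn) * time.Second)
	form := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:device_code"}, "device_code": {deviceCode}, "client_id": {clientID}}
	for time.Now().Before(deadline) {
		resp, err := c.Post(tokenURL, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
		if err != nil {
			return "", wait, err
		}
		var tr tokenResp
		err = json.NewDecoder(resp.Body).Decode(&tr) // error responses are JSON bodies too
		resp.Body.Close()
		if err != nil {
			return "", wait, err
		}
		switch tr.Error {
		case "":
			return tr.AccessToken, wait, nil
		case "authorization_pending": // the user has not decided yet; keep the interval
		case "slow_down": // RFC 8628 section 3.5: add 5 seconds to the interval
			wait += 5 * time.Second
		default: // access_denied, expired_token, invalid_grant: stop polling
			return "", wait, errors.New("device flow ended: " + tr.Error)
		}
		sleep(wait)
	}
	return "", wait, errors.New("device flow: device_code expired before the user approved")
}
```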
Improve domain telemetry for OSS (Hydra & Kratos) (02c5757):
This change makes the session revocation in Kratos async to improve
observed latency.
Revoke token chain by consent challenge ID (#3932) (4a40193):
This change adds the ability to revoke token chains by "consent
challenge ID".
"Consent sessions"
Each time the user goes through a GET /oauth2/auth?response_type=code&... auth code flow, we persist a new
"consent session" to the database.
This is independent of whether the user has previously logged in and/or
granted consent, or whether the user was actively asked to grant consent
by the consent app. A successful journey through the auth code flow
results in a new "consent session".
This consent session is uniquely identified by its "consent challenge
ID". This ID is obtained from the GET /admin/oauth2/auth/requests/consent?consent_challenge=...
API. Note that it is not the same as the consent_challenge=... query
parameter!
Any access and refresh tokens obtained from a token exchange following
that particular user journey are bound to that consent session.
We call the totality of all refresh+access tokens derived from a
particular consent session a "token chain".
Token revocation
Revoking an access token (AT) is simple: send the AT to /oauth2/revoke
and it is revoked. If this AT was derived from a refresh token (RT), the
parent RT is not revoked.
Revoking a refresh token (RT) also revokes associated access tokens.
Revocation by consent challenge ID
During an authorization code flow, save the consent challenge ID into
the access token session data:
GET /admin/oauth2/auth/requests/consent?consent_challenge=abcdef
Response:
{
"acr": ...,
"challenge": "G_TIM3XABG14UwIgDoT1DRfipjhC1uix" # <- this is the ID we need
...
}
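As an added example (not Hydra's own code), the consent-app step described above carried through: load the consent request, take its "challenge" value (the consent challenge ID, not the query parameter), and accept the request with that ID stored in the access token session data so the resulting token chain can later be revoked by it. The GET and PUT admin endpoints are Hydra's; the admin base URL, the claim name consent_challenge_id and all values in the test are assumptions or constructed samples.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"net/http"
	"net/url"
)
// consentRequest is the subset of the GET /admin/oauth2/auth/requests/consent response used here;
// "challenge" is the consent challenge ID of the session (not the consent_challenge query parameter).
type consentRequest struct {
	Challenge      string   `json:"challenge"`
	RequestedScope []string `json:"requested_scope"`
	Subject        string   `json:"subject"`
}
// AcceptConsentWithChainID loads the consent request for challengeParam and accepts it with the consent
// challenge ID copied into the access token session data, so the resulting token chain can later be
// revoked by that ID. adminURL is assumed to be Hydra's admin base URL (e.g. http://hydra-admin:4445).
func AcceptConsentWithChainID(c *http.Client, adminURL, challengeParam string) (chainID, redirectTo string, err error) {
	q := "?consent_challenge=" + url.QueryEscape(challengeParam)
	resp, err := c.Get(adminURL + "/admin/oauth2/auth/requests/consent" + q)
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	var cr consentRequest
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&cr) != nil || cr.Challenge == "" {
		return "", "", errors.New("consent: could not load consent request")
	}
	body, _ := json.Marshal(map[string]any{
		"grant_scope": cr.RequestedScope, // a real consent app grants only the scopes the user approved
		"session": map[string]any{
			"access_token": map[string]string{"consent_challenge_id": cr.Challenge}, // claim name is an assumption
		},
	})
	req, _ := http.NewRequest(http.MethodPut, adminURL+"/admin/oauth2/auth/requests/consent/accept"+q, bytes.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	resp2, err := c.Do(req)
	if err != nil {
		return "", "", err
	}
	defer resp2.Body.Close()
	var out struct{ RedirectTo string `json:"redirect_to"` }
	if resp2.StatusCode != http.StatusOK || json.NewDecoder(resp2.Body).Decode(&out) != nil || out.RedirectTo == "" {
		return "", "", errors.New("consent: accept failed")
	}
	return cr.Challenge, out.RedirectTo, nil
}
```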