hydra

Go ★ 17k updated 3d ago

Internet-scale OpenID Certified™ OpenID Connect and OAuth2.1 provider that integrates with your user management through headless APIs. Solve OIDC/OAuth2 use cases overnight. Consume as a service on Ory Network or self-host. Trusted by OpenAI and many others for scale and security. Written in Go.

Ory Hydra is an open-source server that handles OAuth 2.0 and OpenID Connect for your applications. OAuth 2.0 is the standard protocol behind "Sign in with Google" style buttons and API access tokens; OpenID Connect is the identity layer built on top of it. Setting these protocols up correctly from scratch is notoriously error-prone, so Hydra packages the whole surface into a single service.

A key design choice is that Hydra deliberately does not manage users itself. There are no built-in login forms, password databases, or signup flows. Instead, Hydra delegates the login and consent screens to a separate login and consent app that you supply, which talks to whatever identity store you already have, such as Ory Kratos or an existing in-house user system. This gives you complete control over the user interface while Hydra handles the protocol details, token issuance and validation, client management, and JWKS key management.

Hydra is OpenID Foundation certified for several OpenID profiles, implements many OAuth 2.0 RFCs including token revocation, introspection, PKCE, and dynamic client registration, and is built for low latency and high throughput at large scale. The codebase is written in Go.

You can run Hydra as a managed service on the Ory Network, or self-host it on Linux, macOS, Windows, or Docker, backed by PostgreSQL, MySQL, or CockroachDB, and deploy to Kubernetes for orchestration. You would reach for Hydra when you need to act as an OAuth2 or OIDC identity provider yourself, for example to power single sign-on across multiple apps or to issue API access tokens, without writing the protocol from scratch.