Version: v1.5

REST API

Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here.

You are viewing REST API documentation. This documentation is auto-generated from a swagger specification which itself is generated from annotations in the source code of the project. It is possible that this documentation includes bugs and that code samples are incomplete or wrong.

If you find issues in the respective documentation, please do not edit the Markdown files directly (as they are generated) but raise an issue on the project's GitHub presence instead. This documentation will improve over time with your help! If you have ideas how to improve this part of the documentation, feel free to share them in a GitHub issue any time.

Authentication

  • HTTP Authentication, scheme: basic - OAuth 2.0 Authorization. - Flow: authorizationCode

    • OAuth 2.0 Authorization URL = /oauth2/auth

    • OAuth 2.0 Token URL = /oauth2/token

    • OAuth 2.0 Scope

      ScopeScope Description
      offlineA scope required when requesting refresh tokens (alias for offline_access)
      offline_accessA scope required when requesting refresh tokens
      openidRequest an OpenID Connect ID Token
## Public Endpoints

JSON Web Keys Discovery

GET /.well-known/jwks.json HTTP/1.1
Accept: application/json

This endpoint returns JSON Web Keys to be used as public keys for verifying OpenID Connect ID Tokens and, if enabled, OAuth 2.0 JWT Access Tokens. This endpoint can be used with client libraries like node-jwks-rsa among others.

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKJSONWebKeySetJSONWebKeySet
500Internal Server ErrorgenericErrorgenericError
Examples
200 response
{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": [
"string"
],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}

Code samples

curl -X GET /.well-known/jwks.json \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/.well-known/jwks.json", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/.well-known/jwks.json', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/.well-known/jwks.json");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/.well-known/jwks.json',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/.well-known/jwks.json',
params: {}, headers: headers
p JSON.parse(result)

OpenID Connect Discovery

GET /.well-known/openid-configuration HTTP/1.1
Accept: application/json

The well known endpoint an be used to retrieve information for OpenID Connect clients. We encourage you to not roll your own OpenID Connect client but to use an OpenID Connect client library instead. You can learn more on this flow at https://openid.net/specs/openid-connect-discovery-1_0.html .

Popular libraries for OpenID Connect clients include oidc-client-js (JavaScript), go-oidc (Golang), and others. For a full list of clients go here: https://openid.net/developers/certified/

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKwellKnownwellKnown
401UnauthorizedgenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
200 response
{
"authorization_endpoint": "https://playground.ory.sh/ory-hydra/public/oauth2/auth",
"backchannel_logout_session_supported": true,
"backchannel_logout_supported": true,
"claims_parameter_supported": true,
"claims_supported": [
"string"
],
"end_session_endpoint": "string",
"frontchannel_logout_session_supported": true,
"frontchannel_logout_supported": true,
"grant_types_supported": [
"string"
],
"id_token_signing_alg_values_supported": [
"string"
],
"issuer": "https://playground.ory.sh/ory-hydra/public/",
"jwks_uri": "https://playground.ory.sh/ory-hydra/public/.well-known/jwks.json",
"registration_endpoint": "https://playground.ory.sh/ory-hydra/admin/client",
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"response_modes_supported": [
"string"
],
"response_types_supported": [
"string"
],
"revocation_endpoint": "string",
"scopes_supported": [
"string"
],
"subject_types_supported": [
"string"
],
"token_endpoint": "https://playground.ory.sh/ory-hydra/public/oauth2/token",
"token_endpoint_auth_methods_supported": [
"string"
],
"userinfo_endpoint": "string",
"userinfo_signing_alg_values_supported": [
"string"
]
}

Code samples

curl -X GET /.well-known/openid-configuration \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/.well-known/openid-configuration", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/.well-known/openid-configuration', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/.well-known/openid-configuration");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/.well-known/openid-configuration',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/.well-known/openid-configuration',
params: {}, headers: headers
p JSON.parse(result)

Check readiness status

GET /health/ready HTTP/1.1
Accept: application/json

This endpoint returns a 200 status code when the HTTP server is up running and the environment dependencies (e.g. the database) are responsive as well.

If the service supports TLS Edge Termination, this endpoint does not require the X-Forwarded-Proto header to be set.

Be aware that if you are running multiple nodes of this service, the health status will never refer to the cluster state, only to a single instance.

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKhealthStatushealthStatus
503Service UnavailablehealthNotReadyStatushealthNotReadyStatus
Examples
200 response
{
"status": "string"
}

Code samples

curl -X GET /health/ready \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/health/ready", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/health/ready', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/health/ready");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/health/ready',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/health/ready',
params: {}, headers: headers
p JSON.parse(result)

The OAuth 2.0 authorize endpoint

GET /oauth2/auth HTTP/1.1
Accept: application/json

This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language will exists.

To learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749

Responses

##### Overview
StatusMeaningDescriptionSchema
302FoundEmpty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.None
401UnauthorizedgenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
401 response
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}

Code samples

curl -X GET /oauth2/auth \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/oauth2/auth", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/oauth2/auth', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/auth");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/oauth2/auth',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/oauth2/auth',
params: {}, headers: headers
p JSON.parse(result)

Revoke OAuth2 tokens

POST /oauth2/revoke HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json

Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no longer be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token. Revoking a refresh token also invalidates the access token that was created with it. A token may only be revoked by the client the token was generated for.

Request body

token: string
##### Parameters
ParameterInTypeRequiredDescription
bodybodyobjectfalsenone
» tokenbodystringtruenone

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKEmpty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.None
401UnauthorizedgenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
401 response
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}

Code samples

curl -X POST /oauth2/revoke \
-H 'Content-Type: application/x-www-form-urlencoded' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/x-www-form-urlencoded"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("POST", "/oauth2/revoke", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"token": "string"
}';
const headers = {
'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json'
}
fetch('/oauth2/revoke', {
method: 'POST',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/revoke");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'application/json'
}
r = requests.post(
'/oauth2/revoke',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/x-www-form-urlencoded',
'Accept' => 'application/json'
}
result = RestClient.post '/oauth2/revoke',
params: {}, headers: headers
p JSON.parse(result)

OpenID Connect Front-Backchannel enabled Logout

GET /oauth2/sessions/logout HTTP/1.1

This endpoint initiates and completes user logout at ORY Hydra and initiates OpenID Connect Front-/Back-channel logout:

https://openid.net/specs/openid-connect-frontchannel-1_0.html https://openid.net/specs/openid-connect-backchannel-1_0.html

Responses

##### Overview
StatusMeaningDescriptionSchema
302FoundEmpty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.None

Code samples

curl -X GET /oauth2/sessions/logout
package main
import (
"bytes"
"net/http"
)
func main() {
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/oauth2/sessions/logout", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
fetch('/oauth2/sessions/logout', {
method: 'GET'
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/sessions/logout");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
r = requests.get(
'/oauth2/sessions/logout',
params={)
print r.json()
require 'rest-client'
require 'json'
result = RestClient.get '/oauth2/sessions/logout',
params: {}
p JSON.parse(result)

The OAuth 2.0 token endpoint

POST /oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json

The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" HTTP request entity-body.

Do not implement a client for this endpoint yourself. Use a library. There are many libraries available for any programming language. You can find a list of libraries here: https://oauth.net/code/

Do note that Hydra SDK does not implement this endpoint properly. Use one of the libraries listed above!

Request body

grant_type: string
code: string
refresh_token: string
redirect_uri: string
client_id: string
##### Parameters
ParameterInTypeRequiredDescription
bodybodyobjectfalsenone
» grant_typebodystringtruenone
» codebodystringfalsenone
» refresh_tokenbodystringfalsenone
» redirect_uribodystringfalsenone
» client_idbodystringfalsenone

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKoauth2TokenResponseoauth2TokenResponse
401UnauthorizedgenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
200 response
{
"access_token": "string",
"expires_in": 0,
"id_token": "string",
"refresh_token": "string",
"scope": "string",
"token_type": "string"
}

Code samples

curl -X POST /oauth2/token \
-H 'Content-Type: application/x-www-form-urlencoded' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/x-www-form-urlencoded"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("POST", "/oauth2/token", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"grant_type": "string",
"code": "string",
"refresh_token": "string",
"redirect_uri": "string",
"client_id": "string"
}';
const headers = {
'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json'
}
fetch('/oauth2/token', {
method: 'POST',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/token");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'application/json'
}
r = requests.post(
'/oauth2/token',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/x-www-form-urlencoded',
'Accept' => 'application/json'
}
result = RestClient.post '/oauth2/token',
params: {}, headers: headers
p JSON.parse(result)

OpenID Connect Userinfo

GET /userinfo HTTP/1.1
Accept: application/json

This endpoint returns the payload of the ID Token, including the idTokenExtra values, of the provided OAuth 2.0 Access Token.

For more information please refer to the spec.

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKuserinfoResponseuserinfoResponse
401UnauthorizedgenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
200 response
{
"birthdate": "string",
"email": "string",
"email_verified": true,
"family_name": "string",
"gender": "string",
"given_name": "string",
"locale": "string",
"middle_name": "string",
"name": "string",
"nickname": "string",
"phone_number": "string",
"phone_number_verified": true,
"picture": "string",
"preferred_username": "string",
"profile": "string",
"sub": "string",
"updated_at": 0,
"website": "string",
"zoneinfo": "string"
}

Code samples

curl -X GET /userinfo \
-H 'Accept: application/json' \ -H 'Authorization: Bearer {access-token}'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
"Authorization": []string{"Bearer {access-token}"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/userinfo", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json', 'Authorization': 'Bearer {access-token}'
}
fetch('/userinfo', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/userinfo");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json',
'Authorization': 'Bearer {access-token}'
}
r = requests.get(
'/userinfo',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json',
'Authorization' => 'Bearer {access-token}'
}
result = RestClient.get '/userinfo',
params: {}, headers: headers
p JSON.parse(result)
## Administrative Endpoints

List OAuth 2.0 Clients

GET /clients HTTP/1.1
Accept: application/json

This endpoint lists all clients in the database, and never returns client secrets.

OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components. The "Link" header is also included in successful responses, which contains one or more links for pagination, formatted like so: 'https://hydra-url/admin/clients?limit={limit}&offset={offset}; rel="{page}"', where page is one of the following applicable pages: 'first', 'next', 'last', and 'previous'. Multiple links can be included in this header, and will be separated by a comma.

##### Parameters
ParameterInTypeRequiredDescription
limitqueryinteger(int64)falseThe maximum amount of policies returned.
offsetqueryinteger(int64)falseThe offset from where to start looking.

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKA list of clients.Inline
500Internal Server ErrorgenericErrorgenericError
##### Response Schema

Status Code 200

NameTypeRequiredRestrictionsDescription
anonymous[oAuth2Client]falsenonenone
» Client represents an OAuth 2.0 Client.oAuth2Clientfalsenonenone
»» allowed_cors_origins[string]falsenonenone
»» audience[string]falsenonenone
»» backchannel_logout_session_requiredbooleanfalsenoneBoolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false.
»» backchannel_logout_uristringfalsenoneRP URL that will cause the RP to log itself out when sent a Logout Token by the OP.
»» client_idstringfalsenoneClientID is the id for this client.
»» client_namestringfalsenoneName is the human-readable string name of the client to be presented to the end-user during authorization.
»» client_secretstringfalsenoneSecret is the client's secret. The secret will be included in the create request as cleartext, and then never again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users that they need to write the secret down as it will not be made available again.
»» client_secret_expires_atinteger(int64)falsenoneSecretExpiresAt is an integer holding the time at which the client secret will expire or 0 if it will not expire. The time is represented as the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the date/time of expiration. This feature is currently not supported and it's value will always be set to 0.
»» client_uristringfalsenoneClientURI is an URL string of a web page providing information about the client. If present, the server SHOULD display this URL to the end-user in a clickable fashion.
»» contacts[string]falsenonenone
»» created_atstring(date-time)falsenoneCreatedAt returns the timestamp of the client's creation.
»» frontchannel_logout_session_requiredbooleanfalsenoneBoolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. If omitted, the default value is false.
»» frontchannel_logout_uristringfalsenoneRP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be.
»» grant_types[string]falsenonenone
»» jwksJoseJSONWebKeySetfalsenonenone
»» jwks_uristringfalsenoneURL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
»» logo_uristringfalsenoneLogoURI is an URL string that references a logo for the client.
»» metadataJSONRawMessagefalsenonenone
»» ownerstringfalsenoneOwner is a string identifying the owner of the OAuth 2.0 Client.
»» policy_uristringfalsenonePolicyURI is a URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data.
»» post_logout_redirect_uris[string]falsenonenone
»» redirect_uris[string]falsenonenone
»» request_object_signing_algstringfalsenoneJWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm.
»» request_uris[string]falsenonenone
»» response_types[string]falsenonenone
»» scopestringfalsenoneScope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens.
»» sector_identifier_uristringfalsenoneURL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values.
»» subject_typestringfalsenoneSubjectType requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public.
»» token_endpoint_auth_methodstringfalsenoneRequested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, private_key_jwt, and none.
»» tos_uristringfalsenoneTermsOfServiceURI is a URL string that points to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client.
»» updated_atstring(date-time)falsenoneUpdatedAt returns the timestamp of the last update.
»» userinfo_signed_response_algstringfalsenoneJWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.
Examples
200 response
[
{
"allowed_cors_origins": [
"string"
],
"audience": [
"string"
],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": [
"string"
],
"created_at": "2020-05-28T13:50:42Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": [
"string"
],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": [
"string"
],
"redirect_uris": [
"string"
],
"request_object_signing_alg": "string",
"request_uris": [
"string"
],
"response_types": [
"string"
],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-05-28T13:50:42Z",
"userinfo_signed_response_alg": "string"
}
]

Code samples

curl -X GET /clients \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/clients", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/clients', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/clients");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/clients',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/clients',
params: {}, headers: headers
p JSON.parse(result)

Create an OAuth 2.0 client

POST /clients HTTP/1.1
Content-Type: application/json
Accept: application/json

Create a new OAuth 2.0 client If you pass client_secret the secret will be used, otherwise a random secret will be generated. The secret will be returned in the response and you will not be able to retrieve it later on. Write the secret down and keep it somwhere safe.

OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.

Request body

{
"allowed_cors_origins": [
"string"
],
"audience": [
"string"
],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": [
"string"
],
"created_at": "2020-05-28T13:50:42Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": [
"string"
],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": [
"string"
],
"redirect_uris": [
"string"
],
"request_object_signing_alg": "string",
"request_uris": [
"string"
],
"response_types": [
"string"
],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-05-28T13:50:42Z",
"userinfo_signed_response_alg": "string"
}
##### Parameters
ParameterInTypeRequiredDescription
bodybodyoAuth2Clienttruenone

Responses

##### Overview
StatusMeaningDescriptionSchema
201CreatedoAuth2ClientoAuth2Client
400Bad RequestgenericErrorgenericError
409ConflictgenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
201 response
{
"allowed_cors_origins": [
"string"
],
"audience": [
"string"
],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": [
"string"
],
"created_at": "2020-05-28T13:50:42Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": [
"string"
],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": [
"string"
],
"redirect_uris": [
"string"
],
"request_object_signing_alg": "string",
"request_uris": [
"string"
],
"response_types": [
"string"
],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-05-28T13:50:42Z",
"userinfo_signed_response_alg": "string"
}

Code samples

curl -X POST /clients \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("POST", "/clients", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"allowed_cors_origins": [
"string"
],
"audience": [
"string"
],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": [
"string"
],
"created_at": "2020-05-28T13:50:42Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": [
"string"
],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": [
"string"
],
"redirect_uris": [
"string"
],
"request_object_signing_alg": "string",
"request_uris": [
"string"
],
"response_types": [
"string"
],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-05-28T13:50:42Z",
"userinfo_signed_response_alg": "string"
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/clients', {
method: 'POST',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/clients");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.post(
'/clients',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.post '/clients',
params: {}, headers: headers
p JSON.parse(result)

Get an OAuth 2.0 Client.

GET /clients/{id} HTTP/1.1
Accept: application/json

Get an OAUth 2.0 client by its ID. This endpoint never returns passwords.

OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.

##### Parameters
ParameterInTypeRequiredDescription
idpathstringtrueThe id of the OAuth 2.0 Client.

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKoAuth2ClientoAuth2Client
401UnauthorizedgenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
200 response
{
"allowed_cors_origins": [
"string"
],
"audience": [
"string"
],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": [
"string"
],
"created_at": "2020-05-28T13:50:42Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": [
"string"
],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": [
"string"
],
"redirect_uris": [
"string"
],
"request_object_signing_alg": "string",
"request_uris": [
"string"
],
"response_types": [
"string"
],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-05-28T13:50:42Z",
"userinfo_signed_response_alg": "string"
}

Code samples

curl -X GET /clients/{id} \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/clients/{id}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/clients/{id}', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/clients/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/clients/{id}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/clients/{id}',
params: {}, headers: headers
p JSON.parse(result)

Update an OAuth 2.0 Client

PUT /clients/{id} HTTP/1.1
Content-Type: application/json
Accept: application/json

Update an existing OAuth 2.0 Client. If you pass client_secret the secret will be updated and returned via the API. This is the only time you will be able to retrieve the client secret, so write it down and keep it safe.

OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.

Request body

{
"allowed_cors_origins": [
"string"
],
"audience": [
"string"
],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": [
"string"
],
"created_at": "2020-05-28T13:50:42Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": [
"string"
],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": [
"string"
],
"redirect_uris": [
"string"
],
"request_object_signing_alg": "string",
"request_uris": [
"string"
],
"response_types": [
"string"
],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-05-28T13:50:42Z",
"userinfo_signed_response_alg": "string"
}
##### Parameters
ParameterInTypeRequiredDescription
idpathstringtruenone
bodybodyoAuth2Clienttruenone

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKoAuth2ClientoAuth2Client
500Internal Server ErrorgenericErrorgenericError
Examples
200 response
{
"allowed_cors_origins": [
"string"
],
"audience": [
"string"
],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": [
"string"
],
"created_at": "2020-05-28T13:50:42Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": [
"string"
],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": [
"string"
],
"redirect_uris": [
"string"
],
"request_object_signing_alg": "string",
"request_uris": [
"string"
],
"response_types": [
"string"
],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-05-28T13:50:42Z",
"userinfo_signed_response_alg": "string"
}

Code samples

curl -X PUT /clients/{id} \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("PUT", "/clients/{id}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"allowed_cors_origins": [
"string"
],
"audience": [
"string"
],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": [
"string"
],
"created_at": "2020-05-28T13:50:42Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": [
"string"
],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": [
"string"
],
"redirect_uris": [
"string"
],
"request_object_signing_alg": "string",
"request_uris": [
"string"
],
"response_types": [
"string"
],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-05-28T13:50:42Z",
"userinfo_signed_response_alg": "string"
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/clients/{id}', {
method: 'PUT',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/clients/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("PUT");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.put(
'/clients/{id}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.put '/clients/{id}',
params: {}, headers: headers
p JSON.parse(result)

Deletes an OAuth 2.0 Client

DELETE /clients/{id} HTTP/1.1
Accept: application/json

Delete an existing OAuth 2.0 Client by its ID.

OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.

##### Parameters
ParameterInTypeRequiredDescription
idpathstringtrueThe id of the OAuth 2.0 Client.

Responses

##### Overview
StatusMeaningDescriptionSchema
204No ContentEmpty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.None
404Not FoundgenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
404 response
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}

Code samples

curl -X DELETE /clients/{id} \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("DELETE", "/clients/{id}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/clients/{id}', {
method: 'DELETE',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/clients/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("DELETE");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'/clients/{id}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.delete '/clients/{id}',
params: {}, headers: headers
p JSON.parse(result)

Check alive status

GET /health/alive HTTP/1.1
Accept: application/json

This endpoint returns a 200 status code when the HTTP server is up running. This status does currently not include checks whether the database connection is working.

If the service supports TLS Edge Termination, this endpoint does not require the X-Forwarded-Proto header to be set.

Be aware that if you are running multiple nodes of this service, the health status will never refer to the cluster state, only to a single instance.

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKhealthStatushealthStatus
500Internal Server ErrorgenericErrorgenericError
Examples
200 response
{
"status": "string"
}

Code samples

curl -X GET /health/alive \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/health/alive", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/health/alive', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/health/alive");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/health/alive',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/health/alive',
params: {}, headers: headers
p JSON.parse(result)

Retrieve a JSON Web Key Set

GET /keys/{set} HTTP/1.1
Accept: application/json

This endpoint can be used to retrieve JWK Sets stored in ORY Hydra.

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.

##### Parameters
ParameterInTypeRequiredDescription
setpathstringtrueThe set

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKJSONWebKeySetJSONWebKeySet
401UnauthorizedgenericErrorgenericError
403ForbiddengenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
200 response
{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": [
"string"
],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}

Code samples

curl -X GET /keys/{set} \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/keys/{set}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/keys/{set}', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/keys/{set}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/keys/{set}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/keys/{set}',
params: {}, headers: headers
p JSON.parse(result)

Update a JSON Web Key Set

PUT /keys/{set} HTTP/1.1
Content-Type: application/json
Accept: application/json

Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.

Request body

{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": [
"string"
],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}
##### Parameters
ParameterInTypeRequiredDescription
setpathstringtrueThe set
bodybodyJSONWebKeySetfalsenone

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKJSONWebKeySetJSONWebKeySet
401UnauthorizedgenericErrorgenericError
403ForbiddengenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
200 response
{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": [
"string"
],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}

Code samples

curl -X PUT /keys/{set} \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("PUT", "/keys/{set}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": [
"string"
],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/keys/{set}', {
method: 'PUT',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/keys/{set}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("PUT");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.put(
'/keys/{set}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.put '/keys/{set}',
params: {}, headers: headers
p JSON.parse(result)

Generate a new JSON Web Key

POST /keys/{set} HTTP/1.1
Content-Type: application/json
Accept: application/json

This endpoint is capable of generating JSON Web Key Sets for you. There a different strategies available, such as symmetric cryptographic keys (HS256, HS512) and asymetric cryptographic keys (RS256, ECDSA). If the specified JSON Web Key Set does not exist, it will be created.

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.

Request body

{
"alg": "string",
"kid": "string",
"use": "string"
}
##### Parameters
ParameterInTypeRequiredDescription
setpathstringtrueThe set
bodybodyjsonWebKeySetGeneratorRequestfalsenone

Responses

##### Overview
StatusMeaningDescriptionSchema
201CreatedJSONWebKeySetJSONWebKeySet
401UnauthorizedgenericErrorgenericError
403ForbiddengenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
201 response
{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": [
"string"
],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}

Code samples

curl -X POST /keys/{set} \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("POST", "/keys/{set}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"alg": "string",
"kid": "string",
"use": "string"
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/keys/{set}', {
method: 'POST',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/keys/{set}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.post(
'/keys/{set}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.post '/keys/{set}',
params: {}, headers: headers
p JSON.parse(result)

Delete a JSON Web Key Set

DELETE /keys/{set} HTTP/1.1
Accept: application/json

Use this endpoint to delete a complete JSON Web Key Set and all the keys in that set.

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.

##### Parameters
ParameterInTypeRequiredDescription
setpathstringtrueThe set

Responses

##### Overview
StatusMeaningDescriptionSchema
204No ContentEmpty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.None
401UnauthorizedgenericErrorgenericError
403ForbiddengenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
401 response
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}

Code samples

curl -X DELETE /keys/{set} \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("DELETE", "/keys/{set}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/keys/{set}', {
method: 'DELETE',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/keys/{set}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("DELETE");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'/keys/{set}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.delete '/keys/{set}',
params: {}, headers: headers
p JSON.parse(result)

Fetch a JSON Web Key

GET /keys/{set}/{kid} HTTP/1.1
Accept: application/json

This endpoint returns a singular JSON Web Key, identified by the set and the specific key ID (kid).

##### Parameters
ParameterInTypeRequiredDescription
kidpathstringtrueThe kid of the desired key
setpathstringtrueThe set

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKJSONWebKeySetJSONWebKeySet
404Not FoundgenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
200 response
{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": [
"string"
],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}

Code samples

curl -X GET /keys/{set}/{kid} \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/keys/{set}/{kid}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/keys/{set}/{kid}', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/keys/{set}/{kid}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/keys/{set}/{kid}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/keys/{set}/{kid}',
params: {}, headers: headers
p JSON.parse(result)

Update a JSON Web Key

PUT /keys/{set}/{kid} HTTP/1.1
Content-Type: application/json
Accept: application/json

Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.

Request body

{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": [
"string"
],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
##### Parameters
ParameterInTypeRequiredDescription
kidpathstringtrueThe kid of the desired key
setpathstringtrueThe set
bodybodyJSONWebKeyfalsenone

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKJSONWebKeyJSONWebKey
401UnauthorizedgenericErrorgenericError
403ForbiddengenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
200 response
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": [
"string"
],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}

Code samples

curl -X PUT /keys/{set}/{kid} \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("PUT", "/keys/{set}/{kid}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": [
"string"
],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/keys/{set}/{kid}', {
method: 'PUT',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/keys/{set}/{kid}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("PUT");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.put(
'/keys/{set}/{kid}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.put '/keys/{set}/{kid}',
params: {}, headers: headers
p JSON.parse(result)

Delete a JSON Web Key

DELETE /keys/{set}/{kid} HTTP/1.1
Accept: application/json

Use this endpoint to delete a single JSON Web Key.

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.

##### Parameters
ParameterInTypeRequiredDescription
kidpathstringtrueThe kid of the desired key
setpathstringtrueThe set

Responses

##### Overview
StatusMeaningDescriptionSchema
204No ContentEmpty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.None
401UnauthorizedgenericErrorgenericError
403ForbiddengenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
401 response
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}

Code samples

curl -X DELETE /keys/{set}/{kid} \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("DELETE", "/keys/{set}/{kid}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/keys/{set}/{kid}', {
method: 'DELETE',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/keys/{set}/{kid}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("DELETE");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'/keys/{set}/{kid}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.delete '/keys/{set}/{kid}',
params: {}, headers: headers
p JSON.parse(result)

Get snapshot metrics from the Hydra service. If you're using k8s, you can then add annotations to

your deployment like so:

GET /metrics/prometheus HTTP/1.1
metadata:
annotations:
prometheus.io/port: "4445"
prometheus.io/path: "/metrics/prometheus"

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKEmpty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.None

Code samples

curl -X GET /metrics/prometheus
package main
import (
"bytes"
"net/http"
)
func main() {
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/metrics/prometheus", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
fetch('/metrics/prometheus', {
method: 'GET'
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/metrics/prometheus");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
r = requests.get(
'/metrics/prometheus',
params={)
print r.json()
require 'rest-client'
require 'json'
result = RestClient.get '/metrics/prometheus',
params: {}
p JSON.parse(result)

Get consent request information

GET /oauth2/auth/requests/consent?consent_challenge=string HTTP/1.1
Accept: application/json

When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider to authenticate the subject and then tell ORY Hydra now about it. If the subject authenticated, he/she must now be asked if the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.

The consent provider which handles this request and is a web app implemented and hosted by you. It shows a subject interface which asks the subject to grant or deny the client access to the requested scope ("Application my-dropbox-app wants write access to all your private files").

The consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent provider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra if the subject accepted or rejected the request.

##### Parameters
ParameterInTypeRequiredDescription
consent_challengequerystringtruenone

Responses

##### Overview
StatusMeaningDescriptionSchema
200OKconsentRequestconsentRequest
404Not FoundgenericErrorgenericError
409ConflictgenericErrorgenericError
500Internal Server ErrorgenericErrorgenericError
Examples
200 response
{
"acr": "string",
"challenge": "string",
"client": {
"allowed_cors_origins": [
"string"
],
"audience": [
"string"
],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": [
"string"
],
"created_at": "2020-05-28T13:50:42Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": [
"string"
],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": [
"string"
],
"redirect_uris": [
"string"
],
"request_object_signing_alg": "string",
"request_uris": [
"string"
],
"response_types": [
"string"
],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-05-28T13:50:42Z",
"userinfo_signed_response_alg": "string"
},
"context": {},
"login_challenge": "string",
"login_session_id": "string",
"oidc_context": {
"acr_values": [
"string"
],
"display": "string",
"id_token_hint_claims": {},
"login_hint": "string",
"ui_locales": [
"string"
]
},
"request_url": "string",
"requested_access_token_audience": [
"string"
],
"requested_scope": [
"string"
],
"skip": true,
"subject": "string"
}

Code samples

curl -X GET /oauth2/auth/requests/consent?consent_challenge=string \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/oauth2/auth/requests/consent", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}