Version: v1.4

Consuming OAuth 2.0

This article explains how to integrate ORY Hydra in your system.


A high-level overview of the interaction between a client, ORY Hydra (Authorization Server) and an API looks as follows:

[Figure: ORY Hydra OAuth2 Server Overview]

Most of what is explained here can also be seen as real-life examples in the ory/examples repository!

Interacting with OAuth 2.0

Please, do not write your own code to interact with OAuth 2.0. Use open source & battle-tested libraries instead. Here are some examples:

For a full list of client libraries go here.

Validating OAuth 2.0 Access Tokens

The best and easiest way to validate OAuth 2.0 Access Tokens is by performing OAuth 2.0 Token Introspection. You can do this with the CLI hydra token introspect <token>.


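// Assumes the node-fetch and querystring modules are available.
const fetch = require('node-fetch')
const qs = require('querystring')

const token = 'the access token'
const body = qs.stringify({ token })

fetch('http://ory-hydra/oauth2/introspect', {
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length': body.length
  },
  method: 'POST', body
})
  .then(res => res.json()) // parse the JSON introspection response
  .then(body => {
    if (!body.active) {
      // Token is not active/valid
    } else if (body.token_type !== 'access_token') {
      // Token is not an access token (probably a refresh token)
    } else {
      // token is active
    }
  })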
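
The checks a resource server typically applies to the introspection result, as an added example that is not part of the original Hydra documentation. It goes beyond the snippet above by also checking required scopes and expiry, and by failing closed when the introspection call itself fails. The function names, `requiredScopes`, the injectable `fetchImpl` and the sample responses are assumptions of this example.

```javascript
// Decide whether an RFC 7662 introspection response authorizes a request.
// `requiredScopes` and `nowSeconds` are parameters of this example, not Hydra settings.
function evaluateIntrospection(result, requiredScopes = [], nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!result || result.active !== true) {
    return { ok: false, reason: 'inactive' } // expired, revoked or unknown token
  }
  if (result.token_type !== 'access_token') {
    return { ok: false, reason: 'not_access_token' } // e.g. a refresh token
  }
  // Defense in depth: `active` should already reflect expiry on the server side.
  if (typeof result.exp === 'number' && result.exp <= nowSeconds) {
    return { ok: false, reason: 'expired' }
  }
  // `scope` is a space-separated string in the introspection response.
  const granted = new Set(String(result.scope || '').split(' ').filter(Boolean))
  const missing = requiredScopes.filter(s => !granted.has(s))
  if (missing.length > 0) {
    return { ok: false, reason: 'insufficient_scope', missing }
  }
  return { ok: true, subject: result.sub, clientId: result.client_id }
}

// Calls the introspection endpoint and fails closed on any transport or HTTP error.
// `fetchImpl` is injectable so the logic can be exercised without a running server.
async function validateAccessToken(token, requiredScopes, introspectUrl, fetchImpl = fetch) {
  try {
    const res = await fetchImpl(introspectUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({ token }).toString()
    })
    if (!res.ok) return { ok: false, reason: 'introspection_failed' }
    return evaluateIntrospection(await res.json(), requiredScopes)
  } catch (err) {
    return { ok: false, reason: 'introspection_failed' }
  }
}

// Constructed sample responses (not captured from a real server).
const SAMPLE_ACTIVE = {
  active: true, token_type: 'access_token', scope: 'articles.read offline',
  sub: 'user-123', client_id: 'my-client', exp: 2000000000
}
const SAMPLE_REFRESH = { active: true, token_type: 'refresh_token', scope: 'articles.read' }
```

Treating every failure of the introspection call as a rejected token means an unreachable authorization server denies access instead of silently granting it.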


$ curl -X POST \
-d 'token=<the-token>' \