Version: v1.5

Consuming OAuth 2.0

This article explains how to integrate ORY Hydra into your system.


A high-level overview of the interaction between a client, ORY Hydra (Authorization Server) and an API looks as follows:

ORY Hydra OAuth2 Server Overview

Most of what is explained here can also be seen as real-life examples in the ory/examples repository!

Interacting with OAuth 2.0

Please, do not write your own code to interact with OAuth 2.0. Use open source & battle-tested libraries instead. Here are some examples:

For a full list of client libraries go here.

Validating OAuth 2.0 Access Tokens

The best and easiest way to validate OAuth 2.0 Access Tokens is by performing OAuth 2.0 Token Introspection. You can do this with the CLI hydra token introspect <token>.


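const fetch = require('node-fetch')
const qs = require('querystring')

const token = 'the access token'
// The introspection endpoint expects a form-encoded body, not JSON.
const body = qs.stringify({ token })
fetch('http://ory-hydra/oauth2/introspect', {
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length': body.length
  },
  method: 'POST', body
})
  .then(res => res.json()) // parse the JSON introspection response
  .then(body => {
    if (!body.active) {
      // Token is not active/valid
    } else if (body.token_type !== 'access_token') {
      // Token is not an access token (probably a refresh token)
    } else {
      // token is active
    }
  })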


$ curl -X POST \
    -d 'token=<the-token>' \
    http://ory-hydra/oauth2/introspect
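
Once the introspection response is parsed, the API still has to decide whether it authorizes the request. The following is an added example (not part of the ORY Hydra documentation) of a fail-closed check over that response; the function name `checkIntrospection`, its options, the reason strings and the sample responses are assumptions constructed for illustration.

```javascript
// Added example: decide whether an RFC 7662 introspection response authorizes
// a request. Anything unexpected is treated as a rejection.
function checkIntrospection(resp, opts = {}) {
  const { requiredScopes = [], audience = null,
          nowSeconds = Math.floor(Date.now() / 1000) } = opts

  // A non-object body, or anything other than active === true, is rejected.
  if (resp === null || typeof resp !== 'object' || resp.active !== true) {
    return { ok: false, reason: 'inactive' }
  }
  // Same check as the snippet on this page: an API must not accept refresh tokens.
  if (resp.token_type !== 'access_token') {
    return { ok: false, reason: 'not_access_token' }
  }
  // Defence in depth for cached responses: `exp` is seconds since the epoch.
  if (typeof resp.exp === 'number' && resp.exp <= nowSeconds) {
    return { ok: false, reason: 'expired' }
  }
  // `scope` is one space-delimited string. Split it and compare whole values,
  // so that 'orders' does not match 'orders.read' by substring.
  const granted = new Set(String(resp.scope || '').split(' ').filter(Boolean))
  const missing = requiredScopes.filter(s => !granted.has(s))
  if (missing.length > 0) {
    return { ok: false, reason: 'insufficient_scope', missing }
  }
  // `aud` may be a single string or an array of strings.
  if (audience !== null) {
    const aud = Array.isArray(resp.aud) ? resp.aud : resp.aud ? [resp.aud] : []
    if (!aud.includes(audience)) {
      return { ok: false, reason: 'wrong_audience' }
    }
  }
  return { ok: true, subject: resp.sub }
}

// Constructed sample responses (not captured from a real server).
const samples = {
  good: { active: true, token_type: 'access_token', scope: 'orders.read orders.write',
          sub: 'user-1', aud: ['https://api.example.test'], exp: 2000 },
  refresh: { active: true, token_type: 'refresh_token', scope: 'orders.read', exp: 2000 },
  revoked: { active: false }
}
// Hypothetical policy for one API route; nowSeconds is pinned for repeatability.
const policy = { requiredScopes: ['orders.read'],
                 audience: 'https://api.example.test', nowSeconds: 1000 }

for (const [name, resp] of Object.entries(samples)) {
  console.log(name, JSON.stringify(checkIntrospection(resp, policy)))
}
```
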
Last updated on by aeneasr