5 Minute Tutorial
This tutorial walks you through a quick setup of ORY Hydra, a PostgreSQL instance and an exemplary User Login & Consent App based on Docker Compose. You need to have the latest Docker and Docker Compose version installed.

We will use the Docker Compose configuration in the ORY Hydra code base. Getting the Hydra source code is easy:
- if you have Go 1.12+ installed:
go get -d github.com/ory/hydra
- if you have Git installed:
git clone https://github.com/ory/hydra.git
- otherwise: download the Hydra source code. and extract it somewhere
Change into the directory with the Hydra source code and run the following command to start the needed containers:
If you prefer to use MySQL as the database backend, run this command instead:
This command makes Docker Compose start up a database server and a basic base
ORY Hydra server that uses this database. If you need more details on this,
please examine the scripts/5-min-tutorial.sh
and docker-compose*.yml
files.
You may also extend the command above to enable distributed tracing. The tracing UI is exposed at http://127.0.0.1:16686/search:
Hydra provides an endpoint for Prometheus to scrape as a target. You can run the following command to start the needed containers, and status of Hydra is exposed at targets page in Prometheus http://localhost:9090/targets:
Let's confirm that everything is working by creating an OAuth 2.0 Client.
Note: The following commands run Hydra inside Docker. If you have the ORY Hydra
CLI installed locally, you can omit
docker-compose -f quickstart.yml exec /hydra
in front of each command.
The OAuth 2.0 client uses port 4444
and 4445
. The former is ORY Hydra's
public endpoint, the latter its administrative endpoint. For more information
head over to Exposing Administrative and Public API Endpoints.
Let's create the OAuth 2.0 Client:
If you get an error message about a config file not being found, you can ignore it for now:
Let's perform the client credentials grant:
Let's perform token introspection on that token. Make sure to copy the token you just got and not the dummy value.
Next, we will perform the OAuth 2.0 Authorization Code Grant. For that, we must first create a client that is capable of performing that grant:
Note that you need to add --token-endpoint-auth-method none
if your clients
are public (such as SPA apps and native apps) because the public clients cannot
provide client secrets.
The following command starts a server that serves an example web application. The application will perform the OAuth 2.0 Authorization Code Flow using ORY Hydra. The web server runs on http://127.0.0.1:5555.
Open the URL http://127.0.0.1:5555, log in, and
authorize the application. Next, you should see at least an access token in the
response. If you granted the offline
scope, you will also see a refresh token.
If you granted the openid
scope, you will get an ID Token as well.
Great! You installed Ory Hydra, connected the CLI, created a client and completed two authentication flows! Before you continue, clean up this set up in order to avoid conflicts with other tutorials from this guide: