// the find
ory/hydra
Internet-scale OpenID Certified™ OpenID Connect and OAuth2.1 provider that integrates with your user management through headless APIs. Solve OIDC/OAuth2 use cases overnight. Consume as a service on Ory Network or self-host. Trusted by OpenAI and many others for scale and security. Written in Go.
Ory Hydra is a standalone OAuth 2.0 / OpenID Connect server written in Go that deliberately ships without user management — you bring your own login/consent UI and wire it up via a small bridge app. It's for teams that need a certified, production-grade authorization server and want full control over the identity layer. OpenAI and Klarna run it at scale, which tells you something about the load profile it's built for.
The separation of concerns is genuinely good design: Hydra handles token issuance and client management, and your existing auth system handles users. That boundary prevents the common mess where your auth provider becomes a load-bearing monolith. The Go binary is small, stateless, and runs anywhere without a JVM or Node runtime. The OpenID certification is meaningful — it's not self-declared, they passed the conformance suite across all flow types. The fosite library vendored inside handles the actual OAuth2 state machine and covers an unusual breadth of RFCs including DPoP, JAR, and device flow.
The headless-only design is a feature but also a real adoption cost: you must build and host a login/consent app yourself, and the reference implementation is a Node app that's not kept in sync with Hydra's releases. The enterprise license split is murky — CVE patches with SLAs require a paid license, which means the open-source version is implicitly unsupported for production security incidents. Configuration is a 2000-line YAML schema that's difficult to reason about; there's no opinionated 'small team' profile. Multi-tenancy requires either separate deployments or the enterprise tier, which is a hard wall for SaaS use cases.
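To make the bridge app concrete, here is the login half as an added sketch (not Ory's code and not the reference Node app): it checks credentials against your own system, then reports the subject to Hydra. Assumptions: the Hydra v2 admin route `/admin/oauth2/auth/requests/login/accept`, admin port 4445, a hypothetical `verify` callback, and constructed form field names.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

// acceptLogin reports the authenticated subject to Hydra's admin API and returns redirect_to.
func acceptLogin(adminURL, challenge, subject string) (string, error) {
	body, _ := json.Marshal(map[string]any{"subject": subject, "remember": false})
	u := adminURL + "/admin/oauth2/auth/requests/login/accept?login_challenge=" + url.QueryEscape(challenge)
	req, err := http.NewRequest(http.MethodPut, u, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("hydra admin API: %s", resp.Status)
	}
	var out struct{ RedirectTo string `json:"redirect_to"` }
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.RedirectTo, err
}

// LoginHandler serves the login form POST; verify (hypothetical) is your existing auth system.
func LoginHandler(adminURL string, verify func(user, pass string) (subject string, ok bool)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		challenge := r.PostFormValue("login_challenge") // body fields only, never the URL
		subject, ok := verify(r.PostFormValue("username"), r.PostFormValue("password"))
		if r.Method != http.MethodPost || challenge == "" || !ok {
			http.Error(w, "login failed", http.StatusUnauthorized)
		} else if to, err := acceptLogin(adminURL, challenge, subject); err != nil {
			http.Error(w, "authorization server unavailable", http.StatusBadGateway)
		} else {
			http.Redirect(w, r, to, http.StatusFound) // hand the browser back to Hydra
		}
	}
}
func main() { // constructed wiring: the always-deny verifier stands in for your user store
	deny := func(string, string) (string, bool) { return "", false }
	fmt.Println(http.ListenAndServe("127.0.0.1:3000", LoginHandler("http://127.0.0.1:4445", deny)))
}
```

The subject sent to Hydra comes only from `verify`, so a client-supplied `subject` field has no effect. The admin URL should be reachable only from the bridge, not from the public network.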