Hi <@U011D3UQKNY> Where actually Ory Hydra Access...
# general
h
Hi @magnificent-energy-493 Where is the Ory Hydra access token actually saved? If it doesn't store the access token and stores only metadata-related information of the token, such as the client ID, granted scopes, subject, expiry time, then how does the IdP understand that it's valid regardless of introspect for bearer, and if the IdP wants to revoke it? They need to be stored in its own DB. I thought the Ory Hydra DB needs to save it or store it?

Q. Wouldn't you still need to store the Access Token though? Usually, the Access Token does not have any information about the User, so you need to store it to associate it to the user - particularly if you don't have your own sessions? I didn't understand how this works without the Access Token being stored.

Q. Also, if you are not storing the Access Token, how would the /_revoke_ work? The Provider would know the token was invalid before expiration, but if you were not storing it, or using your own sessions, how would the Benefits application know it was revoked?

Q. How is the Access Token stored if it is your method of session management? My assumption is a Domain Cookie?
m
Hello @happy-eve-92047 Ory Hydra does not directly handle the storage of access tokens. Instead, it issues tokens and manages their metadata. The actual storage and management of these tokens, including associating them with users, is typically handled by the application using Ory Hydra.

When it comes to validating tokens, Ory Hydra provides an introspection endpoint. This endpoint can be used to check if a token is active (i.e., not expired and not revoked). The introspection endpoint returns the metadata associated with the token, such as the client ID, granted scopes, subject, and expiry time. This information can be used to validate the token and determine the associated user and their permissions.

As for revoking tokens, Ory Hydra provides a revocation endpoint. This endpoint can be used to revoke a token, which will make it inactive and cause subsequent introspection requests for that token to indicate that it is not active.

If you're using access tokens for session management, the storage method would depend on your application. For example, you might store the token in a secure cookie or in local storage on the client side. However, it's important to note that Ory does not recommend using access and refresh tokens for session management. Instead, they recommend using Ory Session Cookies or Ory Session Tokens, depending on whether the interaction is performed through a web browser or a non-browser client.
h
Just a simple question that is confusing me. If a user is authorized one time, and they log in the next time, how will that user be treated as authorized when accessing a secure endpoint, eventually, if they don't store the access token in some place for the introspection endpoint?
Does it need to be managed by the IdP?