<@U04UQ68083H> how to query metadata for an oauth ...
# ory-copilot
@chilly-king-10285 how to query metadata for an oauth client
A message from kapa.ai
To query metadata for an OAuth 2.0 client in Ory, you can use either the Ory CLI or the Ory Hydra CLI, depending on whether you're using Ory Network or a self-hosted Ory Hydra instance.

## Using Ory CLI (for Ory Network)

You can get the details of an OAuth 2.0 client, including its metadata, using the `get oauth2-client` command:

```bash
ory get oauth2-client <client-id> --format json
```

This will return all the client details in JSON format, which includes the metadata field if it exists. You can then extract just the metadata using a tool like `jq`:

```bash
ory get oauth2-client <client-id> --format json | jq -r '.metadata'
```

## Using Hydra CLI (for self-hosted Ory Hydra)

Similarly, with the Hydra CLI, you can use:

```bash
hydra get oauth2-client <client-id> --format json
```

Or the older command format:

```bash
hydra get client <client-id> --format json
```

And extract the metadata with jq:

```bash
hydra get oauth2-client <client-id> --format json | jq -r '.metadata'
```

## API Endpoint

You can also query the client directly through the API endpoint:

```
GET /admin/clients/{id}
```

This endpoint returns the OAuth 2.0 client details, including the metadata field if it exists. The metadata is returned as a JSON object.

Sources:
- [Ory CLI get oauth2-client](https://www.ory.sh/docs/cli/ory-get-oauth2-client#ory-get-oauth2-client)
- [Hydra CLI get oauth2-client](https://www.ory.sh/docs/hydra/cli/hydra-get-oauth2-client#hydra-get-oauth2-client)
- [Hydra API Reference](https://www.ory.sh/docs/hydra/reference/api)
@chilly-king-10285 how to get oauth client with go sdk
A message from kapa.ai
To get an OAuth 2.0 client using the Ory Go SDK, you can use the `GetOAuth2Client` method from the OAuth2Api. Here's how to do it:

```go
package main

import (
    "context"
    "fmt"
    "os"

    ory "github.com/ory/client-go"
)

// Use this context to access Ory APIs which require an Ory API Key
var oryAuthedContext = context.WithValue(context.Background(), ory.ContextAccessToken, os.Getenv("ORY_API_KEY"))

func main() {
    // Set up the configuration
    configuration := ory.NewConfiguration()
    configuration.Servers = []ory.ServerConfiguration{
        {
            URL: "https://your-project-slug.projects.oryapis.com", // Replace with your Ory project URL
        },
    }

    // Create the API client
    client := ory.NewAPIClient(configuration)

    // Get the OAuth2 client by ID
    clientID := "your-client-id" // Replace with your actual client ID

    // The client ID is a path parameter, so it is passed as an argument.
    // (Recent client-go releases name this field OAuth2API.)
    resp, r, err := client.OAuth2Api.GetOAuth2Client(oryAuthedContext, clientID).Execute()

    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `OAuth2Api.GetOAuth2Client`: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
        return
    }

    // Print the client details
    fmt.Printf("Client ID: %s\n", resp.GetClientId())
    fmt.Printf("Client Name: %s\n", resp.GetClientName())
    // Access other properties as needed
}
```

This example shows how to:

1. Set up the Ory API client with your project URL
2. Authenticate using an API key
3. Call the `GetOAuth2Client` method to retrieve a specific OAuth 2.0 client by its ID
4. Handle the response and any potential errors

Make sure to replace `"your-project-slug.projects.oryapis.com"` with your actual Ory project URL and `"your-client-id"` with the actual client ID you want to retrieve.

[Ory OAuth2 & OpenID Connect Go SDK](https://www.ory.sh/docs/hydra/sdk/go) provides more examples of using the Go SDK with Ory.

Note that you need to have the Ory client-go package installed:

```
go get github.com/ory/client-go@master
```

The API requires authentication with an Ory API key, which you should set as an environment variable or provide directly in your code (though environment variables are more secure for sensitive information). Is there any specific information from the OAuth client that you're particularly interested in retrieving?
@chilly-king-10285 how to get private jwks
A message from kapa.ai
Based on the knowledge sources provided, I don't see specific information about retrieving private JSON Web Key Sets (JWKS) in Ory. The documentation primarily covers how to:

1. Register public keys for OAuth2 clients using `jwks` or `jwks_uri` fields
2. Retrieve public JSON Web Key Sets using API endpoints

The API reference shows methods like `getJsonWebKeySet` and `discoverJsonWebKeys` which are used to retrieve public key information, but there's no explicit mention of retrieving private keys. This makes sense from a security perspective, as private keys should remain private and not be retrievable through APIs after they've been created and stored.

If you need to work with JWKs in Ory, you can:

1. Retrieve public key information using the `/admin/keys/{set}` endpoint [Ory API Reference](https://www.ory.sh/docs/reference/api)
2. Register a client's public key using either the `jwks` field (direct JSON object) or `jwks_uri` (URL to JWKS) as shown in the documentation [Registering the client's public key](https://www.ory.sh/docs/hydra/guides/jwt#registering-the-clients-public-key)

If you're specifically looking to retrieve private keys that you've previously stored in Ory, this functionality may not be exposed through the API for security reasons. Private keys are typically generated and managed by you, and only the public portions are shared with Ory for verification purposes.

Is there a specific use case you're trying to address with private JWKS retrieval?
@chilly-king-10285 how to get private keys that are used for jwt's when doing client credential grant
A message from kapa.ai
Based on the knowledge sources provided, I don't see information about retrieving private keys that are used for JWT signing in Ory. This is consistent with security best practices, as private keys are typically not meant to be retrieved once they're stored in a system.

In Ory, there are two scenarios related to private keys and JWT in the client credentials flow:

1. Server-side keys used by Ory: Ory generates and manages its own cryptographic keys for signing tokens. These include keys for ID Tokens (`hydra.openid.id-token`) and JWT Access Tokens (`hydra.jwt.access-token`). These private keys are stored securely by Ory and [encrypted at rest using AES256-GCM](https://www.ory.sh/docs/hydra/jwks#default-cryptographic-keys-in-ory).
2. Client-side keys for JWT client authentication: When using the JWT Bearer profile for client authentication, the client generates and manages its own private keys. The client only registers the corresponding public key with Ory (using `jwks` or `jwks_uri`), while keeping the private key secure on their side.

For the client credentials grant with JWT client authentication, you would:

1. Generate your own key pair (private/public)
2. Register only the public key with Ory when creating the OAuth2 client:

```
ory create oauth2-client --project "$PROJECT_ID" \
     --name "Client Credentials Demo" \
     --grant-type client_credentials \
     --token-endpoint-auth-method private_key_jwt \
     --jwks-uri https://example.org/path/to/clients/public_key_set.jwks
```

3. Use your private key to sign JWTs for authentication as shown in the [JWT Bearer profile documentation](https://www.ory.sh/docs/oauth2-oidc/client-credentials#jwt-bearer-profile-for-oauth2-client-authentication)

The private keys used by Ory itself for signing tokens are not meant to be retrieved by users. If you need to rotate these keys, you can use the key rotation functionality:

```
ory create jwks \
  --alg RS256 \
  hydra.jwt.access-token
```

Is there a specific reason you're looking to retrieve the private keys? Perhaps I can suggest an alternative approach that aligns with security best practices.

- [Ory OAuth2 client credentials flow](https://www.ory.sh/docs/oauth2-oidc/client-credentials#jwt-bearer-profile-for-oauth2-client-authentication)
- [Cryptographic key management and JSON Web Key Sets](https://www.ory.sh/docs/hydra/jwks#default-cryptographic-keys-in-ory)